Skip to main content

Baseline

taudit_core::baselines

Struct Baseline 

Source 
pub struct Baseline {
    pub schema_version: String,
    pub pipeline_path: String,
    pub pipeline_content_hash: String,
    pub pipeline_identity_material_hash: Option<String>,
    pub captured_at: DateTime<Utc>,
    pub captured_by: String,
    pub captured_with: CapturedWith,
    pub baseline_findings: Vec<BaselineFinding>,
}
Expand description

One baseline file = one pipeline. Keyed by pipeline_content_hash so renames preserve state and merge conflicts only touch the affected file.

Fields§

§schema_version: String§pipeline_path: String§pipeline_content_hash: String

sha256:<hex> of the pipeline file’s bytes at init time.

§pipeline_identity_material_hash: Option<String>

Optional additive hardening signal captured at init time.

Hashes parser-emitted dependency-like material (include/template/ repository declarations and delegation edges) so suppression can be disabled if that material drifts even when the baseline file still exists. Absent on legacy baseline files written before v1.1.0.

§captured_at: DateTime<Utc>§captured_by: String§captured_with: CapturedWith§baseline_findings: Vec<BaselineFinding>

Sorted by fingerprint ASC for stable git diffs.

Implementations§

Source§

impl Baseline

Source

pub fn load(path: &Path) -> Result<Option<Self>, BaselineError>

Load and parse a baseline from disk. Returns Ok(None) if path does not exist (the OSS-friendly default — absent baseline is fine).

Source

pub fn save(&self, path: &Path) -> Result<(), BaselineError>

Write self to path as pretty JSON with stable key ordering and fingerprint-sorted entries. Creates parent directories as needed.

§Atomicity contract

The write is atomic at the rename boundary on POSIX: bytes are staged into a .<name>.tmp.<pid>.<nanos> file in the same parent directory and then fs::renamed over the destination. POSIX guarantees rename(2) is atomic within a single filesystem, so a concurrent reader either sees the prior baseline content or the new content — never a truncated/partial JSON.

If the process is SIGKILLed (or crashes) between the temp-file write and the rename, the destination is unchanged and a dot-prefixed temp file is left in the parent directory. This is acceptable: the next successful save overwrites that temp slot, and the temp prefix .tmp. makes manual cleanup trivial. We do not call fsync here — durability against host crash is a premature optimisation absent a measured requirement.

Source

pub fn from_findings( pipeline_path: &str, content: &str, graph: &AuthorityGraph, findings: &[Finding], captured_by: &str, taudit_version: &str, rules_version: &str, now: DateTime<Utc>, ) -> Self

Produce a fresh baseline from current_findings against graph. Each entry is a plain pre-existing finding (no waiver fields set). pipeline_path should be the pipeline’s filesystem path as the user sees it; content is the raw bytes used to derive the content hash.

Source

pub fn accept( &mut self, fingerprint: &str, rule_id: &str, severity: Severity, reason: &str, severity_override: Option<Severity>, expires_at: Option<DateTime<Utc>>, now: DateTime<Utc>, ) -> Result<&BaselineFinding, BaselineError>

Append a single waiver entry. Validates reason length and the critical-waiver constraints. Returns the inserted/updated entry. If an entry with the same fingerprint already exists, it is replaced (idempotent re-acceptance with a refreshed reason / expiry).

Source

pub fn identity_material_matches(&self, graph: &AuthorityGraph) -> bool

Returns true when the captured identity material matches the current parsed graph. Legacy baselines that predate this field are considered compatible to preserve backward compatibility.

Trait Implementations§

Source§

impl Clone for Baseline

Source§

fn clone(&self) -> Baseline

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Baseline

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<'de> Deserialize<'de> for Baseline

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl PartialEq for Baseline

Source§

fn eq(&self, other: &Baseline) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Serialize for Baseline

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl Eq for Baseline

Source§

impl StructuralPartialEq for Baseline

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key. Read more
Source§

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

Source§

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,