pub struct JournalCheckpoint {Show 20 fields
pub type_: String,
pub checkpoint_id: String,
pub checkpoint_kind: CheckpointKind,
pub from_record_index: u64,
pub to_record_index: u64,
pub merkle_root: String,
pub leaf_count: u64,
pub journal_id: String,
pub created_at: String,
pub hub_id: String,
pub hub_public_key: String,
pub hub_signature: String,
pub signed_at: String,
pub covered_use_ids: Vec<String>,
pub covered_grant_ids: Vec<String>,
pub previous_record_digest: String,
pub record_digest: String,
pub signature: Option<String>,
pub signature_alg: Option<String>,
pub signing_key_id: Option<String>,
}Expand description
A signed Merkle commitment to a contiguous range of journal records. Lets a verifier check journal continuity (and, with a Hub-signed variant, replay across machines) without reading every record.
Two kinds with the same shape:
-
LocalJournal(default): committed by the local journal as a compaction primitive. Verify only emitsreplay-included-checkpoint. -
HubOrg: signed by a Hub/org. Carrieshub_id,hub_public_key,hub_signature,signed_at, andcovered_use_idslisting every use the checkpoint asserts coverage over. Verify emitsreplay-hub-orgPASS only when every Hub-signature check passes and every embedded use is incovered_use_ids.
Fields§
§type_: String§checkpoint_id: String§checkpoint_kind: CheckpointKindDiscriminator. Defaults to LocalJournal for back-compat with pre-PR-6 records that didn’t serialize this field.
from_record_index: u64Inclusive range of use_numbers (or revocation_ids) covered by
this checkpoint, in journal order.
to_record_index: u64§merkle_root: StringMerkle root over the canonical JSON of every record in
[from_record_index, to_record_index].
leaf_count: u64§journal_id: String§created_at: String§hub_id: StringHub identity (e.g. “hub://org-foo”). Required when
checkpoint_kind == HubOrg. Empty/absent for local-journal.
hub_public_key: StringHub’s signing public key. base64-url no-pad. Required for HubOrg. Embedded so a verifier can check the signature without a separate trust root lookup; PR 7+ adds a trusted issuer registry that pins acceptable hub_public_keys.
hub_signature: Stringbase64-url-no-pad Ed25519 signature over the canonical
signing payload (canonical_hub_signing_bytes). Required for
HubOrg.
signed_at: StringRFC 3339 timestamp when the Hub signed this checkpoint.
Distinct from created_at (which is the local journal’s
recorded creation time).
covered_use_ids: Vec<String>Use IDs the Hub asserts this checkpoint covers. The verifier
MUST confirm every package use_id is in this list before
emitting replay-hub-org PASS.
covered_grant_ids: Vec<String>Grant IDs covered. Informational; the per-use check is what gates the row.
previous_record_digest: String§record_digest: String§signature: Option<String>§signature_alg: Option<String>§signing_key_id: Option<String>Implementations§
Source§impl JournalCheckpoint
impl JournalCheckpoint
Sourcepub fn is_hub_signed(&self) -> bool
pub fn is_hub_signed(&self) -> bool
True only when EVERY Hub field is populated – the precondition
for replay-hub-org PASS to be considered. Signature
verification is a separate step.
Sourcepub fn canonical_hub_signing_bytes(&self) -> Vec<u8> ⓘ
pub fn canonical_hub_signing_bytes(&self) -> Vec<u8> ⓘ
Canonical bytes the Hub signs. Stable JSON of every field
except hub_signature and record_digest (those depend on
the signature itself). Sibling helper to record_digest’s
approach in this same module.
Trait Implementations§
Source§impl Clone for JournalCheckpoint
impl Clone for JournalCheckpoint
Source§fn clone(&self) -> JournalCheckpoint
fn clone(&self) -> JournalCheckpoint
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more