pub struct TrustRootStore { /* private fields */ }
In-memory view of the trust root file.
Implementations

impl TrustRootStore

pub fn default_path() -> PathBuf
Default file location: ~/.treeship/trust_roots.json.
The TREESHIP_TRUST_ROOTS env var overrides the path. When set,
a one-time warning is emitted on stderr (deduplicated per
process via std::sync::Once) so CI logs show that the trust
boundary moved.
pub fn empty() -> Self
Construct an empty in-memory store. Useful for tests; the verification path treats an empty store the same as a missing file (no trust configured).
pub fn with_roots(roots: Vec<TrustRoot>) -> Self
Construct a store from an explicit list of roots. Tests use this
to thread a known trust set into the verifier; production callers
should open the on-disk file.
pub fn open_or_empty(path: &Path) -> Result<Self, TrustRootError>
Convenience wrapper for code paths that want to “load if
present, otherwise treat as no-trust-configured”. Returns an
empty store on NotConfigured/Empty, propagates Malformed
and PermissionsTooOpen (operator misconfiguration that
shouldn’t silently downgrade to empty).
pub fn open_default_or_empty() -> Result<Self, TrustRootError>
Convenience: open the default-path file or return empty if it’s missing. Loud on malformed/perms errors. Suitable for the “thread trust through internal verify pipelines” use case.
pub fn open(path: &Path) -> Result<Self, TrustRootError>
Open the trust root file at path. Returns NotConfigured if it
does not exist, Empty if it exists but has zero roots.
TOCTOU note: the file is opened ONCE, then the perm check runs
on the resulting File (fstat on the fd), and the JSON bytes
are read from the SAME fd. The path is never re-resolved after
the open, so an attacker with write access to ~/.treeship/
cannot swap trust_roots.json between the perm gate and the
content read. Mirrors the keystore single-open shape in
keys/mod.rs::read_entry_with_perm_check.
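The single-open shape the TOCTOU note describes, written out as an added example (not the crate's own code): open once, fstat the descriptor, read from that same descriptor. `read_private_file` and `TrustFileError` are stand-in names; only the variant names mirror this page.

```rust
// Added example (not the crate's own code): the single-open shape the
// `open` docs describe. `read_private_file` and `TrustFileError` are
// stand-in names; only the variant names mirror the page.
use std::fs::File;
use std::io::{self, Read};
use std::os::unix::fs::MetadataExt;
use std::path::Path;

#[derive(Debug)]
pub enum TrustFileError {
    /// File does not exist: no trust configured.
    NotConfigured,
    /// Group or world bits set; carries the observed mode.
    PermissionsTooOpen(u32),
    Io(io::Error),
}

/// Open `path` once, fstat the resulting descriptor, and read from that
/// same descriptor. The path is never re-resolved after the open, so a
/// swap of the file between the permission gate and the read cannot
/// redirect the read to a file other than the one that was checked.
pub fn read_private_file(path: &Path) -> Result<Vec<u8>, TrustFileError> {
    let mut file = match File::open(path) {
        Ok(f) => f,
        Err(e) if e.kind() == io::ErrorKind::NotFound => {
            return Err(TrustFileError::NotConfigured)
        }
        Err(e) => return Err(TrustFileError::Io(e)),
    };
    // `File::metadata` is fstat(2) on the open fd, not stat(2) on the path.
    let mode = file.metadata().map_err(TrustFileError::Io)?.mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(TrustFileError::PermissionsTooOpen(mode));
    }
    let mut buf = Vec::new();
    file.read_to_end(&mut buf).map_err(TrustFileError::Io)?;
    Ok(buf)
}

fn main() {
    // The default path here is a placeholder for the reader to substitute.
    let path = std::env::args().nth(1).unwrap_or_else(|| "trust_roots.json".into());
    match read_private_file(Path::new(&path)) {
        Ok(bytes) => println!("read {} bytes from {}", bytes.len(), path),
        Err(e) => eprintln!("refused {}: {:?}", path, e),
    }
}
```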
pub fn save(&self, path: &Path) -> Result<(), TrustRootError>
Save the store to path. Creates parent directories with mode
0o700 and writes the file with mode 0o600.
pub fn contains(&self, key: &VerifyingKey, kind: TrustRootKind) -> bool
Returns true if key is pinned for kind. The CLI helper does
not pre-decode; callers that already hold a VerifyingKey should
use this directly.
pub fn contains_bytes(&self, key_bytes: &[u8; 32], kind: TrustRootKind) -> bool
Convenience: lookup against a raw 32-byte Ed25519 key without first
constructing a VerifyingKey. Returns false if the bytes are not
a valid public key (mirrors the verifier’s reject-on-decode-failure
behavior).
pub fn is_empty(&self) -> bool
True when the store carries zero pinned roots. Verifiers reject any artifact when this returns true with a clear “configure trust” error.
pub fn is_empty_for_kind(&self, kind: TrustRootKind) -> bool
True when the store has no pinned root of kind. Used by
verifiers to surface a kind-specific error message when an
operator has set up agent_cert trust but is verifying a
hub_checkpoint (or vice versa).
pub fn add(&mut self, root: TrustRoot)
Append a root. Idempotent: re-adding the same (key_id, kind)
pair replaces the previous entry. The CLI treeship trust add
goes through here.
Trait Implementations

impl Clone for TrustRootStore

fn clone(&self) -> TrustRootStore

fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.