Skip to main content

Crate tsafe_attest

Crate tsafe_attest 

Source
Expand description

Attestation pipeline for tsafe — secret scanner + env-injection contract + run-evidence harness.

§Provenance

Phase 3 lifted the algol Phase 2.1 scanner (algol/src/scan.rs @ 4e81948, built on 6956cfd). Phase 4 lifts the env-injection contract pipeline (algol/src/{audit,enforce,event_log,events,plan, redact}.rs @ 6956cfd) and converges the hash family + schema namespace.

Re-licensed AGPL-3.0-or-later per:

  • ecosystem-catalog/docs/adr/draft-algol-into-tsafe-merge.md
  • ecosystem-catalog/portfolio-algol-tsafe-migration-2026-05-21.md
  • ecosystem-catalog/portfolio-algol-tsafe-phase0-audit-2026-05-21.md
  • ecosystem-catalog/portfolio-algol-tsafe-phase2-scanner-2026-05-21.md
  • ecosystem-catalog/portfolio-algol-tsafe-phase2-1-precision-recovery-2026-05-21.md
  • ecosystem-catalog/portfolio-algol-tsafe-phase4-attest-run-2026-05-21.md
  • operator decisions 2026-05-21

§Public surface

  • scan — Phase 3 scanner module
  • modelScanReport, ScanFinding, severity, finding kinds
  • redact — content redaction + short_hash (Phase 4 BLAKE3 family)
  • hash — BLAKE3 canonical + SHA-256 deprecation API
  • events — CloudEvents projection types (tsafe.audit_event.v1)
  • event_log — append-only audit log + lifecycle event constructors
  • audit — markdown audit-report renderer (tsafe attest audit)
  • enforce — env-injection enforcement harness (tsafe attest run)
  • plan — contract derivation from scan reports (tsafe attest plan)

§Hash family — BLAKE3 canonical

Per ec ADR-0003 (hash convergence), all new content-hash output is BLAKE3 (blake3:<64 hex>). SHA-256 hashes are still accepted on parse during the v1.x compat window for legacy algol.* artifacts. Phase 4 swept four fingerprint slots in RunEvidence, four schema names, and the ALGOL-FINDING-NNNN ID prefix; see CHANGELOG.md.

§Schema namespace (Phase 4 rename wave)

New emissions use the tsafe.* namespace:

  • algol.run.v1 -> tsafe.run.v1
  • algol.contract.v1 -> tsafe.contract.v1
  • algol.scan.v1 -> tsafe.scan.v1
  • algol.audit_event.v1 -> tsafe.audit_event.v1
  • ALGOL-FINDING-NNNN -> TSAFE-FINDING-NNNN

Parsers accept legacy names during the v1.x compat window.

Re-exports§

pub use model::is_supported_scan_schema;
pub use model::CiSecretReference;
pub use model::FindingKind;
pub use model::ObservedEnvRead;
pub use model::ScanFinding;
pub use model::ScanReport;
pub use model::ScanSummary;
pub use model::Severity;
pub use model::ATTEST_VERSION;
pub use model::LEGACY_SCAN_SCHEMA;
pub use model::SCAN_SCHEMA;
pub use scan::is_high_risk_env_name;
pub use scan::is_sensitive_env_name;
pub use scan::print_summary;
pub use scan::scan_repo;
pub use scan::write_scan;

Modules§

audit
tsafe attest audit — render a markdown audit report from RunEvidence.
enforce
tsafe attest run — env-injection enforcement + run-evidence harness.
event_log
Append-only audit-event log + lifecycle event constructors.
events
Audit CloudEvents projection types.
hash
Hashing helpers — BLAKE3 canonical, SHA-256 deprecation-API.
model
Scanner model types — ScanReport, ScanFinding, Severity, etc.
plan
tsafe attest plan — derive an AttestContract from a scan report.
redact
Value redaction + placeholder detection.
scan
Secret + env-authority scanner.