Enum AttestAction 

pub enum AttestAction {
    Scan {
        path: Option<PathBuf>,
        strict: bool,
        extra_paths: Vec<PathBuf>,
        format: AttestScanFormat,
        output: Option<PathBuf>,
    },
    Run {
        contract: Option<PathBuf>,
        emit_run_evidence: Option<PathBuf>,
        audit_trail: Option<PathBuf>,
        allow_command_override: bool,
        sign_run_evidence: bool,
        no_sign: bool,
        command: Vec<String>,
    },
    Verify {
        evidence: PathBuf,
        pubkey: Option<String>,
        require_pinned: bool,
    },
    Key {
        action: AttestKeyAction,
    },
    Trust {
        action: AttestTrustAction,
    },
}

Attestation subcommands — Phases 3 and 4 of the algol→tsafe migration.

• scan (Phase 3) — secret + env-authority scanner.
• run (Phase 4) — env-injection enforcement harness; emits RunEvidence + CloudEvents audit trail.

Variants

Scan

Scan a repo for committed secrets and env-authority signals.

Defaults to scanning the current directory. The scanner is the Phase 3 port of the algol Phase 2.1 scanner; see crate docs for the full provenance trail.

Scanner P/R on synthetic N=100 corpus: 1.000 / 1.000. Real-world rates may differ. See ecosystem-catalog/portfolio-algol-tsafe-phase2-1-precision-recovery-2026-05-21.md for the verdict.

Fields

path: Option<PathBuf>

Repo path to scan (defaults to current directory).

strict: bool

Exit with code 2 if any secret-class finding is present.

Secret-class kinds: ENV_FILE, HARDCODED_SECRET, PRIVATE_KEY. SECRET_PLACEHOLDER (Phase 2.1 — placeholder/comment context) is NOT counted as a secret finding.

extra_paths: Vec<PathBuf>

Additional paths to scan (repeatable). Findings from all paths are merged into a single report.

format: AttestScanFormat

Output format.

output: Option<PathBuf>

Write the report to this file (otherwise printed to stdout).

Run

Run a command under env-injection enforcement.

Loads an AttestContract, strips the parent env, injects declared variables from the configured sources, spawns the command, and emits a RunEvidence artifact + CloudEvents audit-trail entry.

Phase 4 wire formats: tsafe.run.v1 RunEvidence, tsafe.audit_event.v1 audit events, BLAKE3 fingerprints. Legacy algol.* schemas + SHA-256 hashes are accepted on parse during the v1.x compat window.

Fields

contract: Option<PathBuf>

Path to the AttestContract to enforce. Defaults to tsafe.contract.yaml in the current directory.

emit_run_evidence: Option<PathBuf>

Path to write the RunEvidence artifact. Defaults to tsafe-run.json in the current directory.

audit_trail: Option<PathBuf>

Path to the audit-trail NDJSON log. Each line is a CloudEvents envelope. Defaults to tsafe-audit-events.ndjson.

allow_command_override: bool

Allow the supplied command to differ from the contract’s command field. Disabled by default; useful only for testing.

sign_run_evidence: bool

Phase 5: sign the emitted RunEvidence with the per-profile Ed25519 keyring entry. Default is ON — if no key is provisioned, one is auto-generated on first use with a stderr warning (tsafe attest key generate is the explicit form). Use --no-sign to opt out.

no_sign: bool

Phase 5: explicitly disable Ed25519 signing of the emitted RunEvidence. Overrides the default-on --sign-run-evidence behaviour.

command: Vec<String>

Command to execute under enforcement. Pass after --.

Verify

Verify the Ed25519 signature on a RunEvidence artifact.

Phase 5 (this version) emits artifacts with a signature field carrying an Ed25519 signature over the canonical encoding of every other field. verify re-derives the canonical bytes, prepends the tsafe.run_evidence.v1 domain tag, and checks the signature.

Without --pubkey, the embedded pubkey on the artifact is used (TOFU); a stderr warning is emitted reminding the operator to pin the pubkey out of band. With --pubkey <base64url>, the supplied key takes precedence.

Exit codes:

• 0 — signature is valid
• 5 — artifact has no signature field
• 6 — signature verification failed (tampered or wrong key)
• 7 — --require-pinned: signer is not a pinned trusted identity
• other — internal error

Fields

evidence: PathBuf

Path to the RunEvidence JSON artifact to verify.

pubkey: Option<String>

Operator-supplied verifying key (base64url-encoded, no padding, 32 bytes after decoding). If omitted, the pubkey embedded in the artifact is used (TOFU; see honest disclosure on --help).

require_pinned: bool

Fail closed (exit code 7) unless the signing key matches an identity pinned in the trust store (tsafe attest trust add). This converts TOFU verification into identity-anchored verification: the cryptographic check still runs, AND the signer must be a key the operator has explicitly trusted. When combined with --pubkey, both must agree.

Key

Manage the tsafe-attest Ed25519 signing key for a profile.

The key lives in the OS credential store under the per-profile tsafe-attest-signing-key account name. tsafe attest run signs emitted RunEvidence artifacts with this key by default; tsafe attest verify can use the embedded pubkey or an operator-supplied one.

Fields

action: AttestKeyAction

Trust

Manage the pinned-pubkey trust store used by tsafe attest verify --require-pinned.

The trust store binds operator-chosen identity names to pinned Ed25519 public keys, closing the Phase 5 TOFU gap: once a producer’s pubkey is pinned out of band, verify --require-pinned will fail closed for any artifact NOT signed by a pinned identity.

The store lives at <config-root>/trust-store.json (honoring TSAFE_VAULT_DIR). It holds only public keys — no secrets.

Fields

action: AttestTrustAction

Trait Implementations

impl FromArgMatches for AttestAction

fn from_arg_matches(__clap_arg_matches: &ArgMatches) -> Result<Self, Error>

Instantiate Self from ArgMatches, parsing the arguments as needed.

fn from_arg_matches_mut( __clap_arg_matches: &mut ArgMatches, ) -> Result<Self, Error>

Instantiate Self from ArgMatches, parsing the arguments as needed.

fn update_from_arg_matches( &mut self, __clap_arg_matches: &ArgMatches, ) -> Result<(), Error>

Assign values from ArgMatches to self.

fn update_from_arg_matches_mut<'b>( &mut self, __clap_arg_matches: &mut ArgMatches, ) -> Result<(), Error>

Assign values from ArgMatches to self.

impl Subcommand for AttestAction

fn augment_subcommands<'b>(__clap_app: Command) -> Command

Append to Command so it can instantiate Self via FromArgMatches::from_arg_matches_mut

fn augment_subcommands_for_update<'b>(__clap_app: Command) -> Command

Append to Command so it can instantiate self via FromArgMatches::update_from_arg_matches_mut

fn has_subcommand(__clap_name: &str) -> bool

Test whether Self can parse a specific subcommand