Struct RunEvidence 

pub struct RunEvidence {

    pub schema: String,
    pub tsafe_attest_version: String,
    pub started_at: DateTime<Utc>,
    pub finished_at: DateTime<Utc>,
    pub repo_path: String,
    pub repo_commit: Option<String>,
    pub command: Vec<String>,
    pub contract: ContractRef,
    pub environment: EnvironmentEvidence,
    pub process: ProcessEvidence,
    pub machine: MachineEvidence,
    pub result: EnforcementResult,
    pub signature: Option<SignaturePayload>,
}

Typed-evidence artifact for a single attested command execution.

RunEvidence is the post-run truth record: every field is observed after the child process exits. It carries:

• Identity of the run (schema, version, timestamps, repo, command)
• A pointer to the contract the run was enforced against (contract)
• The parent-vs-child env diff with per-var BLAKE3 hashes (environment)
• Process lifecycle observations (process)
• Host fingerprint (hashed only) (machine)
• Enforcement verdict (result)

Construction is the caller’s responsibility — this module owns the type definition and validation only.

Fields

schema: String

tsafe_attest_version: String

Producing tool version (BLAKE3-converged tsafe-attest since v1.2.0).

Legacy algol_version field name is accepted on parse via serde(alias) for the v1.x compat window; new emissions use tsafe_attest_version.

started_at: DateTime<Utc>

finished_at: DateTime<Utc>

repo_path: String

repo_commit: Option<String>

command: Vec<String>

contract: ContractRef

environment: EnvironmentEvidence

process: ProcessEvidence

machine: MachineEvidence

result: EnforcementResult

signature: Option<SignaturePayload>

Optional Ed25519 signature over the canonical form of every other field on this artifact (Phase 5; see crate::sign).

None on legacy / unsigned emissions; Some(..) when the producer had a signing key available and the operator did not opt out via --no-sign. Skipped from the wire form when absent so existing readers parse old artifacts unchanged.

Implementations

impl RunEvidence

pub fn validation_errors(&self) -> Vec<String>

Return all validation errors for this artifact.

Empty vector indicates the artifact is structurally and semantically valid. Used by Self::ensure_valid.

During the v1.x compat window, both tsafe.run.v1 and algol.run.v1 are accepted for the schema field, and any hash field accepts either blake3: (canonical) or sha256: (legacy) prefixes.

pub fn ensure_valid(&self) -> Result<(), String>

Convert the validation-error list into a Result.

Trait Implementations

impl Clone for RunEvidence

fn clone(&self) -> RunEvidence

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for RunEvidence

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for RunEvidence

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Eq for RunEvidence

impl PartialEq for RunEvidence

fn eq(&self, other: &RunEvidence) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for RunEvidence

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for RunEvidence