Module verify

Manifest signing and hash-pinning verification.

Production deployments can require:

  • Ed25519 signed manifests — the manifest’s signature field is verified against a trust root (configured per Uni instance).
  • Blake3 hash pinning — the manifest’s hash field must match a hash recorded at first install; reloads must reproduce.

Ed25519 signature verification is always compiled — it is a security primitive, so it is deliberately not a build-time opt-out. The signature covers the whole manifest (see canonical_payload), not just the hash pin, which closes a manifest-substitution attack: rewriting capabilities or side_effects while preserving the hash invalidates the signature.

Structs

TrustRoot
Trust root for plugin signature verification.

Enums

SignaturePolicy
Host policy for plugin signature enforcement.

Functions

verify_hash_pin
Verify a plugin’s hash-pin against the payload bytes.
verify_manifest_with_policy
Apply SignaturePolicy on top of verify_signed_manifest.
verify_signed_manifest
Verify a manifest’s Ed25519 signature against the trust root.