Cryptographic signing for finding bundles — the trust infrastructure layer.
Every finding event can be signed with Ed25519 and verified independently. Signatures cover the canonical JSON of the finding (deterministic, sorted keys).
Structs
- ActorRecord - Phase M (v0.4): registered actor identity. Maps a stable `actor.id` to an Ed25519 public key, established at a specific timestamp.
- SignedEnvelope - A signed envelope wrapping a finding’s cryptographic signature.
- VerifyReport - Result of verifying all signatures in a frontier.
Functions
- actor_can_auto_apply - Phase α (v0.6): authorization predicate for one-call auto-apply.
- canonical_json - Produce deterministic canonical JSON for a finding bundle. Uses sorted keys (via serde_json::Value -> BTreeMap conversion) and compact format.
- event_signing_bytes - Compute the canonical signing bytes for a `StateEvent`. The `signature` field is excluded from the preimage (you can’t sign over your own signature). The same canonical-JSON rule that derives `vev_…` is reused.
- generate_keypair - Generate an Ed25519 keypair. Writes the private key to `output_dir/private.key` and the public key to `output_dir/public.key`. Both are hex-encoded.
- load_signing_key_from_path - v0.49.3: public key-loading and primitive-signing helpers so the hub (and any other downstream binary) can sign small JSON payloads — e.g., the `/.well-known/vela` manifest — without needing direct access to the ed25519_dalek dep or to the SigningKey type. Load a hex-encoded Ed25519 signing key from disk.
- proposal_signing_bytes - Compute the canonical signing bytes for a `StateProposal`. The `signature` (held externally on the wire) is excluded from the preimage. Same canonical-JSON discipline as `event_signing_bytes`.
- pubkey_hex - Hex-encoded Ed25519 public key (64 chars) for the given signing key.
- refresh_jointly_accepted - Walk every finding and (re)set `flags.jointly_accepted` to match the current state of `signature_threshold` and the multi-sig envelope set. Idempotent. Called from `sign_frontier` and the verify path so the flag never drifts from the underlying truth.
- sign_bytes - Sign arbitrary bytes with the given key. Returns the 64-byte signature.
- sign_event - Sign a canonical event with an Ed25519 private key, returning a hex-encoded signature suitable for `event.signature`.
- sign_finding - Sign a single finding bundle, producing a SignedEnvelope.
- sign_frontier - Sign all findings in a frontier that are not yet signed BY THIS KEY. Returns the number of newly signed findings.
- sign_proposal - Sign a proposal with an Ed25519 private key, returning a hex-encoded signature suitable for transport on a write API.
- signers_for - Hex-encoded public keys of every actor whose `SignedEnvelope` targeting `finding_id` cryptographically verifies against the finding’s canonical bytes. Duplicate signatures from the same key are counted once. Returns an empty Vec if the finding doesn’t exist.
- threshold_met - True iff `flags.signature_threshold` is `Some(k)` and `k` distinct valid signatures are present. `None` threshold means single-sig semantics — never reports threshold-met.
- valid_signature_count - Number of unique valid signers on `finding_id`.
- validate_orcid - v0.43: Validate an ORCID identifier’s structural shape. ORCID IDs are 16 digits in 4 groups of 4 separated by hyphens, with the final character optionally being `X` (the ISO 7064 check digit). Accepts bare form `0000-0001-2345-6789`, the URL form `https://orcid.org/0000-...`, or the prefixed form `orcid:0000-...` and returns the bare form.
- verify_action_signature - Generic signature verifier for action-on-canonical-bytes: verify `signature_hex` is a valid Ed25519 signature over `signing_bytes`, produced by the holder of `expected_pubkey_hex`. Used by write actions that don’t sign over a full proposal/event struct (e.g., accept/reject decisions).
- verify_event_signature - Verify that `event.signature` is a valid Ed25519 signature over the canonical signing bytes of `event`, produced by the holder of the private key matching `expected_pubkey_hex`.
- verify_finding - Verify a signed envelope against a finding bundle.
- verify_finding_with_pubkey - Verify a finding against a specific public key (hex-encoded).
- verify_frontier - Verify all signatures in a frontier. Optionally filter by a specific public key.
- verify_frontier_data - Verify all signatures in an in-memory frontier.
- verify_proposal_signature - Verify a hex-encoded Ed25519 signature against the canonical signing bytes of `proposal`, using `expected_pubkey_hex` as the verifying key.
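
The ORCID shape rule described for validate_orcid, sketched as an added example that is not this crate's code: `normalize_orcid` and `check_digit_matches` are hypothetical names, and the inputs in `main` are constructed from the page's own sample ID. The ISO 7064 MOD 11-2 check goes beyond the structural validation the page documents, so a caller can also reject well-shaped but mistyped identifiers before binding them to an actor.

```rust
/// Accepts the bare, URL and `orcid:` forms and returns the bare form,
/// or None if the 4x4 hyphenated shape does not hold.
fn normalize_orcid(input: &str) -> Option<String> {
    let bare = input
        .strip_prefix("https://orcid.org/")
        .or_else(|| input.strip_prefix("orcid:"))
        .unwrap_or(input);
    if bare.len() != 19 {
        return None;
    }
    // Hyphens at fixed offsets, digits elsewhere, 'X' allowed only last.
    let shape_ok = bare.bytes().enumerate().all(|(i, b)| match i {
        4 | 9 | 14 => b == b'-',
        18 => b.is_ascii_digit() || b == b'X',
        _ => b.is_ascii_digit(),
    });
    if shape_ok { Some(bare.to_string()) } else { None }
}

/// ISO 7064 MOD 11-2: recompute the check character from the first 15
/// digits and compare it with the 16th. Expects the bare form.
fn check_digit_matches(bare: &str) -> bool {
    let chars: Vec<char> = bare.chars().filter(|c| *c != '-').collect();
    if chars.len() != 16 {
        return false;
    }
    let mut total: u32 = 0;
    for c in &chars[..15] {
        match c.to_digit(10) {
            Some(d) => total = (total + d) * 2,
            None => return false,
        }
    }
    let expected = match (12 - total % 11) % 11 {
        10 => 'X',
        d => char::from_digit(d, 10).unwrap(),
    };
    chars[15] == expected
}

fn main() {
    // Constructed inputs: the page's sample ID in each accepted form, plus bad ones.
    for s in ["0000-0001-2345-6789", "https://orcid.org/0000-0001-2345-6789",
              "orcid:0000-0000-0000-001X", "0000-000X-2345-6789", "0000-0001-2345-6780"] {
        let bare = normalize_orcid(s);
        let sum_ok = bare.as_deref().map(check_digit_matches);
        println!("{s:40} shape={bare:?} check_digit={sum_ok:?}");
    }
}
```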