Trust metadata primitives shared across the runtime.
Structs
- Attestation - Placeholder attestation envelope attached to trust decisions and replay events.
- C2paManifestEnvelope - Canonical C2PA envelope containing the manifest payload and detached signature.
- CapabilityBudgetLimits
- CapabilityClaims - Canonical capability claims embedded inside minted tokens.
- CapabilityEvidence
- CapabilityEvidenceEntry
- CapabilitySchemaRef
- CapabilityToken - Serialized capability token envelope (JWS + claims).
- CapabilityTokenScope
- CapabilityTokenSubject
- CapabilityToolScope
- Ed25519Signer
- IdentityEvidence
- InMemoryAttestationVault - In-memory attestation vault used for tests and local development.
- Jwk
- ManifestInput
- ObjectStoreAttestationVault - Object store backed attestation vault with a Postgres index.
- PolicyEvidence
- SignatureEnvelope
- SigningAlgorithm
- TrustDecision - Outcome of evaluating a policy against a subject.
- TrustOrigin - Describes how the runtime obtained an untrusted or derived value.
- TrustSigner
- Trusted - Strongly-typed wrapper for trusted values.
- Untrusted - Strongly-typed wrapper for untrusted values.
- VerifiedManifest
Enums
- ManifestProfile
- Trust - High-level trust classification.
- TrustBoundary - Boundary within the runtime where trust is assessed.
- TrustSource - Source system that produced the value.
- TrustSubject - Identifies what entity an attestation or trust decision covers.
- TrustVerdict - Placeholder for future detailed policy verdict information.
Constants
- TRUST_MESH_ALPHA_FLAG - Environment flag that gates Trust Mesh alpha capabilities.
Traits
Functions
- build_scitt_entry - Constructs a SCITT transparency entry linking change evidence to attestations.
- c2pa_signer - Loads the C2PA signer; falls back to the trust signer when none is configured.
- capability_signer - Loads the capability signer; falls back to the trust signer when none is configured.
- digest_bytes - Computes a deterministic SHA256 digest for a byte slice.
- digest_for_algorithm
- digest_json - Computes a deterministic SHA256 digest for the supplied JSON value.
- generate_c2pa_manifest - Generates a signed C2PA-style manifest for the supplied artifact bytes.
- jwk_from_aws_public_key
- jwk_from_gcp_public_key
- mint_capability_token - Mint a capability token with the supplied subject and scope.
- normalize_ecdsa_signature
- scitt_signer - Loads the SCITT signer configuration, requiring explicit key material.
- trust_signer - Returns the default Trust Mesh signer, falling back to an ephemeral key when none is configured.
- verify_c2pa_manifest - Verifies the provided manifest envelope against the raw artifact bytes and signature.
- verify_capability_token - Verify the capability token against configured signer keys.
- verify_signature_envelope