Skip to content

feat(consent): add signed artifact verification#353

Open
jeremi wants to merge 1 commit into
mainfrom
agent/parallel-consent-tracks
Open

feat(consent): add signed artifact verification#353
jeremi wants to merge 1 commit into
mainfrom
agent/parallel-consent-tracks

Conversation

@jeremi

@jeremi jeremi commented Jul 11, 2026

Copy link
Copy Markdown
Member

What changed

  • add the registry-platform-consent crate with closed ConsentEvidenceV1 parsing and validation
  • verify slice-1 Ed25519 compact JWS artifacts against pinned keys
  • enforce the 8 KiB artifact bound and per-evaluation evidence cardinality
  • add portable golden vectors, including a maximum-size assertion
  • add registryctl consent keygen and registryctl consent sign helpers with safe key and output handling

Why

This implements WP-C1 from the validated parallel consent decision, while preserving the frozen wire name consent. Slice 2 source_status and resolver behavior remain intentionally excluded until their enforcement-point semantics are frozen.

Validation

  • cargo metadata --format-version 1
  • cargo fmt --all -- --check
  • cargo check --locked --workspace --all-targets
  • cargo test --locked --workspace
  • cargo clippy --locked --workspace --all-targets -- -D warnings
  • cargo deny check
  • git diff --check

All checks passed. cargo deny check reported only the existing unmatched Unicode-DFS-2016 allowance and duplicate-version warnings.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant