rfgen.manifest_verification¶
rfgen.manifest_verification verifies an already-published run manifest
without authority to publish, mutate objects, sign, or write provenance. It is
a sealed orchestration boundary: callers supply narrow read-only capabilities
for repository reads, object reads, optional fresh-process reproduction, and
optional persisted DSSE-bundle reads.
ManifestVerifier¶
ManifestVerifier¶
class ManifestVerifier:
def __init__(
self,
repository: ManifestRepositoryReader,
*,
object_reader: ManifestObjectReader | None = None,
reproduction: ReproductionCapability | None = None,
provenance_bundles: ManifestProvenanceBundleReader | None = None,
provenance_adapter: SigstoreDSSEAdapter | None = None,
provenance_identity: str | None = None,
provenance_issuer: str | None = None,
) -> None
def verify(
self,
revision: str,
*,
mode: VerificationMode,
deadline: datetime | None = None,
) -> VerificationReportV1
The repository is always read first and must return a validated
RunManifestV1. revision is the
expected manifest SHA-256; an unavailable manifest and a self-hash mismatch
become report failures rather than write-side repair actions. mode must be a
VerificationMode, not a string.
deadline, when supplied, must be UTC and is forwarded unchanged to the
reproduction capability.
Partial signed-provenance inputs and a non-UTC deadline raise ValueError;
a plain string or other non-enum mode raises TypeError. Those are caller
contract errors. In contrast, repository, object-read, reproduction, bundle,
or DSSE-verification runtime failures are retained in the returned report as
typed FAIL rows with a diagnostic code; they are not propagated and never
trigger repair or mutation.
Mode |
Checks |
Capability failure |
|---|---|---|
|
Manifest schema and self-hash; object rows are |
None required |
|
Metadata plus presence and SHA-256 for every declared object |
Missing object reader is |
|
Checksums plus bounded output recreation |
Missing reproduction capability is |
For checksums, every object is read in 8 MiB chunks and all failures are
reported. For reproduction, the verifier deterministically selects the 32
smallest sha256(run_id || sample_id) values, passes that tuple in selected
order, and rejects duplicated, missing, extra, reordered, or non-fresh results.
Integer IQ must compare exactly. Floating IQ passes only when both maximum
absolute and relative-RMS error are at most 1e-6. Metadata, configuration,
assets, plugins, and sample IDs compare exactly.
Optional signed provenance is an all-or-none constructor capability. The
verifier loads the existing bundle for revision, verifies it through
SigstoreDSSEAdapter with a
RUN_MANIFEST_V1 policy bound to run-manifest.json and this revision, and
requires the verified predicate to equal the loaded manifest. It never signs
or persists a statement or bundle.
Capability protocols¶
ManifestRepositoryReader¶
Read-only protocol: get(revision: str) -> RunManifestV1.
ManifestObjectReader¶
Read-only protocol: open(key: str) -> BinaryIO.
ReproductionCapability¶
sample_ids(manifest) returns candidate IDs. reproduce(manifest, sample_ids, *, deadline) returns exactly one ReproductionResultV1 per selected ID in
the supplied order. Its result supplies fresh_process=True as the
fresh-runtime evidence that the verifier requires; absent, false, or malformed
evidence fails closed.
ReproductionResultV1¶
Protocol fields are sample_id, fresh_process, exact-integer-IQ or floating
error measurements, and exact metadata/config/assets/plugins/sample-ID
comparison booleans. integer_iq_equal=True is the only integer-IQ pass. When
it is None, both floating_max_abs and floating_relative_rms must be
present and at most 1e-6; otherwise IQ fails. fresh_process and each of
the five comparison fields must be boolean. A missing required field becomes
fail-closed RESULT_MALFORMED report rows; a present but false
fresh_process specifically reports FRESH_PROCESS_REQUIRED. It is a result
interface rather than a persisted schema.
ManifestProvenanceBundleReader¶
Read-only protocol: load(revision: str) -> Bundle for an already-persisted
DSSE bundle.
Output¶
verify() returns VerificationReportV1. Its rows are sorted by (scope, key, code), its counts must match those rows, and its overall status passes
only when no requested check failed. Unrequested work is explicitly SKIP;
requested but unavailable capability is a failure.
See Also¶
Manifest: canonical payload, report schemas, and repository.
Determinism: provenance and comparison rules.
Attestation: the closed DSSE verification boundary.