Helpers for verifying governed approval credentials locally.
Structs
- ApprovalRefreshBootstrap - Control-plane bootstrap required to refresh trusted approval keys online.
- ApprovalResolution - Derived approval state for a runtime spec after local credential verification.
- TrustedApprovalKey - Trusted approval signing key material accepted by enterprise runtimes.
- TrustedApprovalKeyCache - A locally persisted trusted key set plus minimal refresh metadata.
Enums
- ApprovalTrustSource - Source of the trusted signing keys currently available to the runtime.
- ApprovalVerificationError - Errors returned when an approval credential cannot be verified locally.
Functions
- approval_credential_expires_at - Extract the credential expiry timestamp from an approval credential payload.
- approval_refresh_bootstrap_from_env - Read approval-refresh bootstrap configuration from the runtime environment.
- approval_spec_hash_from_canonical_spec_kv - Compute the canonical sha256:<hex> digest expected inside approval credentials.
- default_approval_credential_path - Return the default local path used for a bundle-adjacent approval credential.
- default_trusted_approval_key_cache_path - Return the default local cache path used for trusted signing keys next to a spec file.
- discover_trusted_approval_key_paths - Return default signing-key file locations associated with a spec path.
- load_approval_credential_from_bundle - Load an approval credential from an extracted deploy bundle when present.
- load_runtime_trusted_approval_key_cache - Load trusted approval keys for runtime startup, refreshing from the control plane when possible.
- load_trusted_approval_key_cache_from_file - Load a trusted approval key cache envelope from disk.
- load_trusted_approval_key_cache_from_paths - Load trusted approval signing keys from one or more local cache files.
- load_trusted_approval_keys_from_file - Load trusted approval signing keys from a JSON file.
- load_trusted_approval_keys_from_paths - Load trusted approval signing keys from one or more JSON files.
- refresh_runtime_trusted_approval_key_cache - Refresh trusted approval keys from the control plane and persist them into the local runtime cache.
- required_approval_capabilities_for_spec_kv - Derive the approval capabilities required by a canonical spec.
- resolve_runtime_approval - Resolve runtime approval presence by verifying an optional credential against the canonical spec hash, target environment, and required side-effect capabilities.
- write_trusted_approval_key_cache - Persist a trusted approval key cache envelope to disk.