Module evidence_signer


Sign JCS-canonical event payloads with the SSH host key. The auditor trust root rotates independently from mTLS, so a leaked agent cert doesn’t compromise the third-party chain.

Structs

ActivationFailedSignedPayload
ClosureSignatureMismatchSignedPayload
EvidenceSigner
ManifestMismatchSignedPayload: Manifest signed but agent’s content-bound checks failed (hash, host_set membership, or pinned-bytes drift).
ManifestMissingSignedPayload: Agent could not load + parse the advertised rollout manifest.
ManifestVerifyFailedSignedPayload: Manifest signature didn’t verify against trust roots.
RealiseFailedSignedPayload
RollbackTriggeredSignedPayload
StaleTargetSignedPayload
VerifyMismatchSignedPayload

Constants

DEFAULT_SSH_HOST_KEY_PATH

Functions

default_ssh_host_key_path
sha256_jcs: Hex SHA-256 of JCS-canonical bytes; binds evidence_snippet to its envelope.
try_sign: Returns None for both “not configured” and “configured but failed”; the runtime-failure path emits an error! so auditors can distinguish them.