Evidence probe runner (RFC-0007 §3.1 + §7). READ-ONLY consumer of the local collector unit’s signed evidence file.
The collector (`compliance-evidence-collector.service`) owns its own systemd timer and cadence; this runner does NOT trigger it. On each tick the runner:

- Reads `evidence_path` (default `/var/lib/nixfleet-compliance/evidence.json`).
- Verifies the ed25519 signature against the host's SSH ed25519 public key half (RFC-0009 §5). The signature is read from `<path>.sig`: the base64 encoding of the 64-byte signature over the JCS canonical bytes of the payload's `controls` array.
- Filters `controls` to `framework == decl.framework` and produces per-control sub_results. Aggregate Pass iff every framework-matching control is Pass.

Any error (file missing, parse, signature mismatch, framework missing) → Fail (RFC-0007 §6 uniform strict mode).
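The tick described above, written out as an added example; it is not code from this crate or its RFCs. Go is used because its standard library covers ed25519 and compact JSON without external crates. It assumes the 32-byte key half has already been extracted from the host's SSH public key (the page lists `resolve_host_pubkey` for that step), and the control field names `id` and `result` are assumptions: the page names only `framework`. The evidence payload and the throwaway signing key are constructed for the demonstration. Every error path collapses to Fail with a reason, matching the uniform strict mode.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ProbeResult is one tick's outcome; Pass is true only when every control
// matching the declared framework is Pass and no error occurred.
type ProbeResult struct {
	Pass       bool
	Reason     string          // why the tick failed; empty on Pass
	SubResults map[string]bool // control id (assumed field "id") -> passed
}

// canonicalControls returns the RFC 8785 (JCS) bytes of the `controls` array:
// sorted keys, no whitespace, no HTML escaping. Go's compact encoder emits exactly
// that for ASCII-only payloads such as the fixture below; a production runner
// should use a dedicated JCS implementation for full RFC 8785 coverage.
func canonicalControls(controls []any) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(controls); err != nil {
		return nil, err
	}
	return bytes.TrimSuffix(buf.Bytes(), []byte("\n")), nil
}

// runProbe is one tick: parse, verify, filter, aggregate. Every error path
// returns Fail with a reason (uniform strict mode). pub is the 32-byte ed25519
// half already extracted from the host's SSH public key.
func runProbe(evidence []byte, sigB64 string, pub ed25519.PublicKey, framework string) ProbeResult {
	fail := func(why string) ProbeResult { return ProbeResult{Reason: why} }
	var doc map[string]any
	if err := json.Unmarshal(evidence, &doc); err != nil {
		return fail("parse: " + err.Error())
	}
	controls, ok := doc["controls"].([]any)
	if !ok {
		return fail("payload has no controls array")
	}
	// <path>.sig holds the base64 of a raw 64-byte signature and nothing else.
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(sigB64))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return fail("signature is not a base64 64-byte ed25519 signature")
	}
	canon, err := canonicalControls(controls)
	if err != nil {
		return fail("canonicalise: " + err.Error())
	}
	// The signature covers only the controls array, so the verifier recomputes
	// exactly those bytes; any edit to a control entry invalidates it.
	if !ed25519.Verify(pub, canon, sig) {
		return fail("signature mismatch")
	}
	sub := map[string]bool{}
	for _, c := range controls {
		m, _ := c.(map[string]any) // nil on a non-object entry; reads then yield zero values
		if fw, _ := m["framework"].(string); fw != framework {
			continue
		}
		id, _ := m["id"].(string)         // assumed field name
		result, _ := m["result"].(string) // assumed field name; "Pass" or "Fail"
		sub[id] = result == "Pass"
	}
	if len(sub) == 0 {
		return fail("framework " + framework + " missing from evidence")
	}
	res := ProbeResult{Pass: true, SubResults: sub}
	for _, passed := range sub {
		if !passed {
			res.Pass, res.Reason = false, "one or more framework-matching controls failed"
		}
	}
	return res
}

// fixture builds a constructed evidence payload and a matching .sig with a
// throwaway key; it stands in for the collector's output on disk.
func fixture() ([]byte, string, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	evidence := []byte(`{"host":"node-a","controls":[` +
		`{"id":"ssh-root-login","framework":"baseline","result":"Pass"},` +
		`{"id":"disk-encryption","framework":"baseline","result":"Pass"},` +
		`{"id":"custom-1","framework":"internal","result":"Fail"}]}`)
	var doc map[string]any
	_ = json.Unmarshal(evidence, &doc)
	canon, _ := canonicalControls(doc["controls"].([]any))
	return evidence, base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canon)), pub
}

func main() {
	evidence, sig, pub := fixture()
	fmt.Printf("%+v\n", runProbe(evidence, sig, pub, "baseline"))
	fmt.Printf("%+v\n", runProbe(evidence, sig, pub, "internal"))
}
```

Because the signature is bound to the canonical form of `controls` rather than to the file bytes, re-serialising the evidence with different whitespace or key order still verifies, while flipping a single control's `result` does not; a framework with no matching controls is reported as Fail rather than as an empty Pass.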
Functions

- `probe_level_mode` 🔒
  Probe-level fallback mode parsed from `ProbeDecl.mode`. Used by the per-control effective-mode resolver when neither `controls` nor `controlOverrides` declares a control-specific value.
- `push_entry_sub_results` 🔒
  Expand one `EvidenceControlEntry` into `ProbeSubResult`s respecting the probe's selection mode. Pushes one sub-result per (framework, article) tuple in scope. `override_reason` carries the operator's audit rationale (when an override applied) onto every sub-result the entry produces; the value is shared across all per-article rows because the override is on the control, not the article.
- `resolve_effective_mode` 🔒
  Resolve the effective mode for a control by consulting the probe's `controls` map (custom-framework declaration) first, then `controlOverrides` (per-framework override), then falling back to the probe-level mode. For framework probes, controls whose `frameworkArticles` don't cover the probe's framework are skipped at the caller — this fn assumes the control is in scope. Returns the resolved mode plus the operator's audit rationale (`reason`) when an override applied; `None` when the probe-level mode was the fallback (no per-control override declared).
- `resolve_host_pubkey` 🔒
- `run`