Context
verify_for_load returns a VerifiedLoadPlan with verified primary artifact metadata and a slice of auxiliary artifact plans. OrdinalDB can iterate that slice to find its required ordinaldb.ids sidecar, but every caller that needs a named sidecar will otherwise repeat the same missing/duplicate/name/state checks.
A small lookup helper keeps the verifier as the shared source of truth for sidecar resolution and reduces downstream bundle boilerplate.
Related: #148 covers unified report shape. This issue is specifically about ergonomic, typed access to verified named auxiliary artifacts in the load plan.
Evidence
VerifiedLoadPlan stores auxiliary_artifacts: Vec<VerifiedAuxiliaryArtifactPlan>: ordvec-manifest/src/lib.rs:2759-2766.- Public API currently exposes only
auxiliary_artifacts(&self) -> &[VerifiedAuxiliaryArtifactPlan]: ordvec-manifest/src/lib.rs:2842-2844.
VerifiedAuxiliaryArtifactPlan exposes per-artifact accessors, including path and state, but no load-plan-level lookup: ordvec-manifest/src/lib.rs:2933-2985.- Verifier shape validation already rejects duplicate auxiliary names at manifest-shape time:
ordvec-manifest/src/lib.rs:497-516.
Proposed Shape
Sketch:
impl VerifiedLoadPlan {
pub fn auxiliary_by_name(&self, name: &str) -> Option<&VerifiedAuxiliaryArtifactPlan>;
pub fn require_auxiliary(
&self,
name: &str,
) -> Result<&VerifiedAuxiliaryArtifactPlan, VerifiedLoadPlanError>;
}require_auxiliary should ensure the artifact exists and has a resolved verified path when required for load.
Acceptance Criteria
auxiliary_by_name returns a named verified auxiliary plan without callers manually iterating.require_auxiliary returns a typed error for missing sidecar or unavailable path/state.- Behavior is deterministic even if a malformed manifest somehow has duplicate names; ideally duplicates remain rejected earlier.
- Tests cover found, missing, optional-absent, and required-missing cases.
- Docs show the intended load pattern:
verify_for_load → require_auxiliary("ordinaldb.ids") → application-specific sidecar parser.
Non-goals
- No application-specific sidecar parsing.
- No byte pinning or file locking beyond the existing
VerifiedLoadPlan contract.
- No semantic approval policy beyond verification facts.
Context
verify_for_loadreturns aVerifiedLoadPlanwith verified primary artifact metadata and a slice of auxiliary artifact plans. OrdinalDB can iterate that slice to find its requiredordinaldb.idssidecar, but every caller that needs a named sidecar will otherwise repeat the same missing/duplicate/name/state checks.A small lookup helper keeps the verifier as the shared source of truth for sidecar resolution and reduces downstream bundle boilerplate.
Related: #148 covers unified report shape. This issue is specifically about ergonomic, typed access to verified named auxiliary artifacts in the load plan.
Evidence
VerifiedLoadPlanstoresauxiliary_artifacts: Vec<VerifiedAuxiliaryArtifactPlan>:ordvec-manifest/src/lib.rs:2759-2766.auxiliary_artifacts(&self) -> &[VerifiedAuxiliaryArtifactPlan]:ordvec-manifest/src/lib.rs:2842-2844.VerifiedAuxiliaryArtifactPlanexposes per-artifact accessors, including path and state, but no load-plan-level lookup:ordvec-manifest/src/lib.rs:2933-2985.ordvec-manifest/src/lib.rs:497-516.Proposed Shape
Sketch:
require_auxiliaryshould ensure the artifact exists and has a resolved verified path when required for load.Acceptance Criteria
auxiliary_by_namereturns a named verified auxiliary plan without callers manually iterating.require_auxiliaryreturns a typed error for missing sidecar or unavailable path/state.verify_for_load→require_auxiliary("ordinaldb.ids")→ application-specific sidecar parser.Non-goals
VerifiedLoadPlancontract.