agentic_identity/negative/
types.rs

1//! Data structures for negative capability proofs.
2
3use serde::{Deserialize, Serialize};
4
5use crate::identity::IdentityId;
6use crate::receipt::witness::WitnessSignature;
7use crate::spawn::SpawnId;
8
9// ---------------------------------------------------------------------------
10// Impossibility reason
11// ---------------------------------------------------------------------------
12
13/// Reason why a capability is structurally impossible.
14#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
15pub enum ImpossibilityReason {
16    /// Not in identity's capabilities ceiling
17    NotInCeiling,
18
19    /// No ancestor in lineage has this capability
20    NotInLineage,
21
22    /// Explicitly excluded at spawn time
23    SpawnExclusion { spawn_id: SpawnId },
24
25    /// Capability structurally doesn't exist
26    CapabilityNonexistent,
27
28    /// Voluntarily declared impossible
29    VoluntaryDeclaration { declaration_id: DeclarationId },
30}
31
32// ---------------------------------------------------------------------------
33// Negative capability proof
34// ---------------------------------------------------------------------------
35
36/// Unique identifier for a negative proof.
37#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
38pub struct NegativeProofId(pub String);
39
40impl std::fmt::Display for NegativeProofId {
41    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
42        write!(f, "{}", self.0)
43    }
44}
45
46/// Negative capability proof — cryptographic evidence that an agent CANNOT do something.
47#[derive(Debug, Clone, Serialize, Deserialize)]
48pub struct NegativeCapabilityProof {
49    pub proof_id: NegativeProofId,
50    pub identity: IdentityId,
51    pub cannot_do: String, // CapabilityUri
52    pub reason: ImpossibilityReason,
53    pub evidence: NegativeEvidence,
54    pub generated_at: u64,
55    pub valid_until: Option<u64>,
56    pub proof_hash: String,
57    pub signature: String,
58}
59
60// ---------------------------------------------------------------------------
61// Negative evidence
62// ---------------------------------------------------------------------------
63
64/// Evidence supporting the impossibility claim.
65#[derive(Debug, Clone, Serialize, Deserialize)]
66pub enum NegativeEvidence {
67    /// Ceiling proof — the ceiling doesn't include the capability
68    CeilingExclusion {
69        ceiling: Vec<String>,
70        ceiling_hash: String,
71    },
72
73    /// Lineage proof — no ancestor has the capability
74    LineageExclusion {
75        lineage: Vec<IdentityId>,
76        ancestor_ceilings: Vec<(IdentityId, Vec<String>)>,
77        lineage_hash: String,
78    },
79
80    /// Spawn exclusion — spawn record explicitly excludes
81    SpawnExclusion {
82        spawn_id: SpawnId,
83        spawn_record_hash: String,
84        exclusions: Vec<String>,
85    },
86
87    /// Voluntary declaration as evidence
88    Declaration { declaration_id: DeclarationId },
89}
90
91// ---------------------------------------------------------------------------
92// Negative declaration
93// ---------------------------------------------------------------------------
94
95/// Unique identifier for a negative declaration.
96#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
97pub struct DeclarationId(pub String);
98
99impl std::fmt::Display for DeclarationId {
100    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
101        write!(f, "{}", self.0)
102    }
103}
104
105/// Voluntary negative capability declaration — self-imposed restriction.
106#[derive(Debug, Clone, Serialize, Deserialize)]
107pub struct NegativeDeclaration {
108    pub declaration_id: DeclarationId,
109    pub identity: IdentityId,
110    pub cannot_do: Vec<String>, // CapabilityUris
111    pub reason: String,
112    pub declared_at: u64,
113    pub permanent: bool,
114    pub witnesses: Vec<WitnessSignature>,
115    pub signature: String,
116}
117
118// ---------------------------------------------------------------------------
119// Negative verification
120// ---------------------------------------------------------------------------
121
122/// Verification result for a negative proof.
123#[derive(Debug, Clone)]
124pub struct NegativeVerification {
125    pub proof_id: NegativeProofId,
126    pub identity: IdentityId,
127    pub capability: String,
128    pub reason_valid: bool,
129    pub evidence_valid: bool,
130    pub signature_valid: bool,
131    pub is_valid: bool,
132    pub verified_at: u64,
133    pub errors: Vec<String>,
134}
agentic_identity/negative/types.rs

agentic_identity/negative/
types.rs
