Runtime mandate enforcement.
This module provides runtime authorization and consumption of mandates for tool calls. It ensures atomic single-use enforcement, nonce replay prevention, and idempotent consumption.
Architecture (SPEC-Mandate-v1.0.3 §7)

┌─────────────────────────────────────────────────────────────────┐
│                            MCP Proxy                            │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────────┐   │
│  │ Policy Check │───▶│  Authorizer  │───▶│ Forward to Tool  │   │
│  └──────────────┘    └──────┬───────┘    └────────┬─────────┘   │
│                             │                     │             │
│                     ┌───────▼───────┐      ┌──────▼──────┐      │
│                     │ MandateStore  │      │ Tool Server │      │
│                     │   (SQLite)    │      └────────────┘       │
│                     └───────────────┘                           │
└─────────────────────────────────────────────────────────────────┘

Structs
- Authorizer - Runtime authorizer.
- AuthzConfig - Authorization configuration.
- AuthzReceipt - Authorization receipt returned after successful consumption.
- ConsumeParams - Parameters for consume_mandate.
- MandateData - Mandate data for authorization (extracted from the signed mandate).
- MandateMetadata - Mandate metadata for upsert.
- MandateStore - SQLite-backed mandate store.
- ToolCallData - Tool call data for authorization.

Enums
- AuthorizeError - Combined authorization error.
- AuthzError - Authorization errors.
- MandateKind - Mandate kind.
- OperationClass - Operation class for tool classification.
- PolicyError - Policy-level authorization errors (raised before any database access).

Constants
- DEFAULT_CLOCK_SKEW_SECONDS - Default clock skew tolerance in seconds.
- MANDATE_SCHEMA - DDL for the mandate runtime enforcement tables.

Functions
- compute_use_id - Compute the deterministic use_id per SPEC-Mandate-v1.0.4 §7.4.