astrid_capabilities/lib.rs
1//! Astrid Capabilities - Cryptographically signed authorization tokens.
2//!
3//! This crate provides:
4//! - Capability tokens with ed25519 signatures
5//! - Resource patterns with glob matching
6//! - Session and persistent token storage
7//! - Token validation and authorization checking
8//!
9//! # Security Model
10//!
11//! Every capability token is:
12//! - Signed by the runtime's ed25519 key
13//! - Linked to the approval audit entry that created it
14//! - Optionally time-bounded (expiration is optional, so a token may carry no expiry)
15//! - Scoped (session or persistent)
16//!
17//! # Example
18//!
19//! ```
20//! use astrid_capabilities::{
21//! CapabilityToken, CapabilityStore, ResourcePattern, TokenScope, AuditEntryId,
22//! };
23//! use astrid_core::Permission;
24//! use astrid_crypto::KeyPair;
25//!
26//! // Create a capability store
27//! let store = CapabilityStore::in_memory();
28//!
29//! // Runtime key for signing
30//! let runtime_key = KeyPair::generate();
31//!
32//! // Create a capability token
33//! let token = CapabilityToken::create(
34//! ResourcePattern::new("mcp://filesystem:*").unwrap(),
35//! vec![Permission::Invoke],
36//! TokenScope::Session,
37//! runtime_key.key_id(),
38//! AuditEntryId::new(),
39//! &runtime_key,
40//! None,
41//! );
42//!
43//! // Add to store
44//! store.add(token).unwrap();
45//!
46//! // Check capability: the `mcp://filesystem:*` glob covers the concrete `read_file` resource
47//! assert!(store.has_capability("mcp://filesystem:read_file", Permission::Invoke));
48//! ```
49
// Crate-wide lint policy. Every lint below is raised to an error for this crate.
//
// Reject `unsafe` blocks and items. `deny` can still be overridden by a local
// `#[allow(unsafe_code)]`, whereas `forbid` cannot.
// NOTE(review): confirm no submodule relies on such an override.
50#![deny(unsafe_code)]
// Every public item must carry documentation.
51#![deny(missing_docs)]
// Treat Clippy's default lint groups as errors.
52#![deny(clippy::all)]
// Flag `pub` items that are not reachable from outside the crate.
53#![deny(unreachable_pub)]
// Disallow `.unwrap()` on `Option`/`Result`, so a failure must be handled
// explicitly instead of panicking.
54#![deny(clippy::unwrap_used)]
// Test builds only: `.unwrap()` is allowed again.
55#![cfg_attr(test, allow(clippy::unwrap_used))]
56
57pub mod prelude;
58
59mod error;
60mod handle;
61mod pattern;
62mod store;
63mod token;
64mod validator;
65
66pub use error::{CapabilityError, CapabilityResult};
67pub use handle::{DirHandle, FileHandle};
68pub use pattern::ResourcePattern;
69pub use store::CapabilityStore;
70pub use token::{AuditEntryId, CapabilityToken, TokenScope};
71pub use validator::{AuthorizationResult, CapabilityValidator};