Enum AdminRequestKind

Source

pub enum AdminRequestKind {
Show 21 variants    AgentCreate {
        name: String,
        groups: Vec<String>,
        grants: Vec<String>,
    },
    AgentDelete {
        principal: PrincipalId,
    },
    AgentEnable {
        principal: PrincipalId,
    },
    AgentDisable {
        principal: PrincipalId,
    },
    AgentList,
    AgentModify {
        principal: PrincipalId,
        add_groups: Vec<String>,
        remove_groups: Vec<String>,
    },
    QuotaSet {
        principal: PrincipalId,
        quotas: Quotas,
    },
    QuotaGet {
        principal: PrincipalId,
    },
    UsageGet {
        principal: PrincipalId,
    },
    GroupCreate {
        name: String,
        capabilities: Vec<String>,
        description: Option<String>,
        unsafe_admin: bool,
    },
    GroupDelete {
        name: String,
    },
    GroupModify {
        name: String,
        capabilities: Option<Vec<String>>,
        description: Option<Option<String>>,
        unsafe_admin: Option<bool>,
    },
    GroupList,
    CapsGrant {
        principal: PrincipalId,
        capabilities: Vec<String>,
        unsafe_admin: bool,
    },
    CapsRevoke {
        principal: PrincipalId,
        capabilities: Vec<String>,
    },
    InviteIssue {
        group: String,
        expires_secs: Option<u64>,
        max_uses: u32,
        metadata: Option<String>,
    },
    InviteRedeem {
        token: String,
        public_key: String,
        display_name: Option<String>,
    },
    InviteList,
    InviteRevoke {
        token: String,
    },
    PairDeviceIssue {
        expires_secs: Option<u64>,
        label: Option<String>,
    },
    PairDeviceRedeem {
        token: String,
        public_key: String,
    },
}

Expand description

Typed admin request body — flattened into AdminKernelRequest on the wire as { "method": "...", "params": {...} }.

Every variant is gated by the Layer 5 capability-enforcement preamble through a sibling of required_capability — see required_capability_for_admin_request for the exact mapping. Mutating variants are serialized through the kernel’s admin write lock so concurrent callers cannot interleave on groups.toml / profile.toml.

Variants§

§

AgentCreate

Create a new agent identity. name must pass PrincipalId::new. Defaults to the built-in agent group when groups is empty.

Fields

§name: String

Human-readable name and principal identifier for the new agent.

§groups: Vec<String>

Group memberships for the new principal; empty → ["agent"].

§grants: Vec<String>

Per-principal capability grants beyond group inheritance.

§

AgentDelete

Delete an existing agent identity. The default principal is rejected unconditionally. The principal’s home directory is NOT scrubbed — reclamation is an ops concern.

Fields

§principal: PrincipalId

Principal to delete.

§

AgentEnable

Set enabled = true on the target principal’s profile.

Fields

§principal: PrincipalId

Principal to enable.

§

AgentDisable

Set enabled = false on the target principal’s profile. In-flight invocations finish under the old value; new invocations are refused.

Fields

§principal: PrincipalId

Principal to disable.

§

AgentList

List every agent principal with a profile on disk.

§

AgentModify

Partial-update an existing agent’s group memberships. Built-in group names (admin, agent, restricted) and custom groups loaded from groups.toml are both accepted as identifiers; validation that the named groups exist happens at the new profile’s validate step. Mutations are idempotent — adding an already-present group or removing an absent one is a no-op.

Fields

§principal: PrincipalId

Principal to modify.

§add_groups: Vec<String>

Groups to add (idempotent).

§remove_groups: Vec<String>

Groups to remove (idempotent — missing entries are no-ops). Removing the last group leaves the agent in zero groups, which the agent built-in does NOT auto-restore; operators who want a baseline should add agent explicitly.

§

QuotaSet

Replace the target principal’s Quotas block. Values are validated before the atomic profile write.

Fields

§principal: PrincipalId

Principal whose quotas are being set.

§quotas: Quotas

Replacement quota values.

§

QuotaGet

Read the target principal’s current Quotas block.

Fields

§principal: PrincipalId

Principal whose quotas are being read.

§

UsageGet

Read the target principal’s current resource usage vs budget — the cross-capsule CPU total plus the configured ceilings. Read-only, scoped exactly like QuotaGet (self:quota:get / quota:get): a principal can read its own usage, an admin can read anyone’s.

Fields

§principal: PrincipalId

Principal whose usage is being read.

§

GroupCreate

Create a custom group, validated through the same rules the boot loader applies to groups.toml.

Fields

§name: String

Name of the new custom group.

§capabilities: Vec<String>

Capability patterns conferred by the new group.

§description: Option<String>

Human-readable description.

§unsafe_admin: bool

Required when capabilities contains the universal * pattern.

§

GroupDelete

Remove a custom group. Built-in groups (admin, agent, restricted) are rejected.

Fields

§name: String

Name of the group to remove.

§

GroupModify

Partial-update a custom group. Every provided field replaces the corresponding field on the existing group. Built-ins are rejected.

Fields

§name: String

Name of the group to modify.

§capabilities: Option<Vec<String>>

New capability patterns, if changing.

§description: Option<Option<String>>

New description, if changing. Outer None = keep, inner None = clear.

§unsafe_admin: Option<bool>

New unsafe_admin flag, if changing.

§

GroupList

List every group (built-in + custom) with its capability set.

§

CapsGrant

Append capability patterns to the principal’s grants vec. Does NOT clear matching revokes — revoke precedence is preserved.

Fields

§principal: PrincipalId

Principal receiving the grants.

§capabilities: Vec<String>

Capability patterns to add.

§unsafe_admin: bool

Required when capabilities contains the universal * pattern. Mirrors the unsafe_admin rail on Self::GroupCreate / Self::GroupModify so an individual grant cannot escalate a principal to universal admin without an explicit acknowledgement.

§

CapsRevoke

Append capability patterns to the principal’s revokes vec. Safe to call on caps the principal does not currently hold (pre-emptive revoke).

Fields

§principal: PrincipalId

Principal losing the capabilities.

§capabilities: Vec<String>

Capability patterns to revoke.

§

InviteIssue

Issue a new invite token. Capability-gated by invite:issue. The kernel persists the token under etc/invites.toml with expiry + remaining use count, and the caller publishes the returned redeem URL out-of-band.

Fields

§group: String

Group new redeemers join. Must already exist (built-in or custom) — validated against the live GroupConfig.

§expires_secs: Option<u64>

Seconds until the token expires. None = no expiry (the max-uses counter is the only stop). Capped server-side to 30 days to bound forever-tokens.

§max_uses: u32

Maximum number of successful redemptions before the token is invalidated. Zero is rejected (issuing a dead token serves no purpose).

§metadata: Option<String>

Free-form short label (e.g. “alice’s tablet”) attached to the persisted record. Surfaced by InviteList.

§

InviteRedeem

Redeem an invite token. The token IS the auth: the kernel-side dispatcher special-cases this variant to skip the capability preamble (the caller principal does not yet exist), and the handler verifies the token, mints a fresh principal via the existing AgentCreate machinery, registers the supplied ed25519 public key on the new principal’s profile, and decrements the token’s use counter (deleting the record on the last use).

Fields

§token: String

Opaque token bytes (URL-safe base64) returned from a prior InviteIssue.

§public_key: String

Hex-encoded ed25519 public key (32 bytes / 64 hex chars). Registered on the new principal’s AuthConfig.public_keys.

§display_name: Option<String>

Optional human-friendly name attached to the minted principal. When Some(s), the kernel generates the underlying PrincipalId from s (slugified, collision-checked); when None, a random agent-<8-hex> id is allocated.

§

InviteList

List outstanding invite tokens. Gated by invite:list.

§

InviteRevoke

Revoke an outstanding invite token without consuming it. Gated by invite:revoke.

Fields

§token: String

The opaque token to invalidate.

§

PairDeviceIssue

Issue a pair-device token. Gated by self:auth:pair (the caller can only mint pair-tokens for their own principal — the kernel ignores any target field on the wire and ties the token to the caller). Used to add a new device’s ed25519 public key to an existing principal’s AuthConfig.public_keys without minting a separate principal.

Fields

§expires_secs: Option<u64>

Seconds until the token expires. Capped server-side to 1 hour — pair-tokens are intended for immediate use on a neighbouring device, not for long-lived sharing.

§label: Option<String>

Free-form short label (e.g. “alice’s phone”) persisted alongside the new public key on AuthConfig.public_keys once the token is redeemed.

§

PairDeviceRedeem

Redeem a pair-device token. Like InviteRedeem, the kernel dispatcher special-cases this to bypass the capability preamble — the token IS the auth. The handler verifies the token, appends the supplied public key to the issuing principal’s AuthConfig.public_keys, and decrements / deletes the token record.