Expand description
basil: client library for the basil agent.
The public client talks to Basil’s broker over gRPC.
Re-exports§
pub use client::AgentDecision;pub use client::AgentExplanation;pub use client::AgentHealth;pub use client::AgentReadiness;pub use client::AgentReload;pub use client::AgentRevocation;pub use client::AgentStatus;pub use client::AllowedNatsSigner;pub use client::Client;pub use client::ImportEntry;pub use client::IssuedCertificate;pub use client::KeyHandle;pub use client::MatchedRule;pub use client::MintedJwt;pub use client::NatsJwtValidation;pub use client::NatsJwtValidationReason;pub use client::NatsUserPermissions;pub use client::ReadinessReason;pub use client::ReloadRejection;pub use client::SecretValue;pub use client::SignNatsJwtOptions;pub use client_sync::BlockingClient;pub use error::Error;pub use error::Result;pub use sealed_invocation::BrokerRecipient;pub use sealed_invocation::BrokerSigner;pub use sealed_invocation::CarrierSigner;pub use sealed_invocation::CarrierSignerConfig;pub use sealed_invocation::LocalCarrierSigner;pub use sealed_invocation::LocalSealedInvocationRecipient;pub use sealed_invocation::LocalSealedInvocationSigner;pub use sealed_invocation::PreparedSealedInvocation;pub use sealed_invocation::SealedInvocationCarrier;pub use sealed_invocation::SealedInvocationError;pub use sealed_invocation::SealedInvocationOptions;pub use sealed_invocation::SealedInvocationResponseError;pub use sealed_invocation::prepare_sealed_invocation;pub use sealed_invocation::verify_and_decrypt_sign_response;pub use sealed_invocation::verify_and_open_sign_response;pub use stream::AeadSuite;pub use stream::BrokerCekRecovery;pub use stream::CekRecovery;pub use stream::CekSource;pub use stream::DEFAULT_CHUNK_SIZE;pub use stream::LocalSeedCekRecovery;pub use stream::MAX_CHUNK_SIZE;pub use stream::MlKemSuite;pub use stream::StreamError;pub use stream::StreamKemEnvelope;pub use stream::StreamResult;pub use stream::decrypt_aead;pub use stream::decrypt_ml_kem;pub use stream::encrypt_aead;pub use stream::encrypt_ml_kem;
Modules§
- client
- Async gRPC client for the basil broker.
- client_
sync - Blocking client for the basil agent.
- constants
- Shared constants for the wire protocol and codec.
- error
- Client-side error type.
- proto
- Basil domain wire types re-exported for client API stability.
- sealed_
invocation - Client-side COSE sealed invocation helpers.
- stream
- Streaming, chunked authenticated encryption for large payloads and files.
Structs§
- Catalog
Entry - Metadata for one visible catalog entry.
- Ciphertext
Envelope - Self-describing AEAD ciphertext produced by
encryptand consumed bydecrypt. The broker owns the nonce. - Event
- A change-notification event streamed by
Watch. - Grpc
Catalog Entry - One visible catalog entry, streamed by
ListCatalog. - Grpc
Ciphertext Envelope - Self-describing AEAD ciphertext from
Encrypt, consumed byDecrypt. The broker owns the nonce, so a caller can neither choose nor misuse it. - Grpc
KeyMaterial - BYOK key material for
Import/ImportSet. Write-only: it is accepted into the vault but never returned by any RPC. - KemEnvelope
- A KEM + AEAD envelope from
WrapEnvelope, consumed byUnwrapEnvelope.
Enums§
- Aead
Algorithm - AEAD suite used for Basil-owned nonce encryption.
- Catalog
Kind - The kind of a catalog entry.
- Envelope
Algorithm - AEAD that seals the payload under the KEM-derived key in an envelope.
- Event
Kind - The kind of a change
Event. - Grpc
Aead Algorithm - AEAD suite for
Encrypt/Decrypt. Basil owns the nonce in every case. - Grpc
Catalog Kind - The class of a catalog entry, returned by
ListCatalog. - Grpc
Nats JwtValidation Reason - Result of validating a presented NATS JWT.
- KemAlgorithm
- Key-encapsulation mechanism for
WrapEnvelope/UnwrapEnvelope. - KeyMaterial
- BYOK key material for import. Write-only; never returned to clients.
- KeyType
- Asymmetric key type used by key creation, import, signing, and minting.
- Nats
JtiMode - How SignNatsJwt handles a supplied but incorrect NATS
jti. - Nats
JwtType - NATS JWT claim shape for validated arbitrary NATS JWT signing.
- Signing
Algorithm - Signature scheme for
Sign/Verify.UNSPECIFIEDlets the broker pick the scheme implied by the key’s catalog type.