Crate capsec_core 

capsec-core

Zero-cost capability tokens and permission traits for compile-time capability-based security in Rust.

This crate provides the foundational types that the rest of the capsec ecosystem builds on:

• Permission — sealed marker trait for capability categories
• Cap<P> — zero-sized proof token that the holder has permission P
• Has<P> — trait for checking and composing capabilities
• CapRoot — the singleton root of all capability grants
• Attenuated<P, S> — scope-restricted capabilities
• CapSecError — error types for scope violations and I/O

All capability types are zero-sized at runtime. The security model is enforced entirely through the type system — no runtime overhead.

Quick start

use capsec_core::root::test_root;
use capsec_core::permission::{FsRead, NetConnect};
use capsec_core::has::Has;

// Create a capability root (use test_root in tests)
let root = test_root();

// Grant individual capabilities
let fs_cap = root.grant::<FsRead>();
let net_cap = root.grant::<NetConnect>();

// Functions declare what they need via Has<P> bounds
fn needs_both(fs: &impl Has<FsRead>, net: &impl Has<NetConnect>) {
    let _ = fs.cap_ref();
    let _ = net.cap_ref();
}

needs_both(&fs_cap, &net_cap);

Modules

attenuate

Scope-restricted capabilities via Attenuated<P, S>.

cap

The zero-sized capability token Cap<P> and its thread-safe variant SendCap<P>.

error

Error types for the capsec capability system.

has

The Has<P> trait — proof that a capability token includes permission P.

permission

The sealed Permission trait and all built-in permission types.

root

The capability root — the single point where ambient authority enters the system.