Capability prescripts: audit-trail and dual-authorization wrappers.
LoggedCap<P> wraps a Cap<P> with an append-only audit log that records every try_cap() invocation.

DualKeyCap<P> wraps a Cap<P> with a dual-authorization gate that requires two independent approvals before try_cap() succeeds.

Neither type implements Has<P> — callers must use try_cap() and handle the fallible result explicitly.
These types implement Saltzer & Schroeder’s “prescript” concept — actions triggered before capability exercise — specifically Design Principle #5 (Separation of Privilege) and #8 (Compromise Recording).
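The following is an added, self-contained sketch of the two prescripts described above, not the crate's own code: its Cap<P>, Prescript trait, CapError, approval handles and one-shot approval semantics are all assumptions made for the example. It wraps a DualKeyCap in a LoggedCap so that the log records denied attempts as well as granted ones, which is the point of combining Separation of Privilege with Compromise Recording.

```rust
use std::cell::{Cell, RefCell};
use std::marker::PhantomData;
use std::rc::Rc;

/// Stand-in for the crate's Cap<P>: a zero-sized proof that permission P is held.
/// (Assumed shape for this example; the real type is not reproduced.)
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Cap<P>(PhantomData<P>);

/// Example permission marker, constructed for this example.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct WriteConfig;

/// Anything that can be asked for a Cap<P> and may refuse. Note there is no
/// infallible accessor: callers must go through try_cap() and handle Err.
pub trait Prescript<P> {
    fn try_cap(&self) -> Result<Cap<P>, CapError>;
}

/// A bare Cap<P> grants itself unconditionally: no prescript runs.
impl<P: Copy> Prescript<P> for Cap<P> {
    fn try_cap(&self) -> Result<Cap<P>, CapError> { Ok(*self) }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum CapError {
    /// The dual-authorization gate was closed; reports which approvals were present.
    MissingApproval { a: bool, b: bool },
}

/// One record per try_cap() call on a LoggedCap, granted or not.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LogEntry {
    pub seq: usize,
    pub granted: bool,
    pub error: Option<CapError>,
}

/// Audit-trail prescript: records every try_cap() invocation on the wrapped gate.
pub struct LoggedCap<P, G: Prescript<P>> {
    inner: G,
    log: RefCell<Vec<LogEntry>>,
    _p: PhantomData<P>,
}

impl<P, G: Prescript<P>> LoggedCap<P, G> {
    pub fn new(inner: G) -> Self {
        Self { inner, log: RefCell::new(Vec::new()), _p: PhantomData }
    }

    /// Read-only copy of the trail; there is deliberately no way to truncate it.
    pub fn audit_log(&self) -> Vec<LogEntry> { self.log.borrow().clone() }
}

impl<P, G: Prescript<P>> Prescript<P> for LoggedCap<P, G> {
    /// The entry is appended before the result is returned, so a denied
    /// attempt leaves a trace too (compromise recording).
    fn try_cap(&self) -> Result<Cap<P>, CapError> {
        let result = self.inner.try_cap();
        let mut log = self.log.borrow_mut();
        let seq = log.len() + 1;
        log.push(LogEntry { seq, granted: result.is_ok(), error: result.as_ref().err().cloned() });
        result
    }
}

/// Approval handles; each is meant to be held by a different principal.
pub struct ApproverA(Rc<Cell<bool>>);
pub struct ApproverB(Rc<Cell<bool>>);
impl ApproverA { pub fn approve(&self) { self.0.set(true); } }
impl ApproverB { pub fn approve(&self) { self.0.set(true); } }

/// Dual-authorization prescript: try_cap() succeeds only when both approvals
/// are present, and spends them so every exercise needs two fresh approvals
/// (one-shot semantics are an assumption of this example).
pub struct DualKeyCap<P, G: Prescript<P>> {
    inner: G,
    a: Rc<Cell<bool>>,
    b: Rc<Cell<bool>>,
    _p: PhantomData<P>,
}

impl<P, G: Prescript<P>> DualKeyCap<P, G> {
    pub fn new(inner: G) -> (Self, ApproverA, ApproverB) {
        let (a, b) = (Rc::new(Cell::new(false)), Rc::new(Cell::new(false)));
        let cap = Self { inner, a: a.clone(), b: b.clone(), _p: PhantomData };
        (cap, ApproverA(a), ApproverB(b))
    }
}

impl<P, G: Prescript<P>> Prescript<P> for DualKeyCap<P, G> {
    fn try_cap(&self) -> Result<Cap<P>, CapError> {
        let (a, b) = (self.a.get(), self.b.get());
        if !(a && b) {
            return Err(CapError::MissingApproval { a, b });
        }
        let result = self.inner.try_cap();
        if result.is_ok() {
            // Both approvals are consumed only once the capability was actually issued.
            self.a.set(false);
            self.b.set(false);
        }
        result
    }
}

/// Worked scenario: denied (only A approved), granted (A and B approved),
/// then denied again because the approvals were spent. Returns the trail.
pub fn scenario() -> Vec<LogEntry> {
    let root: Cap<WriteConfig> = Cap(PhantomData);
    let (dual, approver_a, approver_b) = DualKeyCap::<WriteConfig, _>::new(root);
    let audited: LoggedCap<WriteConfig, _> = LoggedCap::new(dual);

    approver_a.approve();
    let _ = audited.try_cap(); // denied: B missing
    approver_b.approve();
    let _ = audited.try_cap(); // granted: both present, then consumed
    let _ = audited.try_cap(); // denied: approvals already spent
    audited.audit_log()
}

fn main() {
    for entry in scenario() {
        println!("{entry:?}");
    }
}
```

The order of wrapping matters: LoggedCap around DualKeyCap records the gate's refusals, whereas DualKeyCap around LoggedCap would only log attempts that already passed the gate.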
Structs
- ApproverA - First approval handle for a DualKeyCap.
- ApproverB - Second approval handle for a DualKeyCap.
- DualKeyCap - A dual-authorization capability requiring two independent approvals.
- DualKeySendCap - A thread-safe dual-authorization capability token.
- LogEntry - A record of a single capability exercise attempt.
- LoggedCap - An audited capability token that logs every exercise attempt.
- LoggedSendCap - A thread-safe audited capability token.