Pure capability verification.
Given a CapabilityToken, a trusted-issuer key set, and a clock, this
module answers: “is the signature valid, is the issuer trusted, and is
the capability inside its validity window right now?”. It does NOT
check:
- Revocation (stateful, lives in chio-kernel::revocation_runtime).
- Delegation-chain lineage against the receipt store (IO-dependent).
- Scope match against a request (use crate::scope::resolve_capability_grants).
- DPoP subject binding (lives in chio-kernel::dpop).
All four are orchestrated by chio-kernel::ChioKernel::evaluate_tool_call_sync,
which calls into this module for the pure pieces and its own async/std
plumbing for the rest.
Verified-core boundary note:
formal/proof-manifest.toml includes this module in the bounded verified
core because it performs only issuer-trust, signature, and time-window
checks over an in-memory capability token. Revocation stores, delegation
lineage joins, and transport-bound subject proof remain excluded surfaces.
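The shape of such a pure check, as an added example that is not the crate's own code: the token layout, the error variants, the trusted-issuer map and the keyed-FNV stand-in signature are all constructed for illustration, and a real module would substitute its actual signature primitive (for instance Ed25519) behind the `IssuerKey` trait. The clock is passed in as a plain value so the window check has no hidden state.

```rust
use std::collections::HashMap;

/// Pluggable signature primitive; the real module would wire Ed25519 here.
pub trait IssuerKey { fn verify(&self, msg: &[u8], sig: &[u8]) -> bool; }

/// Constructed token shape for this example (not the crate's own CapabilityToken).
#[derive(Debug, Clone)]
pub struct CapabilityToken {
    pub issuer: String, pub subject: String,
    pub not_before: u64, pub not_after: u64, // unix seconds, inclusive window
    pub signature: Vec<u8>,
}
impl CapabilityToken {
    /// Canonical bytes covered by the signature.
    pub fn signed_bytes(&self) -> Vec<u8> {
        format!("{}|{}|{}|{}", self.issuer, self.subject, self.not_before, self.not_after).into_bytes()
    }
}
#[derive(Debug, PartialEq, Eq)]
pub enum CapabilityError {
    UntrustedIssuer(String), BadSignature,
    NotYetValid { now: u64, not_before: u64 }, Expired { now: u64, not_after: u64 },
}
#[derive(Debug, PartialEq, Eq)]
pub struct VerifiedCapability { pub issuer: String, pub subject: String, pub not_after: u64 }

/// Pure check, in order: issuer trust, signature, validity window. Nothing stateful or
/// IO-bound (revocation, lineage, scope, DPoP) belongs here; the caller orchestrates those.
pub fn verify_capability<K: IssuerKey>(
    token: &CapabilityToken, trusted: &HashMap<String, K>, now: u64,
) -> Result<VerifiedCapability, CapabilityError> {
    // Unknown issuer first: never run a signature check against a key we do not trust.
    let key = trusted.get(&token.issuer)
        .ok_or_else(|| CapabilityError::UntrustedIssuer(token.issuer.clone()))?;
    if !key.verify(&token.signed_bytes(), &token.signature) { return Err(CapabilityError::BadSignature); }
    // Clock is injected, so the window check is deterministic and testable.
    if now < token.not_before { return Err(CapabilityError::NotYetValid { now, not_before: token.not_before }); }
    if now > token.not_after { return Err(CapabilityError::Expired { now, not_after: token.not_after }); }
    Ok(VerifiedCapability { issuer: token.issuer.clone(), subject: token.subject.clone(), not_after: token.not_after })
}

/// Stand-in key for the example only: a keyed FNV-1a tag. NOT a real signature scheme.
pub struct StubKey(pub Vec<u8>);
impl StubKey {
    pub fn tag(&self, msg: &[u8]) -> Vec<u8> {
        let mut h: u64 = 0xcbf29ce484222325;
        for b in self.0.iter().chain(msg) { h ^= *b as u64; h = h.wrapping_mul(0x100000001b3); }
        h.to_be_bytes().to_vec()
    }
}
impl IssuerKey for StubKey { fn verify(&self, msg: &[u8], sig: &[u8]) -> bool { self.tag(msg) == sig } }
```

Note the ordering: a tampered field fails as BadSignature before the window is consulted, and an unknown issuer is rejected before any key material is touched.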
Structs
- VerifiedCapability - The subset of a verified capability that portable callers actually need.
Enums
- CapabilityError - Errors raised by verify_capability.
Functions
- verify_capability - Verify the signature, issuer trust, and time-bounds of a capability token.
- verify_capability_with_trusted - Convenience wrapper around verify_capability that returns the trusted-issuer list as a Vec so adapters can build it lazily.