Expand description
Portable scope matching for tool grants.
This module implements portable scope matching for tool grants.
The hosted kernel still carries the richest matcher in
chio-kernel::request_matching, but the portable core must never
silently drop a grant constraint. Constraints that can be evaluated
from request arguments are enforced here; constraints that require
richer kernel state (governed intent, runtime attestation, SQL result
inspection, regex compilation, etc.) fail closed with an explicit
error instead of widening scope.
Callers that want the full constraint pipeline continue to go through
chio_kernel::capability_matches_request – the public API in the
orchestration shell is unchanged. This function is the pure-compute
kernel the portable adapters will consume directly.
Verified-core boundary note:
formal/proof-manifest.toml includes the portable matcher because it is
the fail-closed subset of scope evaluation that never reaches into stores,
regex engines, runtime-attestation records, or governed-transaction state.
Structs§
- Matched
Grant - Borrowed match result, ordered by specificity.
Enums§
- Scope
Match Error - Errors that can be raised by the portable scope matcher.
Functions§
- resolve_
capability_ grants - Convenience wrapper that runs
resolve_matching_grantsagainst a full capability token. - resolve_
matching_ grants - Resolve the set of grants that authorise a tool invocation on the given server.