Skip to main content

chio_kernel/
capability_lineage.rs

1//! Capability lineage index for Chio kernel.
2//!
3//! This module provides persistence and query functions for capability snapshots.
4//! Snapshots are recorded at issuance time and co-located with the receipt database
5//! for efficient JOINs. The delegation chain can be walked via WITH RECURSIVE CTE.
6
7use serde::{Deserialize, Serialize};
8
9use crate::receipt_store::ReceiptStoreError;
10
11/// A point-in-time snapshot of a capability token persisted at issuance.
12///
13/// Stored in the `capability_lineage` table alongside `chio_tool_receipts`
14/// for efficient JOINs during audit queries.
15#[derive(Debug, Clone, Serialize, Deserialize)]
16pub struct CapabilitySnapshot {
17    /// The unique token ID (matches CapabilityToken.id).
18    pub capability_id: String,
19    /// Hex-encoded subject public key (agent bound to this capability).
20    pub subject_key: String,
21    /// Hex-encoded issuer public key (Capability Authority or delegating agent).
22    pub issuer_key: String,
23    /// Unix timestamp (seconds) when the token was issued.
24    pub issued_at: u64,
25    /// Unix timestamp (seconds) when the token expires.
26    pub expires_at: u64,
27    /// JSON-serialized ChioScope (grants, resource_grants, prompt_grants).
28    pub grants_json: String,
29    /// Depth in the delegation chain. Root capabilities have depth 0.
30    pub delegation_depth: u64,
31    /// Parent capability_id if this was delegated from another token.
32    pub parent_capability_id: Option<String>,
33}
34
35/// A capability snapshot with the source database sequence used for cluster sync.
36#[derive(Debug, Clone, Serialize, Deserialize)]
37pub struct StoredCapabilitySnapshot {
38    pub seq: u64,
39    pub snapshot: CapabilitySnapshot,
40}
41
42/// Errors from capability lineage operations.
43#[derive(Debug, thiserror::Error)]
44pub enum CapabilityLineageError {
45    #[error("receipt store error: {0}")]
46    ReceiptStore(#[from] ReceiptStoreError),
47
48    #[error("sqlite error: {0}")]
49    Sqlite(#[from] rusqlite::Error),
50
51    #[error("json error: {0}")]
52    Json(#[from] serde_json::Error),
53}