Crate clasp_caps

Delegatable capability tokens for CLASP

Implements UCAN-inspired capability tokens where each token in a delegation chain can only narrow (attenuate) scopes, never widen.

Tokens use Ed25519 signatures and can be chained:

Root token:   admin:/**
  -> Child:   write:/lights/**          (valid: admin allows write)
    -> Grand: write:/lights/room1/**    (valid: narrower pattern)
      -> Bad: write:/audio/**           (rejected: not subset of /lights/**)
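
The attenuation rule in the chain above, sketched as an added example (not the crate's own code). The function names, the one-scope-per-token simplification, the admin-over-write ranking and the trailing `**` matching rule are assumptions made for illustration.

```rust
// Added illustration, not clasp_caps source. One scope per token is assumed.
/// Assumed action ordering: a higher rank implies the lower one.
fn action_rank(action: &str) -> Option<u8> {
    match action {
        "write" => Some(1),
        "admin" => Some(2),
        _ => None, // unknown actions never delegate
    }
}

/// True if every path matched by `child` is also matched by `parent`.
/// Assumed semantics: a trailing "**" matches any remaining segments.
fn pattern_within(parent: &str, child: &str) -> bool {
    let p: Vec<&str> = parent.split('/').collect();
    let c: Vec<&str> = child.split('/').collect();
    if c.iter().any(|s| *s == "..") {
        return false; // refuse traversal segments instead of normalising them
    }
    for (i, seg) in p.iter().enumerate() {
        if *seg == "**" {
            return i == p.len() - 1; // "**" is only honoured as the last segment
        }
        if c.get(i) != Some(seg) {
            return false; // child diverges from, or is wider than, the parent
        }
    }
    p.len() == c.len()
}

/// Scope strings have the form "action:/path/pattern".
fn scope_within(parent: &str, child: &str) -> bool {
    let (Some((pa, pp)), Some((ca, cp))) = (parent.split_once(':'), child.split_once(':')) else {
        return false;
    };
    match (action_rank(pa), action_rank(ca)) {
        (Some(p), Some(c)) => c <= p && pattern_within(pp, cp),
        _ => false,
    }
}

/// Walks root -> leaf; Err(i) is the index of the first link that widens.
fn check_chain(chain: &[&str]) -> Result<(), usize> {
    (1..chain.len()).find(|&i| !scope_within(chain[i - 1], chain[i])).map_or(Ok(()), Err)
}

fn main() {
    println!("{:?}", check_chain(&["admin:/**", "write:/lights/**", "write:/audio/**"]));
}
```

Each link is checked only against its direct parent, so a widened scope is rejected at the first link where it appears.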

§Token Format

cap_<base64url(messagepack(CapabilityToken))>

§Integration

Add the validator to a ValidatorChain alongside existing CPSK tokens:

use clasp_caps::{CapabilityValidator, CapabilityToken};
use ed25519_dalek::SigningKey;

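// Trusted root signing key (fixed demo bytes here; a deployment loads its own secret key)
let root_key = SigningKey::from_bytes(&[1u8; 32]);
// Only the public half is handed to the validator
let pub_key = root_key.verifying_key().to_bytes().to_vec();
// Create validator with the trusted root public key
let validator = CapabilityValidator::new(vec![pub_key], 5);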

// Use with ValidatorChain
// chain.add(validator);

Re-exports§

pub use error::CapError;
pub use error::Result;
pub use token::CapabilityToken;
pub use validator::CapabilityValidator;

Modules§

error
Capability token error types
token
Capability token types and operations
validator
Capability token validator for CLASP router integration