clasp_caps/lib.rs
1//! Delegatable capability tokens for CLASP
2//!
3//! Implements UCAN-inspired capability tokens where each token in a
4//! delegation chain can only narrow (attenuate) scopes, never widen.
5//!
6//! Tokens use Ed25519 signatures and can be chained:
7//!
8//! ```text
9//! Root token: admin:/**
10//! -> Child: write:/lights/** (valid: admin allows write)
11//! -> Grand: write:/lights/room1/** (valid: narrower pattern)
12//! -> Bad: write:/audio/** (rejected: not subset of /lights/**)
13//! ```
14//!
15//! # Token Format
16//!
17//! `cap_<base64url(messagepack(CapabilityToken))>`
18//!
19//! # Integration
20//!
21//! Add to `ValidatorChain` alongside existing CPSK tokens:
22//!
23//! ```no_run
24//! use clasp_caps::{CapabilityValidator, CapabilityToken};
25//! use ed25519_dalek::SigningKey;
26//!
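27//! // Create validator with trusted root key. The fixed bytes below are a constructed demo key: generate real root keys from a CSPRNG and keep the signing half out of source.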
28//! let root_key = SigningKey::from_bytes(&[1u8; 32]);
29//! let pub_key = root_key.verifying_key().to_bytes().to_vec();
30//! let validator = CapabilityValidator::new(vec![pub_key], 5);
31//!
32//! // Use with ValidatorChain
33//! // chain.add(validator);
34//! ```
35
36pub mod error;
37pub mod token;
38pub mod validator;
39
40pub use error::{CapError, Result};
41pub use token::{CapabilityToken, ProofLink};
42pub use validator::CapabilityValidator;