pub enum Capability {
Show 16 variants
ReadSubject,
ReadRoles,
ReadTeams,
ReadClaims,
ReadPermissions,
ReadClient,
ReadWorkload,
ReadAgent,
ReadHeaders,
WriteHeaders,
ReadLabels,
AppendLabels,
ReadDelegation,
AppendDelegation,
ReadInboundCredentials,
ReadDelegatedTokens,
}Expand description
Declared permission that controls extension access.
§Why no Write* for identity slots
The IdentityResolve and TokenDelegate hook families return result
payloads that the framework consumes to mutate Extensions. Plugins
never write to security.subject / security.client /
security.*_workload / raw_credentials.* directly — those slots
are owned by the framework on behalf of return-based handlers. The
matching write capabilities are therefore absent from this enum
until a use case appears for plugin-driven mutation of these slots
outside the resolve/delegate hooks.
Variants§
ReadSubject
Read the authenticated subject identity (security.subject).
Unlocks the slot but not its sub-fields — roles / teams /
claims / permissions each have their own cap below.
ReadRoles
Read subject roles (security.subject.roles).
ReadTeams
Read subject team memberships (security.subject.teams).
ReadClaims
Read subject claims (security.subject.claims).
ReadPermissions
Read subject permissions (security.subject.permissions).
ReadClient
Read the OAuth client / gateway-access identity
(security.client). Distinct from the user identity
(subject) — a single user can connect through different
clients (first-party browser, third-party agent) and policies
sometimes want to gate on the client.
ReadWorkload
Read either workload-identity slot — both
security.caller_workload (the inbound attested peer) and
security.this_workload (our own outbound identity). One
capability covers both: a plugin either has access to
attested-workload identity or it doesn’t. Distinct from
read_agent which governs session / conversation context,
NOT identity.
ReadAgent
Read the agent execution context (AgentExtension).
NOT a credential — this carries session / conversation /
lineage state, not identity. Identity reads use
read_subject / read_client / read_workload.
ReadHeaders
Read HTTP headers.
WriteHeaders
Write (modify) HTTP headers.
ReadLabels
Read security labels.
AppendLabels
Append security labels (monotonic add-only).
ReadDelegation
Read the delegation chain.
AppendDelegation
Append to the delegation chain (monotonic).
ReadInboundCredentials
Read raw inbound tokens
(raw_credentials.inbound_tokens) — the bearer-token
strings captured at the wire layer before validation.
Narrowly scoped: only IdentityResolve handlers, forwarding
plugins, and a small set of audit plugins should declare it.
Out-of-process plugins can’t see these tokens regardless of
capability — token fields are #[serde(skip)].
ReadDelegatedTokens
Read minted outbound delegated tokens
(raw_credentials.delegated_tokens) — the credentials a
TokenDelegate handler produced for an upstream call. Held by
forwarding / proxy plugins that re-attach them on the outbound
request. Same out-of-process caveat as
read_inbound_credentials.
Trait Implementations§
Source§impl Clone for Capability
impl Clone for Capability
Source§fn clone(&self) -> Capability
fn clone(&self) -> Capability
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreimpl Copy for Capability
Source§impl Debug for Capability
impl Debug for Capability
Source§impl<'de> Deserialize<'de> for Capability
impl<'de> Deserialize<'de> for Capability
Source§fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where
__D: Deserializer<'de>,
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where
__D: Deserializer<'de>,
impl Eq for Capability
Source§impl Hash for Capability
impl Hash for Capability
Source§impl PartialEq for Capability
impl PartialEq for Capability
Source§impl Serialize for Capability
impl Serialize for Capability
impl StructuralPartialEq for Capability
Auto Trait Implementations§
impl Freeze for Capability
impl RefUnwindSafe for Capability
impl Send for Capability
impl Sync for Capability
impl Unpin for Capability
impl UnsafeUnpin for Capability
impl UnwindSafe for Capability
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> DeserializeOwned for Twhere
T: for<'de> Deserialize<'de>,
Source§impl<Q, K> Equivalent<K> for Q
impl<Q, K> Equivalent<K> for Q
Source§fn equivalent(&self, key: &K) -> bool
fn equivalent(&self, key: &K) -> bool
key and return true if they are equal.