
a1/
lib.rs

1#![doc(
2    html_logo_url = "https://raw.githubusercontent.com/dyologician/a1/main/docs/assets/logo.png"
3)]
4#![doc(
5    html_favicon_url = "https://raw.githubusercontent.com/dyologician/a1/main/docs/assets/favicon.ico"
6)]
7#![cfg_attr(docsrs, feature(doc_cfg))]
8//! # A1 — One Identity. Full Provenance. v2.8.0
9//!
10//! The cryptographic identity and authorization layer that turns anonymous AI
11//! agents into accountable, verifiable entities.
12//!
13//! ## What it solves
14//!
15//! When one AI agent delegates a task to another, the authorization chain breaks
16//! down — a liability called the "Recursive Delegation Gap." A1 closes that gap
17//! with a native A1 Passport protocol: every action executed by any agent in a
18//! delegation tree carries an irrefutable, cryptographically verified chain
19//! proving exactly which human authorized it, with enforced scope boundaries
20//! that hold offline.
21//!
22//! ## v2.8.0 additions
23//!
24//! - **DyoloPassport** — long-lived agent identity with cryptographically
25//!   enforced capability bounds. Issue once, delegate scoped sub-certs per task.
26//!   The chain of custody is irrefutable from human principal to executing agent.
27//!
28//! - **NarrowingMatrix** — a 256-bit O(1) capability bitmask enforcing strict
29//!   subset delegation at both issuance and guard time. No external registry, no
30//!   network call, no configuration at verification time. Pure bitwise arithmetic.
31//!
32//! - **CapabilityRegistry** — collision-free explicit name-to-bit registry for
33//!   deployments with more than ~100 distinct capability names.
34//!
35//! - **ProvableReceipt** — an extended authorization receipt carrying the passport
36//!   namespace and a Blake3 commitment over the enforced capability mask, enabling
37//!   post-hoc audit without retaining any secrets.
38//!
39//! - **W3C DID + Verifiable Credentials** (`did` feature) — every DyoloPassport
40//!   holder gets a permanent `did:a1:` identifier. Issue portable VCs for
41//!   capabilities and receipts that verify offline on any platform.
42//!
43//! - **ZK chain commitments** (`zk` feature) — compact, O(1)-verifiable
44//!   commitments to full delegation chains. Upgrade path to full zkVM proofs
45//!   (RISC Zero, Jolt, SP1) without changing consumer code.
46//!
47//! - **Post-quantum hybrid signatures** — `HybridMlDsa44Ed25519` and
48//!   `HybridMlDsa65Ed25519` wire formats. Classical Ed25519 by default; full ML-DSA
49//!   verification requires the `post-quantum` feature flag, which `full` does not enable.
50//!
51//! - **VaultSigner backends** — AWS KMS, GCP Cloud KMS, HashiCorp Vault Transit,
52//!   and Azure Key Vault signing. Root key material never touches application
53//!   memory at issuance time. Zero KMS calls at verification time.
54//!
55//! - **SIEM exporters** — Datadog Logs, Splunk HEC, OpenTelemetry OTLP, and
56//!   NDJSON file exporters. Fan-out via `CompositeExporter`.
57//!
58//! - **Framework integrations** — LangChain, LangGraph, LlamaIndex, AutoGen v0.4,
59//!   CrewAI, Semantic Kernel, and OpenAI Agents SDK.
60//!
61//! ## Feature flags
62//!
63//! | Flag            | Description                                                             |
64//! |-----------------|-------------------------------------------------------------------------|
65//! | `serde`         | Serialization for all core types. Required for most integrations.       |
66//! | `async`         | `AsyncNonceStore`, `AsyncRevocationStore`, `AsyncA1Context`.            |
67//! | `wire`          | `SignedChain`, `VerifiedToken`, `CertExtensions` (requires `serde`).    |
68//! | `did`           | W3C DID Documents and Verifiable Credentials (requires `wire`).         |
69//! | `zk`            | `ZkChainCommitment` — compact chain attestation with zkVM upgrade path. |
70//! | `anchor`        | `AnchoredReceipt` — on-chain provenance for Ethereum, Polygon, Base, Solana. |
71//! | `negotiate`     | Agent-to-agent delegation negotiation protocol (AIP).                   |
72//! | `tracing`       | Structured `tracing` spans during authorization.                        |
73//! | `ffi`           | C ABI for Python, Go, Java, and Node.js (requires `wire`).              |
74//! | `policy-yaml`   | Parse delegation policies from YAML files.                              |
75//! | `post-quantum`  | Activate ML-DSA signature verification (hybrid certs, requires `wire`). |
76//! | `schema`        | JSON Schema export for `SignedChain`.                                   |
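77//! | `full`          | All of the above except `ffi` and `post-quantum`.                       |
//!
//! The `swarm` and `governance` features also gate modules in this crate (see the
//! `cfg` attributes below) but are not listed in this table; whether `full` enables
//! them is not stated here.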
78
// Crate-wide ban on `unsafe`. This is `deny`, not `forbid`, so an inner
// `#[allow(unsafe_code)]` can still override it (the `ffi` module below does).
// When auditing, search the submodules for further `allow(unsafe_code)` attributes;
// this file alone does not show whether any exist.
79#![deny(unsafe_code)]
80
81mod crypto;
82
83pub mod audit;
84pub mod cert;
85pub mod chain;
86pub mod context;
87pub mod error;
88pub mod hybrid;
89pub mod identity;
90pub mod intent;
91pub mod passport;
92pub mod policy;
93pub mod provenance;
94pub mod registry;
95
96#[cfg(feature = "wire")]
97#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
98pub mod cert_extensions;
99
100#[cfg(feature = "wire")]
101#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
102pub mod wire;
103
104#[cfg(feature = "did")]
105#[cfg_attr(docsrs, doc(cfg(feature = "did")))]
106pub mod did;
107
108#[cfg(feature = "zk")]
109#[cfg_attr(docsrs, doc(cfg(feature = "zk")))]
110pub mod zk;
111
112#[cfg(feature = "anchor")]
113#[cfg_attr(docsrs, doc(cfg(feature = "anchor")))]
114pub mod anchor;
115
116#[cfg(feature = "negotiate")]
117#[cfg_attr(docsrs, doc(cfg(feature = "negotiate")))]
118pub mod negotiate;
119
120#[cfg(feature = "swarm")]
121#[cfg_attr(docsrs, doc(cfg(feature = "swarm")))]
122pub mod swarm;
123
124#[cfg(feature = "governance")]
125#[cfg_attr(docsrs, doc(cfg(feature = "governance")))]
126pub mod governance;
127
// The only opt-out from the crate-level `#![deny(unsafe_code)]` visible in this file.
// The module is compiled only with the `ffi` feature (the C ABI bindings), so builds
// without that feature do not include this unsafe surface.
// NOTE(review): presumably the C ABI boundary is why `unsafe` is needed here; confirm in `ffi`.
128#[cfg(feature = "ffi")]
129#[cfg_attr(docsrs, doc(cfg(feature = "ffi")))]
130#[allow(unsafe_code)]
131pub mod ffi;
132
133pub use audit::{
134    AuditEvent, AuditOutcome, AuditSink, CompositeAuditSink, LogAuditSink, NoopAuditSink,
135};
136pub use cert::{CertBuilder, CertBundle, DelegationCert, CERT_VERSION};
137pub use chain::{
138    AuthorizedAction, BatchAuthorizeResult, Clock, DyoloChain, SystemClock, VerificationReceipt,
139};
140pub use context::A1Context;
141pub use error::{A1Error, A1StorageError, StorageErrorKind};
142pub use hybrid::{
143    negotiate_algorithm, ChainAlgorithmCompatibility, ClassicalHybridAdapter, HybridPublicKey,
144    HybridSignature, HybridSigner, SignatureAlgorithm,
145};
146pub use identity::narrowing::{CapabilityRegistry, NarrowingMatrix};
147pub use identity::receipt::ProvableReceipt;
148pub use identity::{DyoloIdentity, SharedIdentity, Signer};
149#[allow(deprecated)]
150pub use intent::{
151    intent_hash, Intent, IntentHash, IntentTree, MerkleProof, SiblingNode, SubScopeProof,
152};
153pub use passport::DyoloPassport;
154pub use policy::{CapabilitySet, DelegationPolicy, PolicySet};
155pub use provenance::{
156    ProvenanceRoot, ProvenanceStepProof, ReasoningStep, ReasoningStepKind, ReasoningTrace,
157};
158pub use registry::{
159    fresh_nonce, MemoryNonceStore, MemoryRateLimitStore, MemoryRevocationStore, NonceStore,
160    RateLimitStore, RevocationStore,
161};
162
163#[cfg(feature = "wire")]
164#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
165pub use cert_extensions::{CertExtensions, ExtValue};
166
167#[cfg(feature = "did")]
168#[cfg_attr(docsrs, doc(cfg(feature = "did")))]
169pub use did::{
170    AgentDid, CredentialSubject, DidDocument, VcProof, VerifiableCredential, VerificationMethod,
171};
172
173#[cfg(feature = "zk")]
174#[cfg_attr(docsrs, doc(cfg(feature = "zk")))]
175pub use zk::{anchor_hash, ZkChainCommitment, ZkProofMode, ZkTraceProof};
176
177#[cfg(feature = "anchor")]
178#[cfg_attr(docsrs, doc(cfg(feature = "anchor")))]
179pub use anchor::{AnchorNetwork, AnchoredReceipt};
180
181#[cfg(feature = "negotiate")]
182#[cfg_attr(docsrs, doc(cfg(feature = "negotiate")))]
183pub use negotiate::{CapabilityRequest, DelegationAcceptance, DelegationOffer, NegotiationResult};
184
185#[cfg(feature = "swarm")]
186#[cfg_attr(docsrs, doc(cfg(feature = "swarm")))]
187pub use swarm::{SwarmMember, SwarmPassport, SwarmRole};
188
189#[cfg(feature = "governance")]
190#[cfg_attr(docsrs, doc(cfg(feature = "governance")))]
191pub use governance::{
192    ApprovalGate, ApprovalToken, AuditReport, GovernancePolicy, KeyRotationPolicy,
193};
194
195#[cfg(feature = "async")]
196#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
197pub use context::AsyncA1Context;
198
199#[cfg(feature = "async")]
200#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
201pub use registry::r#async::{
202    AsyncNonceStore, AsyncRateLimitStore, AsyncRevocationStore, SyncNonceAdapter,
203    SyncRevocationAdapter,
204};
205
206#[cfg(feature = "async")]
207#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
208pub use audit::r#async::{AsyncAuditSink, SyncAuditAdapter};
209
210#[cfg(feature = "async")]
211#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
212pub use identity::AsyncSigner;