astrid-capabilities 0.1.1

Capability token system for Astrid secure agent runtime
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

# astrid-capabilities

Cryptographically signed authorization tokens for the Astrid secure agent runtime.

## Overview

This crate provides capability-based authorization using ed25519-signed tokens. Every token is cryptographically linked to the approval audit entry that created it, ensuring a verifiable chain of authorization.

## Features

- **Capability Tokens** - Ed25519-signed authorization tokens with audit linkage
- **Resource Patterns** - Glob-based matching for flexible resource scoping
- **Token Storage** - Session (in-memory) and persistent (SurrealDB) storage backends
- **Validation** - Token signature verification and authorization checking
- **Time Bounds** - Optional expiration for time-limited capabilities

## Security Model

Every capability token is:
- Signed by the runtime's ed25519 key
- Linked to the approval audit entry that created it
- Time-bounded (optional expiration)
- Scoped (session or persistent)

## Usage

```rust
use astrid_capabilities::{
    CapabilityToken, CapabilityStore, ResourcePattern, TokenScope, AuditEntryId,
};
use astrid_core::Permission;
use astrid_crypto::KeyPair;

// Create a capability store
let store = CapabilityStore::in_memory();

// Runtime key for signing
let runtime_key = KeyPair::generate();

// Create a capability token
let token = CapabilityToken::create(
    ResourcePattern::new("mcp://filesystem:*").unwrap(),
    vec![Permission::Invoke],
    TokenScope::Session,
    runtime_key.key_id(),
    AuditEntryId::new(),
    &runtime_key,
    None,
);

// Add to store
store.add(token).unwrap();

// Check capability
assert!(store.has_capability("mcp://filesystem:read_file", Permission::Invoke));
```

## Key Types

| Type | Description |
|------|-------------|
| `CapabilityToken` | Signed authorization token with scope and permissions |
| `CapabilityStore` | Storage backend for session and persistent tokens |
| `ResourcePattern` | Glob pattern for matching resource URIs |
| `TokenScope` | Session (memory) or Persistent (SurrealDB) scope |
| `CapabilityValidator` | Token validation and authorization checking |

## License

This crate is licensed under the MIT license.