dyolo-kya 2.0.0

Know Your Agent (KYA): cryptographic chain-of-custody for recursive AI delegation with provable scope narrowing, namespace isolation, and enterprise-grade storage health
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

#![doc(
    html_logo_url = "https://raw.githubusercontent.com/dyologician/dyolo-kya/main/docs/assets/logo.png"
)]
#![doc(
    html_favicon_url = "https://raw.githubusercontent.com/dyologician/dyolo-kya/main/docs/assets/favicon.ico"
)]
#![cfg_attr(docsrs, feature(doc_cfg))]
//! # dyolo-kya — Know Your Agent v2.0.0
//!
//! Cryptographic chain-of-custody for recursive AI agent delegation.
//!
//! ## What it solves
//!
//! When one AI agent delegates a task to another, the authorization chain breaks
//! down — a liability called the "Recursive Delegation Gap." This library closes
//! that gap with a native Know Your Agent (KYA) protocol: every action executed
//! by any agent in a delegation tree carries an irrefutable, cryptographically
//! verified chain proving exactly which human authorized it, with enforced scope
//! boundaries that hold offline.
//!
//! ## v2.0.0 additions over v1
//!
//! - **Namespace isolation** — `DyoloChain::with_namespace("tenant-id")` cryptographically
//!   binds a chain to a single tenant. A cert issued for tenant-a cannot authorize
//!   under tenant-b. Hard multi-tenant separation with zero configuration overhead.
//!
//! - **Storage health checks** — `NonceStore::health_check()` and
//!   `RevocationStore::health_check()` propagate to gateway `/healthz` so load
//!   balancers pull degraded instances automatically.
//!
//! - **Rate limiting trait** — `RateLimitStore` + `MemoryRateLimitStore` cap
//!   intent executions per principal per time window. Plug in a Redis or Postgres
//!   backend for distributed enforcement.
//!
//! - **KyaContext builder** — wire all dependencies in three lines:
//!   ```rust,ignore
//!   let ctx = KyaContext::builder().namespace("my-tenant").build();
//!   let action = ctx.authorize(&chain, &agent_pk, &intent, &proof)?;
//!   ```
//!
//! ## Feature flags
//!
//! | Flag          | Description                                                               |
//! |---------------|---------------------------------------------------------------------------|
//! | `serde`       | Serialization for all core types. Required for most integrations.         |
//! | `async`       | `AsyncNonceStore`, `AsyncRevocationStore`, `AsyncKyaContext`.             |
//! | `wire`        | `SignedChain`, `VerifiedToken`, `CertExtensions` (requires `serde`).      |
//! | `tracing`     | Structured `tracing` spans during authorization.                          |
//! | `ffi`         | C ABI for Python, Go, Java, and Node.js (requires `wire`).                |
//! | `policy-yaml` | Parse delegation policies from YAML files.                                |
//! | `schema`      | JSON Schema export for `SignedChain`.                                     |
//! | `full`        | All of the above except `ffi`.                                            |

#![deny(unsafe_code)]

mod crypto;

pub mod audit;
pub mod cert;
pub mod chain;
pub mod context;
pub mod error;
pub mod identity;
pub mod intent;
pub mod policy;
pub mod registry;

#[cfg(feature = "wire")]
#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
pub mod cert_extensions;

#[cfg(feature = "wire")]
#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
pub mod wire;

#[cfg(feature = "ffi")]
#[cfg_attr(docsrs, doc(cfg(feature = "ffi")))]
#[allow(unsafe_code)]
pub mod ffi;

pub use audit::{
    AuditEvent, AuditOutcome, AuditSink, CompositeAuditSink, LogAuditSink, NoopAuditSink,
};
pub use cert::{CertBuilder, CertBundle, DelegationCert, CERT_VERSION};
pub use chain::{
    AuthorizedAction, BatchAuthorizeResult, Clock, DyoloChain, SystemClock, VerificationReceipt,
};
pub use context::KyaContext;
pub use error::{KyaError, KyaStorageError, StorageErrorKind};
pub use identity::{DyoloIdentity, SharedIdentity, Signer};
#[allow(deprecated)]
pub use intent::{
    intent_hash, Intent, IntentHash, IntentTree, MerkleProof, SiblingNode, SubScopeProof,
};
pub use policy::{CapabilitySet, DelegationPolicy, PolicySet};
pub use registry::{
    fresh_nonce, MemoryNonceStore, MemoryRateLimitStore, MemoryRevocationStore, NonceStore,
    RateLimitStore, RevocationStore,
};

#[cfg(feature = "wire")]
#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
pub use cert_extensions::{CertExtensions, ExtValue};

#[cfg(feature = "async")]
#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
pub use context::AsyncKyaContext;

#[cfg(feature = "async")]
#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
pub use registry::r#async::{
    AsyncNonceStore, AsyncRateLimitStore, AsyncRevocationStore, SyncNonceAdapter,
    SyncRevocationAdapter,
};

#[cfg(feature = "async")]
#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
pub use audit::r#async::{AsyncAuditSink, SyncAuditAdapter};

#[cfg(feature = "async")]
#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
pub use identity::AsyncSigner;