hessra-cap-token 1.1.1

Capability token implementation for Hessra
Documentation
//! # Hessra Capability Token
//!
//! Capability token implementation for the Hessra authorization system.
//!
//! This crate provides functionality for creating, verifying, and attenuating capability
//! tokens (biscuit tokens). Capability tokens follow the principle that presenting the
//! capability IS the authorization -- no subject verification is required by default.
//!
//! ## Key Design
//!
//! The authority block contains:
//! ```datalog
//! right(subject, resource, operation);
//! check if resource($res), operation($op), right($sub, $res, $op);
//! check if time($time), $time < expiration;
//! ```
//!
//! Note: `subject` is NOT checked by default. The `right` fact retains the subject
//! for auditing purposes, but the verifier only needs to provide `resource` and `operation`.
//!
//! ## Optional Subject Verification
//!
//! When stronger guarantees are needed, the verifier can opt into subject checking:
//! ```rust,no_run
//! # use hessra_cap_token::CapabilityVerifier;
//! # use hessra_token_core::KeyPair;
//! # let keypair = KeyPair::new();
//! # let public_key = keypair.public();
//! # let token = String::new();
//! CapabilityVerifier::new(token, public_key, "resource".into(), "read".into())
//!     .with_subject("alice".into())  // optional subject check
//!     .verify();
//! ```

pub(crate) mod attenuate;
pub(crate) mod mint;
mod revocation;
pub(crate) mod verify;

pub use attenuate::CapabilityAmendment;
pub use mint::HessraCapability;
pub use revocation::{
    get_capability_revocation_id, get_capability_revocation_id_from_bytes, latest_revocation_id,
};
pub use verify::{CapabilityVerifier, biscuit_key_from_string};

// Re-export commonly needed types from core
pub use hessra_token_core::{
    Biscuit, KeyPair, PublicKey, RevocationId, TokenError, TokenTimeConfig, decode_token,
    encode_token, get_revocation_ids, parse_token, public_key_from_pem_file,
};