styrene-rbac 0.1.0

Role-based access control for the Styrene mesh — shared by styrened and aether
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340

//! Capability strings and per-tier capability sets.
//!
//! Capabilities are dot-separated strings (`chat.send`, `rpc.exec`).
//! Each role tier has a cumulative set — higher tiers inherit all
//! capabilities from tiers below.

/// Capability string constants.
///
/// Organized by the minimum tier required to hold each capability.
/// Orthogonal capabilities (`vpn.handshake`, `relay.reject`) are not
/// included in any tier and require explicit grants.
pub struct Capability;

impl Capability {
    // ── Peer (10) ──────────────────────────────────────────────
    pub const CHAT_SEND: &str = "chat.send";
    pub const CHAT_RECEIVE: &str = "chat.receive";
    pub const PAGE_BROWSE: &str = "page.browse";
    pub const RPC_PING: &str = "rpc.ping";
    pub const RPC_STATUS: &str = "rpc.status";
    pub const DATALINK_PING: &str = "datalink.ping";
    pub const DATALINK_META: &str = "datalink.meta";
    pub const DATALINK_INFO: &str = "datalink.info";
    pub const DATALINK_STATUS: &str = "datalink.status";
    pub const RELAY_REQUEST: &str = "relay.request";
    pub const RELAY_LIST: &str = "relay.list";
    pub const RELAY_TEARDOWN: &str = "relay.teardown";
    pub const RELAY_ACCEPT: &str = "relay.accept";

    // ── Monitor (20) ──────────────────────────────────────────
    pub const RPC_INBOX_READ: &str = "rpc.inbox_read";
    pub const WEB_READ: &str = "web.read";
    pub const DATALINK_ESTABLISH: &str = "datalink.establish";
    pub const DATALINK_SPEEDTEST: &str = "datalink.speedtest";

    // ── Operator (30) ─────────────────────────────────────────
    pub const RPC_CONFIG_UPDATE: &str = "rpc.config_update";
    pub const TERMINAL_RESTRICTED: &str = "terminal.restricted";
    pub const WEB_WRITE: &str = "web.write";
    pub const RELAY_REQUEST_PERMANENT: &str = "relay.request_permanent";
    pub const RELAY_ACCEPT_PERMANENT: &str = "relay.accept_permanent";
    pub const RELAY_PRIORITIZE: &str = "relay.prioritize";
    pub const RELAY_BRIDGE: &str = "relay.bridge";

    // ── Admin (40) ────────────────────────────────────────────
    pub const RPC_EXEC: &str = "rpc.exec";
    pub const RPC_REBOOT: &str = "rpc.reboot";
    pub const RPC_SELF_UPDATE: &str = "rpc.self_update";
    pub const TERMINAL_FULL: &str = "terminal.full";
    pub const ADAPTER_PROVISION: &str = "adapter.provision";
    pub const RELAY_ADMIN: &str = "relay.admin";

    // ── Tunnel (tiered) ─────────────────────────────────────────
    /// View tunnel status and list active tunnels (Peer)
    pub const TUNNEL_STATUS: &str = "tunnel.status";
    /// Initiate or accept tunnel establishment (Operator)
    pub const TUNNEL_ESTABLISH: &str = "tunnel.establish";
    /// Tear down an active tunnel (Operator)
    pub const TUNNEL_TEARDOWN: &str = "tunnel.teardown";

    // ── Orthogonal (explicit grant only) ──────────────────────
    pub const VPN_HANDSHAKE: &str = "vpn.handshake";
    pub const RELAY_REJECT: &str = "relay.reject";
    pub const I2P_PROXY: &str = "i2p.proxy";

    // ── Agent-to-agent (aether) ───────────────────────────────
    pub const AETHER_DELEGATE: &str = "aether.delegate";
    pub const AETHER_QUERY: &str = "aether.query";
    pub const AETHER_REPORT: &str = "aether.report";
}

/// All known capability strings (for validation).
pub const ALL_CAPABILITIES: &[&str] = &[
    // Peer
    Capability::CHAT_SEND,
    Capability::CHAT_RECEIVE,
    Capability::PAGE_BROWSE,
    Capability::RPC_PING,
    Capability::RPC_STATUS,
    Capability::DATALINK_PING,
    Capability::DATALINK_META,
    Capability::DATALINK_INFO,
    Capability::DATALINK_STATUS,
    Capability::RELAY_REQUEST,
    Capability::RELAY_LIST,
    Capability::RELAY_TEARDOWN,
    Capability::RELAY_ACCEPT,
    // Monitor
    Capability::RPC_INBOX_READ,
    Capability::WEB_READ,
    Capability::DATALINK_ESTABLISH,
    Capability::DATALINK_SPEEDTEST,
    // Operator
    Capability::RPC_CONFIG_UPDATE,
    Capability::TERMINAL_RESTRICTED,
    Capability::WEB_WRITE,
    Capability::RELAY_REQUEST_PERMANENT,
    Capability::RELAY_ACCEPT_PERMANENT,
    Capability::RELAY_PRIORITIZE,
    Capability::RELAY_BRIDGE,
    // Admin
    Capability::RPC_EXEC,
    Capability::RPC_REBOOT,
    Capability::RPC_SELF_UPDATE,
    Capability::TERMINAL_FULL,
    Capability::ADAPTER_PROVISION,
    Capability::RELAY_ADMIN,
    // Tunnel
    Capability::TUNNEL_STATUS,
    Capability::TUNNEL_ESTABLISH,
    Capability::TUNNEL_TEARDOWN,
    // Orthogonal
    Capability::VPN_HANDSHAKE,
    Capability::RELAY_REJECT,
    Capability::I2P_PROXY,
    // Aether
    Capability::AETHER_DELEGATE,
    Capability::AETHER_QUERY,
    Capability::AETHER_REPORT,
];

/// Capabilities granted at the Peer tier (cumulative base).
pub const PEER_CAPS: &[&str] = &[
    Capability::CHAT_SEND,
    Capability::CHAT_RECEIVE,
    Capability::PAGE_BROWSE,
    Capability::RPC_PING,
    Capability::RPC_STATUS,
    Capability::DATALINK_PING,
    Capability::DATALINK_META,
    Capability::DATALINK_INFO,
    Capability::DATALINK_STATUS,
    Capability::RELAY_REQUEST,
    Capability::RELAY_LIST,
    Capability::RELAY_TEARDOWN,
    Capability::RELAY_ACCEPT,
    // Tunnel: all peers can view tunnel status
    Capability::TUNNEL_STATUS,
    // Aether: all peers can query and report
    Capability::AETHER_QUERY,
    Capability::AETHER_REPORT,
];

/// Capabilities granted at the Monitor tier (includes Peer).
pub const MONITOR_CAPS: &[&str] = &[
    // Peer
    Capability::CHAT_SEND,
    Capability::CHAT_RECEIVE,
    Capability::PAGE_BROWSE,
    Capability::RPC_PING,
    Capability::RPC_STATUS,
    Capability::DATALINK_PING,
    Capability::DATALINK_META,
    Capability::DATALINK_INFO,
    Capability::DATALINK_STATUS,
    Capability::RELAY_REQUEST,
    Capability::RELAY_LIST,
    Capability::RELAY_TEARDOWN,
    Capability::RELAY_ACCEPT,
    Capability::TUNNEL_STATUS,
    Capability::AETHER_QUERY,
    Capability::AETHER_REPORT,
    // Monitor
    Capability::RPC_INBOX_READ,
    Capability::WEB_READ,
    Capability::DATALINK_ESTABLISH,
    Capability::DATALINK_SPEEDTEST,
];

/// Capabilities granted at the Operator tier (includes Monitor).
pub const OPERATOR_CAPS: &[&str] = &[
    // Peer
    Capability::CHAT_SEND,
    Capability::CHAT_RECEIVE,
    Capability::PAGE_BROWSE,
    Capability::RPC_PING,
    Capability::RPC_STATUS,
    Capability::DATALINK_PING,
    Capability::DATALINK_META,
    Capability::DATALINK_INFO,
    Capability::DATALINK_STATUS,
    Capability::RELAY_REQUEST,
    Capability::RELAY_LIST,
    Capability::RELAY_TEARDOWN,
    Capability::RELAY_ACCEPT,
    Capability::TUNNEL_STATUS,
    Capability::AETHER_QUERY,
    Capability::AETHER_REPORT,
    // Monitor
    Capability::RPC_INBOX_READ,
    Capability::WEB_READ,
    Capability::DATALINK_ESTABLISH,
    Capability::DATALINK_SPEEDTEST,
    // Operator
    Capability::RPC_CONFIG_UPDATE,
    Capability::TERMINAL_RESTRICTED,
    Capability::WEB_WRITE,
    Capability::RELAY_REQUEST_PERMANENT,
    Capability::RELAY_ACCEPT_PERMANENT,
    Capability::RELAY_PRIORITIZE,
    Capability::RELAY_BRIDGE,
    Capability::TUNNEL_ESTABLISH,
    Capability::TUNNEL_TEARDOWN,
    // Operator can delegate
    Capability::AETHER_DELEGATE,
];

/// Capabilities granted at the Admin tier (includes Operator).
/// Note: `vpn.handshake` and `relay.reject` are intentionally excluded —
/// they are orthogonal and require explicit grants.
pub const ADMIN_CAPS: &[&str] = &[
    // Peer
    Capability::CHAT_SEND,
    Capability::CHAT_RECEIVE,
    Capability::PAGE_BROWSE,
    Capability::RPC_PING,
    Capability::RPC_STATUS,
    Capability::DATALINK_PING,
    Capability::DATALINK_META,
    Capability::DATALINK_INFO,
    Capability::DATALINK_STATUS,
    Capability::RELAY_REQUEST,
    Capability::RELAY_LIST,
    Capability::RELAY_TEARDOWN,
    Capability::RELAY_ACCEPT,
    Capability::TUNNEL_STATUS,
    Capability::AETHER_QUERY,
    Capability::AETHER_REPORT,
    // Monitor
    Capability::RPC_INBOX_READ,
    Capability::WEB_READ,
    Capability::DATALINK_ESTABLISH,
    Capability::DATALINK_SPEEDTEST,
    // Operator
    Capability::RPC_CONFIG_UPDATE,
    Capability::TERMINAL_RESTRICTED,
    Capability::WEB_WRITE,
    Capability::RELAY_REQUEST_PERMANENT,
    Capability::RELAY_ACCEPT_PERMANENT,
    Capability::RELAY_PRIORITIZE,
    Capability::RELAY_BRIDGE,
    Capability::TUNNEL_ESTABLISH,
    Capability::TUNNEL_TEARDOWN,
    Capability::AETHER_DELEGATE,
    // Admin
    Capability::RPC_EXEC,
    Capability::RPC_REBOOT,
    Capability::RPC_SELF_UPDATE,
    Capability::TERMINAL_FULL,
    Capability::ADAPTER_PROVISION,
    Capability::RELAY_ADMIN,
];

use crate::Role;

/// Get the capability set for a given role.
pub fn capabilities_for_role(role: Role) -> &'static [&'static str] {
    match role {
        Role::Blocked | Role::None => &[],
        Role::Peer => PEER_CAPS,
        Role::Monitor => MONITOR_CAPS,
        Role::Operator => OPERATOR_CAPS,
        Role::Admin => ADMIN_CAPS,
    }
}

/// Check whether a capability string is a known capability.
pub fn is_valid_capability(cap: &str) -> bool {
    ALL_CAPABILITIES.contains(&cap)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn cumulative_inclusion() {
        // Every peer cap must appear in monitor, operator, and admin sets.
        for cap in PEER_CAPS {
            assert!(MONITOR_CAPS.contains(cap), "monitor missing peer cap: {cap}");
            assert!(OPERATOR_CAPS.contains(cap), "operator missing peer cap: {cap}");
            assert!(ADMIN_CAPS.contains(cap), "admin missing peer cap: {cap}");
        }
        for cap in MONITOR_CAPS {
            assert!(OPERATOR_CAPS.contains(cap), "operator missing monitor cap: {cap}");
            assert!(ADMIN_CAPS.contains(cap), "admin missing monitor cap: {cap}");
        }
        for cap in OPERATOR_CAPS {
            assert!(ADMIN_CAPS.contains(cap), "admin missing operator cap: {cap}");
        }
    }

    #[test]
    fn orthogonal_not_in_admin() {
        assert!(!ADMIN_CAPS.contains(&Capability::VPN_HANDSHAKE));
        assert!(!ADMIN_CAPS.contains(&Capability::RELAY_REJECT));
    }

    #[test]
    fn aether_caps_in_hierarchy() {
        assert!(PEER_CAPS.contains(&Capability::AETHER_QUERY));
        assert!(PEER_CAPS.contains(&Capability::AETHER_REPORT));
        assert!(!PEER_CAPS.contains(&Capability::AETHER_DELEGATE));
        assert!(OPERATOR_CAPS.contains(&Capability::AETHER_DELEGATE));
    }

    #[test]
    fn all_capabilities_contains_everything() {
        for cap in ADMIN_CAPS {
            assert!(ALL_CAPABILITIES.contains(cap), "ALL missing admin cap: {cap}");
        }
        assert!(ALL_CAPABILITIES.contains(&Capability::VPN_HANDSHAKE));
        assert!(ALL_CAPABILITIES.contains(&Capability::RELAY_REJECT));
    }

    #[test]
    fn tunnel_caps_in_hierarchy() {
        // tunnel.status is Peer-level
        assert!(PEER_CAPS.contains(&Capability::TUNNEL_STATUS));
        assert!(MONITOR_CAPS.contains(&Capability::TUNNEL_STATUS));
        assert!(OPERATOR_CAPS.contains(&Capability::TUNNEL_STATUS));
        assert!(ADMIN_CAPS.contains(&Capability::TUNNEL_STATUS));

        // tunnel.establish and tunnel.teardown are Operator-level
        assert!(!PEER_CAPS.contains(&Capability::TUNNEL_ESTABLISH));
        assert!(!MONITOR_CAPS.contains(&Capability::TUNNEL_ESTABLISH));
        assert!(OPERATOR_CAPS.contains(&Capability::TUNNEL_ESTABLISH));
        assert!(ADMIN_CAPS.contains(&Capability::TUNNEL_ESTABLISH));

        assert!(!PEER_CAPS.contains(&Capability::TUNNEL_TEARDOWN));
        assert!(OPERATOR_CAPS.contains(&Capability::TUNNEL_TEARDOWN));
        assert!(ADMIN_CAPS.contains(&Capability::TUNNEL_TEARDOWN));
    }

    #[test]
    fn capabilities_for_blocked_is_empty() {
        assert!(capabilities_for_role(Role::Blocked).is_empty());
        assert!(capabilities_for_role(Role::None).is_empty());
    }
}