styrene_rbac/lib.rs
1//! Role-based access control for the Styrene mesh.
2//!
3//! Provides a hierarchical role model with fine-grained capabilities,
4//! roster-based identity binding, and policy evaluation. Shared by
5//! `styrened` (device-level RBAC) and `aether` (agent-to-agent RBAC).
6//!
7//! # Design
8//!
9//! - **Roles** are cumulative: each tier inherits all capabilities from
10//! tiers below it (PEER ⊂ MONITOR ⊂ OPERATOR ⊂ ADMIN).
11//! - **Capabilities** are dot-separated strings (`chat.send`, `rpc.exec`).
12//! - **Orthogonal grants** (e.g. `vpn.handshake`) sit outside the hierarchy:
13//! no role inherits them, so each must be assigned explicitly, whatever the role.
14//! - **Policy evaluation** is pure — no I/O, no side effects. It takes a roster
15//! and an identity hash and returns an allow or deny decision.
16//!
17//! # Features
18//!
19//! - `config` — enables serde deserialization from YAML/TOML/JSON config.
20
21mod capability;
22mod policy;
23mod role;
24pub mod signed;
25mod warning;
26
27pub use capability::{Capability, ADMIN_CAPS, MONITOR_CAPS, OPERATOR_CAPS, PEER_CAPS};
28pub use policy::{RbacPolicy, RosterEntry, MIN_BLOCKED_PREFIX_LEN};
29pub use role::Role;
30pub use signed::{SignedRosterEntry, TrustedHub};
31pub use warning::PolicyWarning;