typesec-agent

Agent executor: typestate + capability-based access control in action.

This crate provides the high-level [SecureAgent] API that ties together:

• The typestate machine from typesec-core (unauthenticated → authenticated).
• Runtime policy checking via any [PolicyEngine].
• Typed capability acquisition: the only way to get a Capability<P, R> is through a successful policy check.
• Async task execution: the execute method requires a capability as proof.

Usage Pattern

// 1. Create agent with an engine — starts Unauthenticated.
let agent = SecureAgent::new(Arc::new(rbac_engine));

// 2. Authenticate — type transitions to Authenticated.
let agent = agent.authenticate_unverified(Credentials::new("agent:bot", "token"))?;

// 3. Request a capability — policy checked at runtime, cap minted on success.
let report = Report::new("reports/q1");
let cap: Capability<CanRead, Report> = agent.request_capability(&report).await?;

// 4. Execute — cap is required proof. No cap? Won't compile.
agent.execute(&cap, &report, |r| Box::pin(async move {
    println!("reading: {}", r.id);
    Ok(())
})).await?;