typesec-core 0.2.0

Core trait library for type-level security enforcement

typesec-core

Foundational trait library for type-level security enforcement.

The Core Idea

Security policies encoded in types are enforced by the compiler, not by conditional checks at runtime. If an agent type doesn't carry the trait bound HasCapability<CanWrite, Report>, the method simply doesn't exist in its API. There is no path to a runtime permission error — the program won't compile.

This is fundamentally different from guard-based approaches:

// Guard-based (runtime check — can be forgotten, bypassed, skipped):
if acl.check(user, "write", resource) {
    resource.write(data);
}

// Type-level (compile-time check — impossible to bypass).
// R is the resource type the capability covers, so a capability on one
// resource cannot be presented for another.
fn write<P: HasPermission<CanWrite>, R>(agent: &Agent<P>, cap: Capability<CanWrite, R>) {
    // cap's existence IS the proof. No check needed.
}

Key Abstractions

  • [Permission] — zero-sized marker trait; each permission is a distinct type.
  • [Capability] — unforgeable proof token: Capability<P, R> proves the bearer holds permission P on resource R. The phantom types make Capability<CanRead, Report> and Capability<CanWrite, Report> different types.
  • [SecureValue] — an opaque labeled value that supports safe transformations while requiring typed authority to reveal or declassify protected data.
  • [Agent] — typestate machine: Agent<Unauthenticated> → Agent<Authenticated>. Authenticated methods are literally absent on the unauthenticated state.
  • [PolicyEngine] — the runtime bridge: dynamic policies (RBAC, ODRL) evaluated once, their result minted into an unforgeable [Capability].
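The following is an added illustration of how these pieces fit together, not the crate's own code: the marker names CanRead, CanWrite and Report are taken from the text above, while the Agent fields, the role-based policy in request_write and the write_report function are assumptions made for the example.

```rust
use std::marker::PhantomData;

// Permissions as zero-sized marker types (names assumed here, not the crate's own API).
pub trait Permission {}
pub struct CanRead;
pub struct CanWrite;
impl Permission for CanRead {}
impl Permission for CanWrite {}

// Resource marker; the report being protected.
pub struct Report;

// Proof token. The field is private, so code outside this module cannot forge one;
// the phantom pair makes Capability<CanRead, Report> and Capability<CanWrite, Report>
// distinct types, so a read token cannot be passed where a write token is required.
pub struct Capability<P: Permission, R>(PhantomData<(P, R)>);

// Typestate agent: login consumes Agent<Unauthenticated> and returns Agent<Authenticated>.
pub struct Unauthenticated;
pub struct Authenticated { roles: Vec<&'static str> }
pub struct Agent<S> { name: String, state: S }

impl Agent<Unauthenticated> {
    pub fn new(name: &str) -> Self {
        Agent { name: name.to_string(), state: Unauthenticated }
    }
    // Constructed stand-in for a real credential check: the caller supplies roles.
    pub fn login(self, roles: Vec<&'static str>) -> Agent<Authenticated> {
        Agent { name: self.name, state: Authenticated { roles } }
    }
}

// Runtime bridge (a toy RBAC policy): the role check runs once, and a passing
// result is minted into a token. Only Agent<Authenticated> can even ask.
pub fn request_write(agent: &Agent<Authenticated>) -> Option<Capability<CanWrite, Report>> {
    if agent.state.roles.contains(&"editor") { Some(Capability(PhantomData)) } else { None }
}

// The token's existence is the proof: no permission check appears in the body,
// and there is no "denied" branch to forget.
pub fn write_report(agent: &Agent<Authenticated>, _cap: &Capability<CanWrite, Report>, body: &str) -> String {
    format!("{} wrote: {}", agent.name, body)
}
```

A call such as `write_report(&Agent::new("x"), ...)` does not compile, because `Agent<Unauthenticated>` is a different type from `Agent<Authenticated>`; the only way to obtain a `Capability<CanWrite, Report>` is through `request_write`.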