Skip to main content

dyolo_kya/
lib.rs

1#![doc(
2    html_logo_url = "https://raw.githubusercontent.com/dyologician/dyolo-kya/main/docs/assets/logo.png"
3)]
4#![doc(
5    html_favicon_url = "https://raw.githubusercontent.com/dyologician/dyolo-kya/main/docs/assets/favicon.ico"
6)]
7#![cfg_attr(docsrs, feature(doc_cfg))]
8//! # dyolo-kya — Know Your Agent v2.0.0
9//!
10//! Cryptographic chain-of-custody for recursive AI agent delegation.
11//!
12//! ## What it solves
13//!
14//! When one AI agent delegates a task to another, the authorization chain breaks
15//! down — a liability called the "Recursive Delegation Gap." This library closes
16//! that gap with a native Know Your Agent (KYA) protocol: every action executed
17//! by any agent in a delegation tree carries an irrefutable, cryptographically
18//! verified chain proving exactly which human authorized it, with enforced scope
19//! boundaries that hold offline.
20//!
21//! ## v2.0.0 additions over v1
22//!
23//! - **Namespace isolation** — `DyoloChain::with_namespace("tenant-id")` cryptographically
24//!   binds a chain to a single tenant. A cert issued for tenant-a cannot authorize
25//!   under tenant-b. Hard multi-tenant separation with zero configuration overhead.
26//!
27//! - **Storage health checks** — `NonceStore::health_check()` and
28//!   `RevocationStore::health_check()` propagate to gateway `/healthz` so load
29//!   balancers pull degraded instances automatically.
30//!
31//! - **Rate limiting trait** — `RateLimitStore` + `MemoryRateLimitStore` cap
32//!   intent executions per principal per time window. Plug in a Redis or Postgres
33//!   backend for distributed enforcement.
34//!
35//! - **KyaContext builder** — wire all dependencies in three lines:
36//!   ```rust,ignore
37//!   let ctx = KyaContext::builder().namespace("my-tenant").build();
38//!   let action = ctx.authorize(&chain, &agent_pk, &intent, &proof)?;
39//!   ```
40//!
41//! ## Feature flags
42//!
43//! | Flag          | Description                                                               |
44//! |---------------|---------------------------------------------------------------------------|
45//! | `serde`       | Serialization for all core types. Required for most integrations.         |
46//! | `async`       | `AsyncNonceStore`, `AsyncRevocationStore`, `AsyncKyaContext`.             |
47//! | `wire`        | `SignedChain`, `VerifiedToken`, `CertExtensions` (requires `serde`).      |
48//! | `tracing`     | Structured `tracing` spans during authorization.                          |
49//! | `ffi`         | C ABI for Python, Go, Java, and Node.js (requires `wire`).                |
50//! | `policy-yaml` | Parse delegation policies from YAML files.                                |
51//! | `schema`      | JSON Schema export for `SignedChain`.                                     |
52//! | `full`        | All of the above except `ffi`.                                            |
53
54#![deny(unsafe_code)]
55
56mod crypto;
57
58pub mod audit;
59pub mod cert;
60pub mod chain;
61pub mod context;
62pub mod error;
63pub mod identity;
64pub mod intent;
65pub mod policy;
66pub mod registry;
67
68#[cfg(feature = "wire")]
69#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
70pub mod cert_extensions;
71
72#[cfg(feature = "wire")]
73#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
74pub mod wire;
75
76#[cfg(feature = "ffi")]
77#[cfg_attr(docsrs, doc(cfg(feature = "ffi")))]
78#[allow(unsafe_code)]
79pub mod ffi;
80
81pub use audit::{
82    AuditEvent, AuditOutcome, AuditSink, CompositeAuditSink, LogAuditSink, NoopAuditSink,
83};
84pub use cert::{CertBuilder, CertBundle, DelegationCert, CERT_VERSION};
85pub use chain::{
86    AuthorizedAction, BatchAuthorizeResult, Clock, DyoloChain, SystemClock, VerificationReceipt,
87};
88pub use context::KyaContext;
89pub use error::{KyaError, KyaStorageError, StorageErrorKind};
90pub use identity::{DyoloIdentity, SharedIdentity, Signer};
91#[allow(deprecated)]
92pub use intent::{
93    intent_hash, Intent, IntentHash, IntentTree, MerkleProof, SiblingNode, SubScopeProof,
94};
95pub use policy::{CapabilitySet, DelegationPolicy, PolicySet};
96pub use registry::{
97    fresh_nonce, MemoryNonceStore, MemoryRateLimitStore, MemoryRevocationStore, NonceStore,
98    RateLimitStore, RevocationStore,
99};
100
101#[cfg(feature = "wire")]
102#[cfg_attr(docsrs, doc(cfg(feature = "wire")))]
103pub use cert_extensions::{CertExtensions, ExtValue};
104
105#[cfg(feature = "async")]
106#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
107pub use context::AsyncKyaContext;
108
109#[cfg(feature = "async")]
110#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
111pub use registry::r#async::{
112    AsyncNonceStore, AsyncRateLimitStore, AsyncRevocationStore, SyncNonceAdapter,
113    SyncRevocationAdapter,
114};
115
116#[cfg(feature = "async")]
117#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
118pub use audit::r#async::{AsyncAuditSink, SyncAuditAdapter};
119
120#[cfg(feature = "async")]
121#[cfg_attr(docsrs, doc(cfg(feature = "async")))]
122pub use identity::AsyncSigner;