Expand description
§Hessra Capability Engine
Convenience crate that re-exports the Hessra capability engine with the default CList policy backend.
For custom policy backends, depend on hessra-cap-engine directly.
§Quick Start
use hessra_cap::{CapabilityEngine, CListPolicy, ObjectId, Operation, SessionConfig};
// Load policy from TOML
let policy = CListPolicy::from_toml(r#"
[[objects]]
id = "agent:my-agent"
capabilities = [
{ target = "tool:web-search", operations = ["invoke"] },
]
"#).expect("Failed to parse policy");
// Create engine with generated keys (local mode)
let engine = CapabilityEngine::with_generated_keys(policy);
// Mint a context for the agent session
let context = engine.mint_context(
&ObjectId::new("agent:my-agent"),
SessionConfig::default(),
).expect("Failed to mint context");
// Mint a capability token
let result = engine.mint_capability(
&ObjectId::new("agent:my-agent"),
&ObjectId::new("tool:web-search"),
&Operation::new("invoke"),
Some(&context),
).expect("Failed to mint capability");
// Verify the capability token
engine.verify_capability(
&result.token,
&ObjectId::new("tool:web-search"),
&Operation::new("invoke"),
).expect("Verification failed");Modules§
- context
- Context token wrapper for the capability engine.
- engine
- The capability engine: orchestrates policy evaluation, token minting, and verification.
- error
- Error types for the capability engine.
- types
- Core types for the capability engine.
Structs§
- CList
Policy - CList (Capability List) policy backend.
- Capability
Engine - The Hessra Capability Engine.
- Capability
Grant - A capability grant: permission for a subject to perform operations on a target.
- Context
Token - A context token tracking data exposure for an object.
- Designation
- A designation label-value pair for narrowing capability scope.
- Exposure
Label - Exposure label for information flow control.
- Hessra
Context - Builder for creating Hessra context tokens.
- Identity
Config - Configuration for minting identity tokens.
- Mint
Options - Options for customizing capability minting beyond the basic case.
- Mint
Result - Result of minting a capability token.
- Object
Id - Object identifier in the unified namespace.
- Operation
- Operation on a target object.
- Policy
Config - Top-level policy configuration.
- Session
Config - Configuration for context token sessions.
- Token
Time Config - TokenTimeConfig allows control over token creation times and durations This is used to create tokens with custom start times and durations for testing purposes. In the future, this can be enhanced to support variable length tokens, such as long-lived bearer tokens.
Enums§
- Engine
Error - Errors from the capability engine.
- KeyPair
- pair of cryptographic keys used to sign a token’s block
- Policy
Config Error - Errors from policy configuration parsing.
- Policy
Decision - Result of a policy evaluation.
- Public
Key - the public part of a KeyPair
Traits§
- Policy
Backend - Pluggable policy backend trait.