Crate okami
Okami — Post-quantum cryptographic identity for AI agents.

This crate provides SPIFFE-based agent identity with hybrid PQC cryptography (Ed25519 + ML-DSA-65), OAuth-style delegation tokens, and tamper-evident audit events. It builds on the [lupine-pqc] PQC library.

§Quick start

use okami::identity::AgentIdentity;
use okami::delegation::{Capability, DelegationToken};
use std::time::Duration;

// Create the orchestrator's identity (holds the signing keys) and the SPIFFE ID of the worker it will delegate to.
let orchestrator = AgentIdentity::new("example.com", "orchestrator").unwrap();
let worker_id = okami::identity::SpiffeId::new("example.com", "worker/1").unwrap();

// Issue a delegation token.
let scopes = vec![Capability::new("read:db").unwrap()];
let token = DelegationToken::issue(
    &orchestrator,
    worker_id,
    scopes.clone(),
    &scopes,
    Duration::from_secs(3600),
    None,
).unwrap();

// Verify the token.
token.verify(None).unwrap();

§Modules

@decision DEC-OKAMI-020
@title Compile-enforced public API documentation coverage
@status accepted
@rationale Once published to crates.io (PR-1, issue #12), every pub symbol becomes a stable contract that downstream code can pin against. Undocumented or under-documented public items are a maintenance liability: they force consumers to read source, and they let API drift slip into releases without anyone noticing. #![deny(missing_docs)] at the crate root makes documentation gaps a compile error rather than a code-review nice-to-have.

The bar (a top-level summary on all pub items; a # Errors section on every Result-returning function; # Examples on flagship types and their primary methods) is enforced partly by the compiler (missing_docs) and partly by cargo test --doc (every example must compile and run). The companion lint #![deny(rustdoc::broken_intra_doc_links)] makes ambiguous or stale doc references a build error too; without it, the only signal would be a cargo doc warning that is easy to overlook.
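What the DEC-OKAMI-020 bar looks like in code, as an added example rather than okami's own source: a module carrying the two lints the decision names, with every pub item documented, a # Errors section on the Result-returning function and a doctest under # Examples. The lints sit on the module instead of the crate root only so the block compiles on its own; Scope, ScopeError, parse_scope and the my_crate name in the doctest are hypothetical and not part of okami's API.

```rust
/// Capability scope parsing, documented to the DEC-OKAMI-020 bar.
/// (Added illustration; `Scope`, `ScopeError` and `parse_scope` are
/// hypothetical items, not okami's API.)
pub mod scope {
    // On a real crate these two lines go at the crate root as the decision
    // says; they are placed on this module so the example stands alone.
    #![deny(missing_docs)]
    #![deny(rustdoc::broken_intra_doc_links)]

    use std::fmt;

    /// A capability scope of the form `action:resource`, for example `read:db`.
    #[derive(Debug, Clone, PartialEq, Eq)]
    pub struct Scope {
        /// The action half, for example `read`.
        pub action: String,
        /// The resource half, for example `db`.
        pub resource: String,
    }

    /// Why a scope string was rejected by [`parse_scope`].
    #[derive(Debug, Clone, PartialEq, Eq)]
    pub enum ScopeError {
        /// The string contained no `:` separator.
        MissingSeparator,
        /// One half was empty or contained a character outside `[a-z0-9_-]`.
        InvalidPart,
    }

    impl fmt::Display for ScopeError {
        fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
            match self {
                ScopeError::MissingSeparator => write!(f, "scope must be `action:resource`"),
                ScopeError::InvalidPart => write!(f, "scope parts must match [a-z0-9_-]+"),
            }
        }
    }

    impl std::error::Error for ScopeError {}

    // Private helper: no doc comment required by `missing_docs`.
    fn is_part(p: &str) -> bool {
        !p.is_empty()
            && p.bytes()
                .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'_' || b == b'-')
    }

    /// Parses an `action:resource` scope string into a [`Scope`].
    ///
    /// # Errors
    ///
    /// Returns [`ScopeError::MissingSeparator`] if `s` has no `:`, and
    /// [`ScopeError::InvalidPart`] if either half is empty or contains a
    /// character outside `[a-z0-9_-]`.
    ///
    /// # Examples
    ///
    /// ~~~
    /// // `my_crate` is a placeholder for the crate that would export this module.
    /// use my_crate::scope::{parse_scope, ScopeError};
    /// assert_eq!(parse_scope("read:db").unwrap().action, "read");
    /// assert_eq!(parse_scope("readdb"), Err(ScopeError::MissingSeparator));
    /// ~~~
    pub fn parse_scope(s: &str) -> Result<Scope, ScopeError> {
        let (action, resource) = s.split_once(':').ok_or(ScopeError::MissingSeparator)?;
        if !is_part(action) || !is_part(resource) {
            return Err(ScopeError::InvalidPart);
        }
        Ok(Scope {
            action: action.to_string(),
            resource: resource.to_string(),
        })
    }
}

fn main() {
    // Constructed inputs: one valid scope, one missing the separator, one
    // with an upper-case action that the part check rejects.
    for s in ["read:db", "readdb", "Read:db"] {
        match scope::parse_scope(s) {
            Ok(sc) => println!("{s}: action={} resource={}", sc.action, sc.resource),
            Err(e) => println!("{s}: rejected ({e})"),
        }
    }
}
```

Deleting any of the doc comments on the pub items makes the module fail to compile under missing_docs; the doctest under # Examples is only exercised by cargo test --doc on a library crate, which is the second half of the enforcement the decision describes.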

Re-exports§

pub use error::Error;
pub use error::Result;

Modules§

audit
Audit events: tamper-evident signed event chain for agent actions.
delegation
Delegation tokens and chains for OAuth-style capability passing between agents.
error
Unified error type for the okami Agent Passport SDK.
identity
Agent identity: SPIFFE IDs, PQC credentials, and key lifecycle.