Module security 

Claim-based RBAC authority resolution.

Every message entry point calls into this module to derive the sender’s effective InputAuthority from all authentication layers.

Algorithm

effective = min(max(positive_grants…), min(negative_ceilings…))

Positive grants OR across layers (any layer can grant authority). Negative ceilings AND across layers (strictest restriction wins).

Structs

ChannelContext

Inputs describing what a channel adapter knows about the sender.

Functions

resolve_a2a_claim

Resolve a SecurityClaim for an A2A (agent-to-agent) session.

resolve_api_claim

Resolve a SecurityClaim for an HTTP API or WebSocket request.

resolve_channel_claim

Resolve a SecurityClaim for a channel-originated message.