Expand description
Pure capability-card verification primitives, shared by the CLI
(treeship verify-capability) and the WASM verifier (browser receipt
viewer) so both agree by construction. No I/O: callers supply the parsed
card, the action statements, and the trust roots.
See docs/specs/agent-capability-cards.md. The honest contract holds here too: this checks consistency over captured evidence (the actions the caller passes in), never completeness.
Functions§
- action_
in_ scope - Is an action within a declared capability set? The action label is
authoritative;
meta.toolcounts only when the label is a generic dispatch placeholder (see [scope_candidates]). - commit_
tools - Commit a tool set for selective disclosure. Returns the sorted
tools_sddigests (which go into the signed card) and the encoded disclosure strings (which the holder stores and reveals selectively). Order oftoolsdoes not affecttools_sd(it is sorted), so the digest list never leaks the set’s authoring order. - committed_
tool_ digests - Read the signed
capabilities.tools_sddigest list from a card payload. - declared_
tools - Extract the declared
capabilities.toolsfrom an agent_card.v1 payload. - disclose_
capabilities - Transform a full capability card payload into a disclosed one: replace
capabilities.tools(the raw list) withcapabilities.tools_sd(the salted digests), and return the disclosures for exactly the tools inreveal. - disclosed_
tools - Reconstruct the revealed tools from presented disclosures, checked against
the signed
tools_sddigest set. Only disclosures whose digest is in the set and whose value istruecount; a tampered, foreign, or malformed disclosure contributes nothing (fail-closed). The result is exactly the subset the holder chose to reveal – for a full presentation, every disclosure; for a selective one, fewer. - is_
key_ bound - A card is key-bound only when its
keyidis the envelope signer AND that key is pinned underAgentCert. Anything else is self-asserted. - matched_
capability - The first declared capability an action matches, if any. Same matching as
action_in_scope, but returns which capability matched, so callers can grade each declared capability by whether captured receipts exercise it. - reconstruct_
capabilities - Reconstruct the revealed capabilities from a disclosed card payload and the
disclosures presented with it. Returns exactly the tools whose disclosure
opens a digest in the signed
capabilities.tools_sd; a tampered or foreign disclosure contributes nothing. This is the verify side ofdisclose_capabilities. - tool_
matches family.*matchesfamily.write; otherwise an exact match. A bare*matches anything.