Skip to main content

Module capability

Module capability 

Source
Expand description

Pure capability-card verification primitives, shared by the CLI (treeship verify-capability) and the WASM verifier (browser receipt viewer) so both agree by construction. No I/O: callers supply the parsed card, the action statements, and the trust roots.

See docs/specs/agent-capability-cards.md. The honest contract holds here too: this checks consistency over captured evidence (the actions the caller passes in), never completeness.

Functions§

action_in_scope
Is an action within a declared capability set? The action label is authoritative; meta.tool counts only when the label is a generic dispatch placeholder (see [scope_candidates]).
commit_tools
Commit a tool set for selective disclosure. Returns the sorted tools_sd digests (which go into the signed card) and the encoded disclosure strings (which the holder stores and reveals selectively). Order of tools does not affect tools_sd (it is sorted), so the digest list never leaks the set’s authoring order.
committed_tool_digests
Read the signed capabilities.tools_sd digest list from a card payload.
declared_tools
Extract the declared capabilities.tools from an agent_card.v1 payload.
disclose_capabilities
Transform a full capability card payload into a disclosed one: replace capabilities.tools (the raw list) with capabilities.tools_sd (the salted digests), and return the disclosures for exactly the tools in reveal.
disclosed_tools
Reconstruct the revealed tools from presented disclosures, checked against the signed tools_sd digest set. Only disclosures whose digest is in the set and whose value is true count; a tampered, foreign, or malformed disclosure contributes nothing (fail-closed). The result is exactly the subset the holder chose to reveal – for a full presentation, every disclosure; for a selective one, fewer.
is_key_bound
A card is key-bound only when its keyid is the envelope signer AND that key is pinned under AgentCert. Anything else is self-asserted.
matched_capability
The first declared capability an action matches, if any. Same matching as action_in_scope, but returns which capability matched, so callers can grade each declared capability by whether captured receipts exercise it.
reconstruct_capabilities
Reconstruct the revealed capabilities from a disclosed card payload and the disclosures presented with it. Returns exactly the tools whose disclosure opens a digest in the signed capabilities.tools_sd; a tampered or foreign disclosure contributes nothing. This is the verify side of disclose_capabilities.
tool_matches
family.* matches family.write; otherwise an exact match. A bare * matches anything.