
Commit 8a1986c

frrist and claude committed
feat(capabilities/access): add access/grant binding
Mirrors the go-libstoracha access.Grant shape with UCAN 1.0 framing:

- Arguments carry an Attenuations list (capabilities the agent wishes to be granted) and an optional Cause CID. cid.Undef on Cause means no cause.
- OK aliases ClaimOK — a successful grant resolves into a bundle of delegation CIDs. Delegation envelopes themselves ride in the receipt response container as metadata, following the libforge pattern used by /access/claim and /access/confirm.
- Stable receipt failure names match the go-libstoracha originals so existing callers can keep their error matching.

This unblocks piri-signing-service's UCAN 1.0 migration: that service gates all /pdp/sign/* abilities behind an /access/grant delegation and needs a libforge binding to switch off go-libstoracha.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 2f71f7c commit 8a1986c

5 files changed

Lines changed: 419 additions & 0 deletions


capabilities/access/cbor_gen.go

Lines changed: 185 additions & 0 deletions
Some generated files are not rendered by default.

capabilities/access/gen/main.go

Lines changed: 1 addition & 0 deletions
@@ -30,6 +30,7 @@ func main() {
3030
access.ClaimOK{},
3131
access.ConfirmArguments{},
3232
access.DelegateArguments{},
33+
access.GrantArguments{},
3334
}
3435
const (
3536
cborFile = "../cbor_gen.go"
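
Review bot: The new `access.GrantArguments{}` entry in the generator list depends on `GrantArguments` being declared in a file that is still compiled when the generator is built, and that declaration is not among the rendered hunks. grant.go carries `//go:build !codegen` and only references `*GrantArguments`, so if the struct were declared there, or in another file excluded under that tag, this list would not compile in a codegen build. Please confirm where the type is declared. A short comment here noting that `GrantOK` needs no entry of its own because it aliases `ClaimOK`, which is already registered above, would also save the next reader a lookup.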

capabilities/access/grant.go

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
//go:build !codegen
2+
3+
package access
4+
5+
import (
6+
"github.com/fil-forge/libforge/capabilities"
7+
"github.com/fil-forge/ucantone/errors"
8+
)
9+
10+
const GrantCommand = "/access/grant"
11+
12+
// GrantOK mirrors ClaimOK / ConfirmOK: a successful grant resolves into a
13+
// bundle of delegation CIDs. The actual delegation envelopes ride in the
14+
// receipt response container as metadata.
15+
type GrantOK = ClaimOK
16+
17+
// Grant can be invoked by an agent to request that a set of capabilities be
18+
// granted directly. Unlike Request -> Confirm, Grant is one-shot: the
19+
// executor decides immediately whether to issue the delegation.
20+
var Grant = capabilities.MustNew[*GrantArguments](GrantCommand)
21+
22+
const (
23+
UnknownAbilityErrorName = "UnknownAbility"
24+
MissingCapabilityErrorName = "MissingCapability"
25+
UnknownCauseErrorName = "UnknownCause"
26+
MissingCauseErrorName = "MissingCause"
27+
InvalidCauseErrorName = "InvalidCause"
28+
UnauthorizedCauseErrorName = "UnauthorizedCause"
29+
)
30+
31+
var (
32+
ErrMissingCapability = errors.New(MissingCapabilityErrorName, "grant requires one or more capabilities")
33+
ErrMissingCause = errors.New(MissingCauseErrorName, "grant requires a supporting contextual invocation")
34+
ErrUnknownCause = errors.New(UnknownCauseErrorName, "unknown cause invocation")
35+
)
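
Review bot: The const block declares six failure names, but the var block at the end of the file provides sentinel errors for only three of them (`ErrMissingCapability`, `ErrMissingCause`, `ErrUnknownCause`); `UnknownAbility`, `InvalidCause` and `UnauthorizedCause` have no matching `Err...` value. These names exist so callers can match on failures from an authorization path, so either add the three missing sentinels or add a comment stating that those errors are built at the call site. The exported constants and vars also have no doc comments. A line on each cause-related name saying when it is returned would help, since the commit message describes Cause as optional while the `ErrMissingCause` text says a grant requires a supporting invocation.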
