Documentation
¶
Overview ¶
Package delegation provides delegation chain management for agent principals. Delegation allows principals to authorize other principals (particularly agents) to act on their behalf with constrained capabilities.
Index ¶
- type ActionValidation
- type Chain
- type Constraints
- type CreateInput
- type DefaultService
- func (s *DefaultService) ComputeEffectiveConstraints(chain *Chain) Constraints
- func (s *DefaultService) CreateDelegation(ctx context.Context, input CreateInput) (*Link, error)
- func (s *DefaultService) GetChain(ctx context.Context, principalID uuid.UUID) (*Chain, error)
- func (s *DefaultService) ListDelegations(ctx context.Context, delegatorID uuid.UUID) ([]*Link, error)
- func (s *DefaultService) RevokeDelegation(ctx context.Context, delegatorID, delegateID uuid.UUID, reason string) error
- func (s *DefaultService) ValidateAction(ctx context.Context, principalID uuid.UUID, action, resource string) (*ActionValidation, error)
- type Link
- type Service
Types ¶
type ActionValidation ¶
// ActionValidation is the outcome of an authorization check; it is the result
// type returned by ValidateAction.
type ActionValidation struct {
// Allowed is serialized as "allowed".
// NOTE(review): presumably the zero value (false) means deny, so a zero-value
// ActionValidation fails closed — confirm.
Allowed bool `json:"allowed"`
// Reason is omitted from JSON when empty.
// NOTE(review): presumably a human-readable explanation of the decision — confirm.
Reason string `json:"reason,omitempty"`
// Confirmation is serialized as "confirmation_required".
// NOTE(review): presumably mirrors Constraints.RequiresConfirmation. Confirm
// whether Allowed == true with Confirmation == true means "permitted only after
// human approval"; a caller that checks Allowed alone would skip that step.
Confirmation bool `json:"confirmation_required"`
}
ActionValidation represents the result of validating an action.
type Chain ¶
// Chain is the full delegation chain from the root principal to the current one.
type Chain struct {
// Links ordered from root (human/service) to current (typically agent)
Links []Link `json:"links"`
// Effective constraints computed by intersecting all links
// NOTE(review): the Constraints field comments say an empty AllowedCapabilities
// or AllowedScopes list means "all of the parent's". Confirm that the
// intersection of two disjoint non-empty lists is not stored here as an empty
// list, which would then read as unrestricted rather than deny-all.
// NOTE(review): this value is part of the JSON form; presumably it should be
// recomputed from Links rather than trusted after deserialization — confirm.
EffectiveConstraints Constraints `json:"effective_constraints"`
}
Chain represents a full delegation chain from root to current principal.
type Constraints ¶
// Constraints describes the limits placed on a delegated principal.
type Constraints struct {
// AllowedCapabilities lists capabilities the delegate can use.
// Empty means all capabilities of the parent are available.
// NOTE(review): this default is permissive — a zero-value Constraints, or JSON
// with the key absent, passes every parent capability through. Callers that
// want least privilege have to list capabilities explicitly.
AllowedCapabilities []string `json:"allowed_capabilities,omitempty"`
// AllowedScopes lists scopes the delegate can request.
// Empty means all scopes of the parent are available.
// NOTE(review): same permissive default as AllowedCapabilities.
AllowedScopes []string `json:"allowed_scopes,omitempty"`
// AllowedResources lists resource patterns the delegate can access.
// Supports glob patterns like "project/*" or "org/123/*"
// NOTE(review): the meaning of an empty list is not stated here (unlike
// capabilities and scopes) — confirm whether it is deny-all or inherit.
// Also confirm whether "*" matches across "/" separators, since that decides
// whether "project/*" covers nested paths.
AllowedResources []string `json:"allowed_resources,omitempty"`
// AllowedActions lists actions the delegate can perform.
// Example: ["read", "write"], ["*"]
// NOTE(review): the meaning of an empty list is not stated here — confirm
// whether it is deny-all or equivalent to ["*"].
AllowedActions []string `json:"allowed_actions,omitempty"`
// MaxTokenLifetime limits token duration for the delegate.
// NOTE(review): a zero duration is omitted from JSON; presumably zero means
// "no additional limit" rather than "no tokens" — confirm.
MaxTokenLifetime time.Duration `json:"max_token_lifetime,omitempty"`
// RequiresConfirmation indicates actions need human approval.
// NOTE(review): presumably sticky across a chain (set on any link => set in
// the effective constraints) — confirm.
RequiresConfirmation bool `json:"requires_confirmation"`
// ExpiresAt is when the delegation expires.
// NOTE(review): nil is omitted from JSON; presumably nil means the delegation
// never expires — confirm, and confirm expiry is enforced at validation time.
ExpiresAt *time.Time `json:"expires_at,omitempty"`
}
Constraints defines what a delegated principal can do.
type CreateInput ¶
// CreateInput carries the fields needed to create a delegation; it is the
// input type of CreateDelegation.
type CreateInput struct {
// DelegatorID is the principal granting the delegation.
// NOTE(review): this struct carries no caller identity; presumably the
// service (or its caller, via ctx) verifies that the authenticated principal
// is DelegatorID before the delegation is recorded — confirm.
DelegatorID uuid.UUID
// DelegateID is the principal receiving the delegation.
DelegateID uuid.UUID
// Constraints on what the delegate can do.
// NOTE(review): per the Constraints field comments, empty capability and
// scope lists mean "all of the parent's", so a zero-value Constraints here
// is the broadest grant, not the narrowest.
Constraints Constraints
// Reason for the delegation (audit).
Reason string
}
CreateInput contains fields for creating a delegation.
type DefaultService ¶
// DefaultService is the package's implementation of the Service interface.
type DefaultService struct {
// contains filtered or unexported fields
}
DefaultService implements the Service interface.
func (*DefaultService) ComputeEffectiveConstraints ¶
func (s *DefaultService) ComputeEffectiveConstraints(chain *Chain) Constraints
ComputeEffectiveConstraints computes the effective constraints by intersecting constraints through the delegation chain.
func (*DefaultService) CreateDelegation ¶
func (s *DefaultService) CreateDelegation(ctx context.Context, input CreateInput) (*Link, error)
CreateDelegation creates a delegation from one principal to another.
func (*DefaultService) ListDelegations ¶
func (s *DefaultService) ListDelegations(ctx context.Context, delegatorID uuid.UUID) ([]*Link, error)
ListDelegations lists all delegations granted by a principal.
func (*DefaultService) RevokeDelegation ¶
func (s *DefaultService) RevokeDelegation(ctx context.Context, delegatorID, delegateID uuid.UUID, reason string) error
RevokeDelegation revokes a delegation.
func (*DefaultService) ValidateAction ¶
func (s *DefaultService) ValidateAction(ctx context.Context, principalID uuid.UUID, action, resource string) (*ActionValidation, error)
ValidateAction checks if a principal can perform an action on a resource.
type Link ¶
// Link is one hop in a delegation chain: a principal together with the
// constraints recorded on that hop.
type Link struct {
// PrincipalID identifies the principal at this position in the chain.
PrincipalID uuid.UUID `json:"principal_id"`
// PrincipalType is the principal's kind, as defined by the principal package.
PrincipalType principal.Type `json:"principal_type"`
// DisplayName is serialized as "display_name".
// NOTE(review): presumably for presentation only; authorization decisions
// should key on PrincipalID, not on this string — confirm.
DisplayName string `json:"display_name"`
// Constraints are the limits attached to this link; Chain.EffectiveConstraints
// is described as the intersection over all links.
Constraints Constraints `json:"constraints"`
// GrantedAt is serialized as "granted_at".
// NOTE(review): presumably the time the delegation was created — confirm.
GrantedAt time.Time `json:"granted_at"`
}
Link represents a single link in a delegation chain.
type Service ¶
// Service is the business-logic interface for creating, inspecting,
// validating and revoking delegations.
type Service interface {
// CreateDelegation creates a delegation from one principal to another.
// NOTE(review): CreateInput carries no caller identity; presumably the
// implementation checks via ctx that the caller is input.DelegatorID — confirm.
CreateDelegation(ctx context.Context, input CreateInput) (*Link, error)
// GetChain retrieves the full delegation chain for a principal.
GetChain(ctx context.Context, principalID uuid.UUID) (*Chain, error)
// ValidateAction checks if a principal can perform an action on a resource.
// NOTE(review): the decision is returned separately from the error;
// presumably a denial is a nil error with Allowed == false, so callers must
// inspect ActionValidation.Allowed (and Confirmation) rather than treat
// err == nil as permission — confirm.
ValidateAction(ctx context.Context, principalID uuid.UUID, action, resource string) (*ActionValidation, error)
// RevokeDelegation revokes a delegation.
// NOTE(review): not visible from this interface whether revoking a link also
// invalidates delegations further down the chain, or tokens already issued
// under Constraints.MaxTokenLifetime — confirm.
RevokeDelegation(ctx context.Context, delegatorID, delegateID uuid.UUID, reason string) error
// ListDelegations lists all delegations granted by a principal.
ListDelegations(ctx context.Context, delegatorID uuid.UUID) ([]*Link, error)
// ComputeEffectiveConstraints computes the effective constraints
// by intersecting constraints through the delegation chain.
// NOTE(review): Constraints documents an empty capability or scope list as
// "all of the parent's"; confirm that an intersection with no common entries
// is not returned as an empty list, which would read as unrestricted.
ComputeEffectiveConstraints(chain *Chain) Constraints
}
Service defines the business logic interface for delegation.
func NewService ¶
NewService creates a new delegation service.