Skip to content

sptos-cap

seL4-inspired capability management for the SPTOS Cognition Kernel

Overview

sptos-cap enforces all access control in SPTOS. Every kernel object is accessed exclusively through capabilities -- unforgeable kernel-managed tokens with object ID, type, rights bitmap, badge, and epoch. The design follows seL4 principles: a task can only grant capabilities it holds, with rights that are equal or fewer.

Key Features

  • Derivation tree — Capabilities can be derived with reduced rights; revoking a parent invalidates all descendants
  • Delegation depth limit — Maximum depth of 8 prevents unbounded delegation chains
  • Epoch-based invalidation — Stale handles are detected via epoch counters
  • Audit logging — Optional capability operation audit trail (requires alloc)
  • Boot verification — Cryptographic signature verification for initial capability sets

Dependencies

Key internal dependencies:

  • sptos-types — Core types (CapHandle, CapRights, Capability, ObjectType)

Usage

rust
use sptos_cap::{CapabilityManager, CapManagerConfig};
use sptos_types::{ObjectType, CapRights, TaskHandle};

let mut manager: CapabilityManager<64> = CapabilityManager::new(
    CapManagerConfig::default()
);
let task = TaskHandle::new(1, 0);
let cap = manager.create_root_capability(
    0x1000, ObjectType::VectorStore, 0, task,
).unwrap();

API Reference

Core Types

TypeDescription
CapabilityManager<N>Central manager with fixed-size capability table of N slots
CapManagerConfigConfiguration for the capability manager
CapabilityTableUnderlying storage for capability entries
DerivationTreeTracks parent-child relationships for revocation propagation
BootCapabilitySetInitial capabilities distributed during boot
CapabilityAuditorAudit logger for capability operations (requires audit-log)
BootVerifierCryptographic verifier for boot-time signatures
CapErrorError type for capability operations

Released under the MIT License.