sptos-cap
seL4-inspired capability management for the SPTOS Cognition Kernel
Overview
sptos-cap enforces all access control in SPTOS. Every kernel object is accessed exclusively through capabilities -- unforgeable kernel-managed tokens with object ID, type, rights bitmap, badge, and epoch. The design follows seL4 principles: a task can only grant capabilities it holds, with rights that are equal or fewer.
Key Features
- Derivation tree — Capabilities can be derived with reduced rights; revoking a parent invalidates all descendants
- Delegation depth limit — Maximum depth of 8 prevents unbounded delegation chains
- Epoch-based invalidation — Stale handles are detected via epoch counters
- Audit logging — Optional capability operation audit trail (requires
alloc) - Boot verification — Cryptographic signature verification for initial capability sets
Dependencies
Key internal dependencies:
sptos-types— Core types (CapHandle, CapRights, Capability, ObjectType)
Usage
rust
use sptos_cap::{CapabilityManager, CapManagerConfig};
use sptos_types::{ObjectType, CapRights, TaskHandle};
let mut manager: CapabilityManager<64> = CapabilityManager::new(
CapManagerConfig::default()
);
let task = TaskHandle::new(1, 0);
let cap = manager.create_root_capability(
0x1000, ObjectType::VectorStore, 0, task,
).unwrap();API Reference
Core Types
| Type | Description |
|---|---|
CapabilityManager<N> | Central manager with fixed-size capability table of N slots |
CapManagerConfig | Configuration for the capability manager |
CapabilityTable | Underlying storage for capability entries |
DerivationTree | Tracks parent-child relationships for revocation propagation |
BootCapabilitySet | Initial capabilities distributed during boot |
CapabilityAuditor | Audit logger for capability operations (requires audit-log) |
BootVerifier | Cryptographic verifier for boot-time signatures |
CapError | Error type for capability operations |