capability_validation

Module: enforcement::capability_validation

Structs


firma_sidecar::enforcement::capability_validation::CapabilityValidator

Struct

Stage 1: Capability Validation.

Selects the best-matching capability token and validates it: parse PASETO v4, verify Ed25519 signature, check expiry, and check revocation via bloom filter + LRU cache. Fully local — the Authority is never contacted.

Target: < 1ms p95.

Methods:

  • fn new(capability_map: CapabilityMap, verifier: Box<dyn TokenVerifier>, revocation: Arc<dyn RevocationStore>, clock_skew_tolerance: Duration) -> Self - Creates a new [CapabilityValidator] with the given [CapabilityMap],
  • fn enforce(self: &Self, envelope: &NormalizedEnvelope, session_id: &str) -> Result<ValidatedCapability, EnforcementDecision> - Run Stage 1: select token → validate.
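
The expiry and revocation steps described above, as an added sketch that is not firma_sidecar's own code: expiry is checked with a clock-skew tolerance, and a Bloom filter answers "definitely not revoked" locally so that only filter hits need an exact lookup. Assumptions: `Check`, `Bloom` and `check` are hypothetical names, PASETO parsing and Ed25519 verification are taken to have already succeeded, and a `HashSet` stands in for the exact revocation list that the LRU cache would front.

```rust
use std::collections::HashSet;
use std::time::Duration;

/// Hypothetical result type for this sketch, not the crate's EnforcementDecision.
#[derive(Debug, PartialEq)]
pub enum Check { Ok, Expired, Revoked }

const SEEDS: [u64; 2] = [0, 0x9e3779b97f4a7c15]; // one seed per Bloom probe
/// Small Bloom filter: two seeded FNV-1a probes into a 1024-bit array.
pub struct Bloom { bits: [u64; 16] }

impl Bloom {
    pub fn new() -> Self { Bloom { bits: [0; 16] } }
    fn probe(id: &str, seed: u64) -> usize {
        let mut h = 0xcbf29ce484222325u64 ^ seed;
        for b in id.bytes() { h = (h ^ b as u64).wrapping_mul(0x100000001b3); }
        (h % 1024) as usize
    }
    pub fn insert(&mut self, id: &str) {
        for &s in SEEDS.iter() {
            let i = Self::probe(id, s);
            self.bits[i / 64] |= 1u64 << (i % 64);
        }
    }
    /// false means "definitely never inserted"; true means "possibly inserted".
    pub fn maybe_contains(&self, id: &str) -> bool {
        SEEDS.iter().all(|&s| {
            let i = Self::probe(id, s);
            (self.bits[i / 64] & (1u64 << (i % 64))) != 0
        })
    }
}

/// Expiry and revocation checks, assumed to run after signature verification.
/// `exp`/`now` are Unix seconds; `confirmed` stands in for the exact revocation list.
pub fn check(id: &str, exp: u64, now: u64, skew: Duration, bloom: &Bloom, confirmed: &HashSet<String>) -> Check {
    // Bounded clock drift: expired only once now is past exp + skew.
    if now > exp.saturating_add(skew.as_secs()) { return Check::Expired; }
    // A Bloom miss is definitive, so the common unrevoked case does no exact lookup.
    if !bloom.maybe_contains(id) { return Check::Ok; }
    // A Bloom hit can be a false positive: confirm before denying.
    if confirmed.contains(id) { Check::Revoked } else { Check::Ok }
}

fn main() {
    let (mut bloom, mut confirmed) = (Bloom::new(), HashSet::new());
    bloom.insert("tok-revoked"); // constructed sample token id
    confirmed.insert("tok-revoked".to_string());
    println!("{:?}", check("tok-revoked", 1000, 900, Duration::from_secs(30), &bloom, &confirmed));
}
```

A filter hit that the exact list does not confirm is treated as a false positive and allowed, which is why the filter can only ever be a fast path and never the sole revocation source.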

firma_sidecar::enforcement::capability_validation::ValidatedCapability

Struct

A capability token that has been selected from the map and cryptographically validated (signature, expiry, revocation).

Fields:

  • raw_token: String - The raw PASETO v4 token string.
  • claims: firma_core::CapabilityClaims - Verified claims extracted from the token.

Trait Implementations:

  • Debug
    • fn fmt(self: &Self, f: &mut std::fmt::Formatter) -> std::fmt::Result
  • Clone
    • fn clone(self: &Self) -> ValidatedCapability