capability
Module: startup::capability
Section titled “Module: startup::capability”Contents
Section titled “Contents”Functions
build_token_verifier- Build the Stage 1 token verifier.load_capability_map- Read every seed file referenced byseed.pathsand assemble aseed_into_entry- Convert a parsed capability seed file into a runtime entry.
firma_sidecar::startup::capability::build_token_verifier
Section titled “firma_sidecar::startup::capability::build_token_verifier”Function
Build the Stage 1 token verifier.
Returns a [PasetoV4Verifier] when public_key_path is set,
otherwise returns a [RejectAllVerifier] so unconfigured
deployments continue to deny every protected call.
Errors
Section titled “Errors”Returns an error when the public-key file cannot be read or its contents do not match the Ed25519 32-byte format.
fn build_token_verifier(public_key_path: Option<&std::path::Path>) -> anyhow::Result<Box<dyn TokenVerifier>>firma_sidecar::startup::capability::load_capability_map
Section titled “firma_sidecar::startup::capability::load_capability_map”Function
Read every seed file referenced by seed.paths and assemble a
fully-indexed [CapabilityMap].
Errors
Section titled “Errors”Returns an error when a seed file cannot be read, parsed, converted
into a [CapabilityClaims] value, or when its raw_token fails
PASETO verification.
fn load_capability_map(seed: &crate::config::CapabilitySeedConfig, verifier: &dyn TokenVerifier) -> anyhow::Result<crate::enforcement::capability_map::CapabilityMap>firma_sidecar::startup::capability::seed_into_entry
Section titled “firma_sidecar::startup::capability::seed_into_entry”Function
Convert a parsed capability seed file into a runtime entry.
Errors
Section titled “Errors”Returns a descriptive error string when any identifier (token, agent, or session) fails to parse or when the token fails verification.
fn seed_into_entry(file: &crate::config::SeedFile, verifier: &dyn TokenVerifier) -> anyhow::Result<crate::enforcement::capability_map::CapabilityEntry>