Capability Vocabulary Inventory

This Phase 0 artifact inventories the current authorization capability strings, classifies their status, and records the canonical migration targets for the clean-cutover capability-vocabulary refactor.

Scope

This inventory covers authorization capability names used in:

  • product Rust call sites
  • Biscuit token issuance
  • guard snapshots and guard checks
  • choreography .tell files
  • docs and examples that currently teach or exercise capability annotations
  • test fixtures that still exercise legacy naming

This inventory does not treat the following as authorization capability names:

  • aura_core::effects::CapabilityKey runtime-admission keys
  • version-handshake feature flags such as ceremony_supersession
  • explicit negative-test placeholders such as unknown_capability
  • documentation placeholders such as capability_name
  • diagnostic labels such as bundle linking and session delegation
  • unrelated "capability" terminology in ownership or crypto docs

No out-of-tree module manifests currently exist in-tree. The module namespace rules below therefore reserve the future extension path, but no concrete module capabilities are currently admitted.

Reserved Namespaces

First-Party Authorization Namespaces

These namespace roots are reserved for first-party Aura capability families:

| Namespace | Owner crate | Notes |
|---|---|---|
| amp | aura-amp | AMP message-flow capabilities |
| auth | aura-authentication | Authentication and guardian-auth capabilities |
| chat | aura-chat | Chat and channel message capabilities |
| consensus | aura-consensus | Consensus ceremony capabilities |
| dkd | aura-authentication | Distributed key derivation choreography capabilities |
| example | host-owned docs/examples namespace | Reserved for teaching examples and macro tests |
| invitation | aura-invitation | Invitation, guardian, channel, and device flows |
| recovery | aura-recovery | Recovery, guardian setup, membership change |
| relay | aura-rendezvous | Relay-forward subfamily |
| rendezvous | aura-rendezvous | Descriptor and rendezvous exchange |
| sync | aura-sync | Anti-entropy and epoch rotation |

Generic Host-Owned Capabilities

These names stay reserved by the host and are not owned by a feature crate:

  • read
  • write
  • execute
  • delegate
  • moderator
  • flow_charge

Reserved Module Namespace

Out-of-tree module-defined capabilities must use:

module:<module_id>:<capability_path>

Rules:

  • <module_id> is the admitted host-reviewed module identity, not an arbitrary author-chosen prefix.
  • <capability_path> uses the same validated lower-case segment grammar as first-party names.
  • Modules may not claim first-party namespace roots such as invitation, consensus, or sync.
  • Modules may not claim generic host-owned names such as read or write.
  • Host runtime code must consume admitted descriptors, not hand-written module:<module_id>:... strings.
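
The namespace rules above can be enforced at module admission with a check like the following. This is an added Rust example, not code from the Aura repository: the segment grammar `[a-z][a-z0-9_]*`, the `Rejection` enum, the `check_module_capability` function and the admitted-module slice are assumptions made for illustration.

```rust
// Added example: the constants mirror this page's tables; the segment grammar,
// function names and admitted-module list are assumptions, not Aura's API.
const FIRST_PARTY_ROOTS: [&str; 11] = [
    "amp", "auth", "chat", "consensus", "dkd", "example",
    "invitation", "recovery", "relay", "rendezvous", "sync",
];
const HOST_GENERIC: [&str; 6] =
    ["read", "write", "execute", "delegate", "moderator", "flow_charge"];

#[derive(Debug, PartialEq)]
pub enum Rejection {
    BadSegment, ClaimsFirstPartyRoot, ClaimsHostGenericName,
    NotModuleNamespaced, MissingCapabilityPath, ModuleNotAdmitted,
}

/// Assumed segment grammar: [a-z][a-z0-9_]*
fn valid_segment(s: &str) -> bool {
    let mut chars = s.chars();
    matches!(chars.next(), Some('a'..='z'))
        && chars.all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_')
}

/// Returns (module_id, capability_path) if a module may declare `name`.
pub fn check_module_capability<'a>(
    name: &'a str,
    admitted: &[&str],
) -> Result<(&'a str, &'a str), Rejection> {
    let segs: Vec<&str> = name.split(':').collect();
    if !segs.iter().all(|s| valid_segment(s)) {
        return Err(Rejection::BadSegment);
    }
    match segs.as_slice() {
        [one] if HOST_GENERIC.contains(one) => Err(Rejection::ClaimsHostGenericName),
        [root, ..] if FIRST_PARTY_ROOTS.contains(root) => Err(Rejection::ClaimsFirstPartyRoot),
        ["module", id, _, ..] if admitted.contains(id) => {
            // Slice the original string so multi-segment paths stay intact.
            Ok((*id, &name["module:".len() + id.len() + 1..]))
        }
        ["module", _, _, ..] => Err(Rejection::ModuleNotAdmitted),
        ["module", ..] => Err(Rejection::MissingCapabilityPath),
        _ => Err(Rejection::NotModuleNamespaced),
    }
}

fn main() {
    // Constructed sample names and a constructed admitted-module list.
    for name in ["module:acme_notes:export:pdf", "sync:push_op", "write"] {
        println!("{}: {:?}", name, check_module_capability(name, &["acme_notes"]));
    }
}
```

The check is deny-by-default: a name is accepted only when it is well-formed, sits under `module:`, and names a module identity the host has already admitted.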

Canonical First-Party Capability Inventory

These are the canonical migration targets for first-party product code.

| Canonical name | Owner crate | Current sources | Notes |
|---|---|---|---|
| amp:send | aura-amp | crates/aura-authorization/src/biscuit_token.rs, crates/aura-agent/src/runtime/effects.rs, crates/aura-simulator/tests/guarded_amp_anti_entropy.rs | Canonical AMP send capability |
| amp:receive | aura-amp | crates/aura-amp/src/choreography.tell currently uses cap:amp_recv | Canonical AMP receive capability |
| auth:request | aura-authentication | crates/aura-authentication/src/guards.rs | Canonical authentication request capability |
| auth:submit_proof | aura-authentication | crates/aura-authentication/src/guards.rs | Canonical proof-submission capability |
| auth:verify | aura-authentication | crates/aura-authentication/src/guards.rs | Canonical proof-verification capability |
| auth:create_session | aura-authentication | crates/aura-authentication/src/guards.rs | Authentication-owned session creation capability |
| auth:guardian:request_approval | aura-authentication | crates/aura-authentication/src/guardian_auth_relational.tell, crates/aura-authentication/src/guards.rs | Canonical guardian-auth request capability |
| auth:guardian:coordinate | aura-authentication | crates/aura-authentication/src/guardian_auth_relational.tell | Coordinator-side guardian-auth capability |
| auth:guardian:submit_proof | aura-authentication | crates/aura-authentication/src/guardian_auth_relational.tell | Guardian proof submission |
| auth:guardian:verify | aura-authentication | crates/aura-authentication/src/guardian_auth_relational.tell, crates/aura-authentication/src/guards.rs | Canonical guardian-auth verification capability |
| chat:channel:create | aura-chat | crates/aura-chat/src/guards.rs | Canonical chat channel-create capability |
| chat:message:send | aura-chat | crates/aura-chat/src/guards.rs | Canonical chat send capability |
| consensus:initiate | aura-consensus | crates/aura-consensus/src/protocol/guards.rs | Canonical start-of-ceremony capability |
| consensus:witness_nonce | aura-consensus | crates/aura-consensus/src/protocol/guards.rs | Witness nonce submission |
| consensus:aggregate_nonces | aura-consensus | crates/aura-consensus/src/protocol/guards.rs | Coordinator aggregation capability |
| consensus:witness_sign | aura-consensus | crates/aura-consensus/src/protocol/guards.rs | Witness sign-share submission |
| consensus:finalize | aura-consensus | crates/aura-consensus/src/protocol/guards.rs | Final consensus completion capability |
| dkd:initiate | aura-authentication | crates/aura-authentication/src/dkd.tell | DKD initiation |
| dkd:commit | aura-authentication | crates/aura-authentication/src/dkd.tell | DKD commitment |
| dkd:reveal | aura-authentication | crates/aura-authentication/src/dkd.tell | DKD reveal |
| dkd:finalize | aura-authentication | crates/aura-authentication/src/dkd.tell | DKD finalize |
| invitation:send | aura-invitation | crates/aura-invitation/src/guards.rs, crates/aura-invitation/src/protocol.rs, crates/aura-invitation/src/protocol.invitation_exchange.tell, token issuance | Canonical invitation send capability |
| invitation:accept | aura-invitation | crates/aura-invitation/src/guards.rs, crates/aura-invitation/src/protocol.rs, crates/aura-invitation/src/protocol.invitation_exchange.tell, token issuance | Canonical invitation accept capability |
| invitation:decline | aura-invitation | crates/aura-invitation/src/guards.rs, crates/aura-invitation/src/protocol.rs, token issuance | Canonical invitation decline capability |
| invitation:cancel | aura-invitation | crates/aura-invitation/src/guards.rs, token issuance | Canonical invitation cancel capability |
| invitation:guardian | aura-invitation | crates/aura-invitation/src/guards.rs, crates/aura-invitation/src/protocol.rs, crates/aura-invitation/src/protocol.guardian_invitation.tell, token issuance | Guardian invitation send capability |
| invitation:guardian:accept | aura-invitation | crates/aura-invitation/src/protocol.rs, crates/aura-invitation/src/protocol.guardian_invitation.tell | Guardian invitation accept capability |
| invitation:channel | aura-invitation | crates/aura-invitation/src/guards.rs, token issuance | Shared-channel invitation capability |
| invitation:device:enroll | aura-invitation | crates/aura-invitation/src/protocol.rs, crates/aura-invitation/src/protocol.device_enrollment.tell | Device-enrollment send capability |
| invitation:device:accept | aura-invitation | crates/aura-invitation/src/protocol.rs, crates/aura-invitation/src/protocol.device_enrollment.tell | Device-enrollment accept capability |
| recovery:initiate | aura-recovery | crates/aura-authentication/src/guards.rs, crates/aura-agent/src/handlers/recovery.rs, crates/aura-recovery/src/recovery_protocol.tell | Recovery initiation |
| recovery:coordinate | aura-recovery | crates/aura-recovery/src/recovery_protocol.tell | Recovery coordination capability |
| recovery:approve | aura-recovery | crates/aura-authentication/src/guards.rs, crates/aura-agent/src/handlers/recovery.rs, crates/aura-recovery/src/recovery_protocol.tell | Guardian approval capability |
| recovery:finalize | aura-recovery | crates/aura-agent/src/handlers/recovery.rs, crates/aura-recovery/src/recovery_protocol.tell | Canonical completion/finalization capability |
| recovery:cancel | aura-recovery | crates/aura-agent/src/handlers/recovery.rs | Recovery cancellation capability |
| recovery:guardian_setup:initiate | aura-recovery | crates/aura-recovery/src/guardian_setup.tell | Guardian setup initiation |
| recovery:guardian_setup:accept_invitation | aura-recovery | crates/aura-recovery/src/guardian_setup.tell | Guardian setup invitation acceptance |
| recovery:guardian_setup:verify_invitation | aura-recovery | crates/aura-recovery/src/guardian_setup.tell | Guardian setup verification |
| recovery:guardian_setup:complete | aura-recovery | crates/aura-recovery/src/guardian_setup.tell | Guardian setup completion |
| recovery:membership_change:initiate | aura-recovery | crates/aura-recovery/src/guardian_membership.tell | Membership-change initiation |
| recovery:membership_change:vote | aura-recovery | crates/aura-recovery/src/guardian_membership.tell | Guardian vote capability |
| recovery:membership_change:verify_proposal | aura-recovery | crates/aura-recovery/src/guardian_membership.tell | Proposal verification |
| recovery:membership_change:complete | aura-recovery | crates/aura-recovery/src/guardian_membership.tell | Membership-change completion |
| relay:forward | aura-rendezvous | crates/aura-rendezvous/src/protocol.rs, crates/aura-rendezvous/src/protocol.relayed_rendezvous.tell, docs/113_rendezvous.md | Relay forwarding subfamily |
| rendezvous:publish | aura-rendezvous | crates/aura-rendezvous/src/protocol.rs, crates/aura-rendezvous/src/protocol.rendezvous_exchange.tell, crates/aura-agent/src/handlers/rendezvous.rs, crates/aura-agent/src/runtime/services/rendezvous_manager.rs, token issuance, docs/113_rendezvous.md | Canonical descriptor publish capability |
| rendezvous:connect | aura-rendezvous | crates/aura-rendezvous/src/protocol.rs, crates/aura-rendezvous/src/protocol.rendezvous_exchange.tell, crates/aura-agent/src/handlers/rendezvous.rs, crates/aura-agent/src/runtime/services/rendezvous_manager.rs, docs/113_rendezvous.md | Canonical direct connect capability |
| rendezvous:relay | aura-rendezvous | crates/aura-rendezvous/src/protocol.rs, crates/aura-rendezvous/src/protocol.relayed_rendezvous.tell, crates/aura-agent/src/handlers/rendezvous.rs, docs/113_rendezvous.md | Canonical relayed connect capability |
| sync:request_digest | aura-sync | crates/aura-authorization/src/biscuit_token.rs, crates/aura-agent/src/runtime/effects.rs | Anti-entropy digest request capability |
| sync:request_ops | aura-sync | crates/aura-authorization/src/biscuit_token.rs, crates/aura-agent/src/runtime/effects.rs | Anti-entropy op request capability |
| sync:push_ops | aura-sync | crates/aura-authorization/src/biscuit_token.rs, crates/aura-agent/src/runtime/effects.rs | Anti-entropy batch push capability |
| sync:announce_op | aura-sync | crates/aura-authorization/src/biscuit_token.rs, crates/aura-agent/src/runtime/effects.rs | Anti-entropy announcement capability |
| sync:push_op | aura-sync | crates/aura-authorization/src/biscuit_token.rs, crates/aura-agent/src/runtime/effects.rs | Anti-entropy single-op push capability |
| sync:epoch:propose_rotation | aura-sync | crates/aura-sync/src/protocols/epochs.tell | Epoch rotation proposal |
| sync:epoch:confirm_readiness | aura-sync | crates/aura-sync/src/protocols/epochs.tell | Epoch rotation readiness confirmation |
| sync:epoch:commit_rotation | aura-sync | crates/aura-sync/src/protocols/epochs.tell | Epoch rotation commit |

Legacy Aliases and Invalid Drift

These strings are present today but are not approved as long-lived capability surface. They exist only as migration or deletion targets.

| Current string | Classification | Canonical target | Current sources | Disposition |
|---|---|---|---|---|
| amp:send and cap:amp_send coexist | legacy split-brain naming | amp:send | crates/aura-simulator/tests/guarded_amp_anti_entropy.rs, crates/aura-amp/src/choreography.tell, token issuance | Keep amp:send; delete cap:amp_send |
| cap:amp_recv | legacy alias | amp:receive | crates/aura-amp/src/choreography.tell | Delete alias during Phase 4 |
| auth:request_guardian | legacy alias | auth:guardian:request_approval | crates/aura-authentication/src/guards.rs | Rename in typed family |
| auth:approve_guardian | legacy alias | auth:guardian:verify | crates/aura-authentication/src/guards.rs | Rename in typed family |
| auth:authenticate | invalid drift | auth:verify or a new explicit auth:status if the owner decides status needs its own capability | crates/aura-agent/src/handlers/auth.rs | Phase 2/5 owner decision, then delete drift |
| initiate_consensus | legacy choreography alias | consensus:initiate | crates/aura-consensus/src/protocol/choreography.tell, crates/aura-consensus/src/protocol/guards.rs | Temporary parse bridge only if needed in Phase 4 |
| witness_nonce | legacy choreography alias | consensus:witness_nonce | same as above | Temporary parse bridge only if needed in Phase 4 |
| aggregate_nonces | legacy choreography alias | consensus:aggregate_nonces | same as above | Temporary parse bridge only if needed in Phase 4 |
| witness_sign | legacy choreography alias | consensus:witness_sign | same as above | Temporary parse bridge only if needed in Phase 4 |
| finalize_consensus | legacy choreography alias | consensus:finalize | same as above | Temporary parse bridge only if needed in Phase 4 |
| invitation:device | legacy umbrella name | split to invitation:device:enroll and invitation:device:accept | crates/aura-invitation/src/guards.rs, token issuance | Remove umbrella capability |
| message:send | legacy unowned namespace | chat:message:send | token issuance, crates/aura-agent/src/runtime/effects.rs, docs/tests in aura-guards, aura-mpst, aura-macros | Migrate examples/tests or move to example:*; product code uses chat:* |
| rendezvous:publish_descriptor | invalid drift | rendezvous:publish | crates/aura-agent/src/handlers/rendezvous.rs | Delete drift |
| rendezvous:initiate_channel | invalid drift | rendezvous:connect | crates/aura-agent/src/handlers/rendezvous.rs | Delete drift |
| rendezvous:relay_request | invalid drift | rendezvous:relay | crates/aura-agent/src/handlers/rendezvous.rs | Delete drift |
| recovery:complete | legacy alias | recovery:finalize | crates/aura-agent/src/handlers/recovery.rs | Rename to finalized vocabulary |
| accept_guardian_invitation,verify_setup_invitation | invalid composite choreography string | split to recovery:guardian_setup:accept_invitation and recovery:guardian_setup:verify_invitation | crates/aura-recovery/src/guardian_setup.tell | Delete comma-joined string syntax on this path |
| vote_membership_change,verify_membership_proposal | invalid composite choreography string | split to recovery:membership_change:vote and recovery:membership_change:verify_proposal | crates/aura-recovery/src/guardian_membership.tell | Delete comma-joined string syntax on this path |
| sync:read | invalid umbrella name | replace with operation-specific sync:* capability per call site | crates/aura-sync/src/infrastructure/peers.rs | Delete umbrella capability |
| sync_journal | invalid legacy name | replace with operation-specific sync:* capability per call site | crates/aura-sync/src/protocols/anti_entropy.rs, archived work notes | Delete legacy name |
| recover:device | invalid drift in test payload | owner should replace with a canonical recovery:* capability or a typed role field | crates/aura-invitation/src/protocol.rs test serialization | Do not preserve as compatibility alias |
| invitation:create | invalid test-only drift | delete or replace with a real invitation capability | crates/aura-core/src/ownership.rs test helper | Do not preserve |
| recovery_initiate | legacy test fixture alias | recovery:initiate | crates/aura-testkit/src/fixtures/biscuit.rs | Delete alias in fixture |
| recovery_approve | legacy test fixture alias | recovery:approve | crates/aura-testkit/src/fixtures/biscuit.rs | Delete alias in fixture |
| threshold_sign | invalid / unowned test fixture name | owner must replace with canonical family or remove fixture dependency | crates/aura-testkit/src/fixtures/biscuit.rs | Delete or replace |

Choreography and Example Names That Must Become Namespaced

These current names are intentionally not approved as canonical product capabilities. They either move into an owned first-party namespace or into the reserved host-owned example:* namespace for teaching material.

| Current string(s) | Classification | Canonical target |
|---|---|---|
| send_ping, send_pong, send_request, send_response, send_message, send, coordinate, coordinate_signing, participate_signing | docs/examples legacy placeholders | example:* names in docs, examples, macro tests, and MPST tests |
| create_session, join_session, decline_session, activate_session, broadcast_message, check_status, report_status, end_session | example-only session choreography names | example:* names unless the session protocol becomes a real first-party family |
| request_session, invite_participants, respond_session, create_session, notify_participants, reject_session_creation, notify_participants_failure | invalid unnamespaced internal choreography names | future owned session:* family if retained; otherwise delete |
| request_guardian_approval, coordinate_guardians, submit_guardian_proof, verify_guardian | legacy unnamespaced auth choreography names | auth:guardian:* family |
| initiate_recovery, approve_recovery, coordinate_recovery, finalize_recovery, initiate_guardian_setup, accept_guardian_invitation, verify_setup_invitation, complete_guardian_setup, initiate_membership_change, vote_membership_change, verify_membership_proposal, complete_membership_change | legacy unnamespaced recovery choreography names | recovery:* subfamilies |
| propose_epoch_rotation, confirm_epoch_readiness, commit_epoch_rotation | legacy unnamespaced sync choreography names | sync:epoch:* family |

Explicit Audit Exclusions

These strings were caught by broad Phase 0 grep passes but are not part of the authorization capability vocabulary:

| String | Reason for exclusion | Current sources |
|---|---|---|
| ceremony_supersession | version-handshake feature flag, not an authorization capability | crates/aura-protocol/src/handlers/version_handshake.rs, crates/aura-core/src/protocol/versions.rs |
| fact_journal | version-handshake feature flag, not an authorization capability | same as above plus docs |
| unknown_capability | negative-test placeholder for version capability queries | crates/aura-protocol/src/handlers/version_handshake.rs, crates/aura-core/src/protocol/versions.rs |
| capability_name | documentation placeholder in MPST docs | crates/aura-mpst/src/lib.rs |
| bundle linking | diagnostic label passed to a reconfiguration capability check, not a capability name | crates/aura-agent/src/runtime/services/reconfiguration_manager.rs |
| session delegation | diagnostic label passed to a reconfiguration capability check, not a capability name | same as above |

Quarantine Notes

  • Historical scratch notes remain explicitly quarantined as non-authoritative archive material.
  • This file replaces ad hoc capability-name scratch lists for the Phase 0 refactor inventory.
  • Remaining legacy names are recorded here only as migration/deletion targets. They are not approved compatibility surfaces.

Audit Commands

Phase 0 inventory data was gathered with:

rg -n --no-heading 'CAP_[A-Z0-9_]+: &str = "[^"]+"' crates -g'*.rs'
rg -n --no-heading 'CapabilityId::from\("[^"]+"|has_capability\("[^"]+"' crates -g'*.rs'
rg -n --no-heading 'guard_capability = "[^"]+"|#\[guard_capability\("[^"]+"\)\]' crates docs examples -g'*.rs' -g'*.md' -g'*.tell'
rg -n --no-heading 'capability\("[^"]+"\)' crates docs examples -g'*.rs' -g'*.md'