x/motr-enclave
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
motr-enclave/internal/codec/ucan-schemas.json

1161 lines
28 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://ucan.xyz/schemas/ucan-complete.json",
"title": "UCAN Complete Schema Definitions",
"description": "Comprehensive JSON Schema definitions for User-Controlled Authorization Network (UCAN) v1.0.0-rc.1 including Tokens, Delegation, and Invocation specifications",
"$defs": {
"DID": {
"$id": "#DID",
"title": "Decentralized Identifier",
"description": "A W3C Decentralized Identifier (DID) string. Must be a valid DID URL.",
"type": "string",
"pattern": "^did:[a-z0-9]+:[a-zA-Z0-9._%-]+(:[a-zA-Z0-9._%-]+)*([/?#].*)?$",
"examples": [
"did:key:z6MkiTBz1ymuepAQ4HEHYSF1H8quG5GLVVQR3djdX3mDooWp",
"did:key:zDnaerDaTF5BXEavCrfRZEk316dpbLsfPDZ3WJ5hRTPFU2169",
"did:web:example.com",
"did:plc:abc123"
]
},
"CID": {
"$id": "#CID",
"title": "Content Identifier",
"description": "IPLD Content Identifier (CIDv1) with DAG-CBOR codec and SHA-256 multihash. Encoded in base58btc, starting with 'zdpu'.",
"type": "object",
"properties": {
"/": {
"type": "string",
"pattern": "^zdpu[a-km-zA-HJ-NP-Z1-9]+$"
}
},
"required": [
"/"
],
"additionalProperties": false,
"examples": [
{
"/": "zdpuAzx4sBrBCabrZZqXgvK3NDzh7Mf5mKbG11aBkkMCdLtCp"
}
]
},
"Bytes": {
"$id": "#Bytes",
"title": "Binary Data",
"description": "Binary data encoded as base64 in DAG-JSON format",
"type": "object",
"properties": {
"/": {
"type": "object",
"properties": {
"bytes": {
"type": "string",
"contentEncoding": "base64"
}
},
"required": [
"bytes"
],
"additionalProperties": false
}
},
"required": [
"/"
],
"additionalProperties": false,
"examples": [
{
"/": {
"bytes": "bGlnaHQgd29yay4"
}
},
{
"/": {
"bytes": "TWFueSBopvcs"
}
}
]
},
"Timestamp": {
"$id": "#Timestamp",
"title": "Unix Timestamp",
"description": "Unix timestamp in seconds since epoch (UTC). Must be within 53-bit integer range for JavaScript compatibility.",
"type": "integer",
"minimum": -9007199254740991,
"maximum": 9007199254740991,
"examples": [
1529496683,
1575606941,
1697409438
]
},
"NullableTimestamp": {
"$id": "#NullableTimestamp",
"title": "Nullable Unix Timestamp",
"description": "Unix timestamp or null for non-expiring tokens",
"oneOf": [
{
"$ref": "#/$defs/Timestamp"
},
{
"type": "null"
}
]
},
"VarsigHeader": {
"$id": "#VarsigHeader",
"title": "Varsig Header",
"description": "Variable signature header containing cryptographic algorithm metadata",
"allOf": [
{
"$ref": "#/$defs/Bytes"
}
],
"examples": [
{
"/": {
"bytes": "NBIFEgEAcQ"
}
}
]
},
"Signature": {
"$id": "#Signature",
"title": "Cryptographic Signature",
"description": "Raw signature bytes over the signed payload",
"allOf": [
{
"$ref": "#/$defs/Bytes"
}
],
"examples": [
{
"/": {
"bytes": "7aEDQLYvb3lygk9yvAbk0OZD0q+iF9c3+wpZC4YlFThkiNShcVriobPFr/wl3akjM18VvIv/Zw2LtA4uUmB5m8PWEAU"
}
}
]
},
"Command": {
"$id": "#Command",
"title": "UCAN Command",
"description": "A slash-delimited path describing the action to perform. Must be lowercase, start with '/', and not have a trailing slash.",
"type": "string",
"pattern": "^/([a-z0-9_\\u00C0-\\u024F]+(/[a-z0-9_\\u00C0-\\u024F]+)*)?$",
"examples": [
"/",
"/crud",
"/crud/create",
"/crud/read",
"/crud/update",
"/crud/delete",
"/msg/send",
"/msg/receive",
"/ucan/revoke",
"/wasm/run",
"/crypto/sign",
"/blog/post/create"
]
},
"Selector": {
"$id": "#Selector",
"title": "Policy Selector",
"description": "jq-inspired selector for navigating IPLD data structures in policy evaluation",
"type": "string",
"pattern": "^\\.(([a-zA-Z_][a-zA-Z0-9_]*)|(\\[[^\\]]+\\])|(\\[\\])|(\\[-?\\d+\\])|(\\[\\d*:\\d*\\]))?((\\.[a-zA-Z_][a-zA-Z0-9_]*)|(\\[[^\\]]+\\])|(\\[\\])|(\\[-?\\d+\\])|(\\[\\d*:\\d*\\]))*\\??$",
"examples": [
".",
".foo",
".bar.baz",
".items[0]",
".items[-1]",
".data[2:5]",
".optional?",
"[\"special-key\"]",
".array[]"
]
},
"GlobPattern": {
"$id": "#GlobPattern",
"title": "Glob Pattern",
"description": "Pattern string for 'like' operator. Use * for wildcard, \\* for literal asterisk.",
"type": "string",
"examples": [
"*@example.com",
"prefix*suffix",
"exact-match",
"escaped\\*asterisk"
]
},
"EqualityOperator": {
"$id": "#EqualityOperator",
"title": "Equality Operator",
"type": "string",
"enum": [
"==",
"!="
]
},
"InequalityOperator": {
"$id": "#InequalityOperator",
"title": "Inequality Operator",
"type": "string",
"enum": [
">",
">=",
"<",
"<="
]
},
"ConnectiveOperator": {
"$id": "#ConnectiveOperator",
"title": "Connective Operator",
"type": "string",
"enum": [
"and",
"or"
]
},
"QuantifierOperator": {
"$id": "#QuantifierOperator",
"title": "Quantifier Operator",
"type": "string",
"enum": [
"all",
"any"
]
},
"EqualityStatement": {
"$id": "#EqualityStatement",
"title": "Equality Statement",
"description": "Deep comparison of selector result against any IPLD value",
"type": "array",
"prefixItems": [
{
"$ref": "#/$defs/EqualityOperator"
},
{
"$ref": "#/$defs/Selector"
},
{}
],
"minItems": 3,
"maxItems": 3,
"examples": [
[
"==",
".status",
"draft"
],
[
"!=",
".deleted",
true
],
[
"==",
".tags",
[
"news",
"press"
]
]
]
},
"InequalityStatement": {
"$id": "#InequalityStatement",
"title": "Inequality Statement",
"description": "Numeric comparison of selector result",
"type": "array",
"prefixItems": [
{
"$ref": "#/$defs/InequalityOperator"
},
{
"$ref": "#/$defs/Selector"
},
{
"type": "number"
}
],
"minItems": 3,
"maxItems": 3,
"examples": [
[
">",
".age",
18
],
[
"<=",
".price",
100.50
],
[
">=",
".count",
0
]
]
},
"LikeStatement": {
"$id": "#LikeStatement",
"title": "Like Statement",
"description": "Glob pattern matching on string values",
"type": "array",
"prefixItems": [
{
"const": "like"
},
{
"$ref": "#/$defs/Selector"
},
{
"$ref": "#/$defs/GlobPattern"
}
],
"minItems": 3,
"maxItems": 3,
"examples": [
[
"like",
".email",
"*@example.com"
],
[
"like",
".path",
"/users/*"
]
]
},
"NotStatement": {
"$id": "#NotStatement",
"title": "Not Statement",
"description": "Logical negation of a statement",
"type": "array",
"prefixItems": [
{
"const": "not"
},
{
"$ref": "#/$defs/PolicyStatement"
}
],
"minItems": 2,
"maxItems": 2,
"examples": [
[
"not",
[
"==",
".deleted",
true
]
]
]
},
"AndStatement": {
"$id": "#AndStatement",
"title": "And Statement",
"description": "Logical AND of multiple statements. Empty array evaluates to true.",
"type": "array",
"prefixItems": [
{
"const": "and"
},
{
"type": "array",
"items": {
"$ref": "#/$defs/PolicyStatement"
}
}
],
"minItems": 2,
"maxItems": 2,
"examples": [
[
"and",
[
[
"==",
".name",
"Katie"
],
[
">=",
".age",
21
]
]
]
]
},
"OrStatement": {
"$id": "#OrStatement",
"title": "Or Statement",
"description": "Logical OR of multiple statements. Empty array evaluates to true.",
"type": "array",
"prefixItems": [
{
"const": "or"
},
{
"type": "array",
"items": {
"$ref": "#/$defs/PolicyStatement"
}
}
],
"minItems": 2,
"maxItems": 2,
"examples": [
[
"or",
[
[
"==",
".status",
"active"
],
[
"==",
".status",
"pending"
]
]
]
]
},
"AllStatement": {
"$id": "#AllStatement",
"title": "All Statement",
"description": "Universal quantifier - statement must hold for all elements in collection",
"type": "array",
"prefixItems": [
{
"const": "all"
},
{
"$ref": "#/$defs/Selector"
},
{
"$ref": "#/$defs/PolicyStatement"
}
],
"minItems": 3,
"maxItems": 3,
"examples": [
[
"all",
".reviewers",
[
"like",
".email",
"*@example.com"
]
]
]
},
"AnyStatement": {
"$id": "#AnyStatement",
"title": "Any Statement",
"description": "Existential quantifier - statement must hold for at least one element in collection",
"type": "array",
"prefixItems": [
{
"const": "any"
},
{
"$ref": "#/$defs/Selector"
},
{
"$ref": "#/$defs/PolicyStatement"
}
],
"minItems": 3,
"maxItems": 3,
"examples": [
[
"any",
".tags",
[
"==",
".",
"urgent"
]
]
]
},
"PolicyStatement": {
"$id": "#PolicyStatement",
"title": "Policy Statement",
"description": "A single policy predicate expression",
"oneOf": [
{
"$ref": "#/$defs/EqualityStatement"
},
{
"$ref": "#/$defs/InequalityStatement"
},
{
"$ref": "#/$defs/LikeStatement"
},
{
"$ref": "#/$defs/NotStatement"
},
{
"$ref": "#/$defs/AndStatement"
},
{
"$ref": "#/$defs/OrStatement"
},
{
"$ref": "#/$defs/AllStatement"
},
{
"$ref": "#/$defs/AnyStatement"
}
]
},
"Policy": {
"$id": "#Policy",
"title": "UCAN Policy",
"description": "Array of policy statements forming an implicit AND conjunction. Constrains the args field of eventual invocations.",
"type": "array",
"items": {
"$ref": "#/$defs/PolicyStatement"
},
"examples": [
[],
[
[
"==",
".from",
"alice@example.com"
]
],
[
[
"==",
".status",
"draft"
],
[
"all",
".reviewer",
[
"like",
".email",
"*@example.com"
]
],
[
"any",
".tags",
[
"or",
[
[
"==",
".",
"news"
],
[
"==",
".",
"press"
]
]
]
]
]
]
},
"Metadata": {
"$id": "#Metadata",
"title": "UCAN Metadata",
"description": "Optional map of arbitrary metadata, facts, and proofs of knowledge. Must be self-evident and externally verifiable.",
"type": "object",
"additionalProperties": true,
"examples": [
{
"challenges": {
"example.com": "abcdef"
}
},
{
"env": "development",
"tags": [
"blog",
"post"
]
}
]
},
"Arguments": {
"$id": "#Arguments",
"title": "Command Arguments",
"description": "Map of arguments for a command. Shape is defined by the command type.",
"type": "object",
"additionalProperties": true,
"examples": [
{
"from": "mailto:alice@example.com",
"to": [
"bob@example.com"
],
"subject": "Hello",
"body": "World"
},
{
"uri": "https://example.com/resource",
"payload": {
"key": "value"
}
}
]
},
"Capability": {
"$id": "#Capability",
"title": "UCAN Capability",
"description": "The semantically-relevant claim of a delegation: subject × command × policy",
"type": "object",
"properties": {
"sub": {
"description": "The Subject DID this capability is about, or null for powerline delegation",
"oneOf": [
{
"$ref": "#/$defs/DID"
},
{
"type": "null"
}
]
},
"cmd": {
"$ref": "#/$defs/Command",
"description": "The command being delegated"
},
"pol": {
"$ref": "#/$defs/Policy",
"description": "Constraints on eventual invocation arguments"
}
},
"required": [
"sub",
"cmd",
"pol"
],
"additionalProperties": false,
"examples": [
{
"sub": "did:key:z6MkiTBz1ymuepAQ4HEHYSF1H8quG5GLVVQR3djdX3mDooWp",
"cmd": "/crud/read",
"pol": []
},
{
"sub": null,
"cmd": "/",
"pol": []
}
]
},
"DelegationPayload": {
"$id": "#DelegationPayload",
"title": "UCAN Delegation Payload",
"description": "The payload of a UCAN Delegation token (ucan/dlg@1.0.0-rc.1)",
"type": "object",
"properties": {
"iss": {
"$ref": "#/$defs/DID",
"description": "Issuer DID - the principal delegating authority"
},
"aud": {
"$ref": "#/$defs/DID",
"description": "Audience DID - the principal receiving delegated authority"
},
"sub": {
"description": "Subject DID - the principal the chain is about, or null for powerline",
"oneOf": [
{
"$ref": "#/$defs/DID"
},
{
"type": "null"
}
]
},
"cmd": {
"$ref": "#/$defs/Command",
"description": "The command being delegated"
},
"pol": {
"$ref": "#/$defs/Policy",
"description": "Policy constraints on invocation arguments"
},
"nonce": {
"$ref": "#/$defs/Bytes",
"description": "Random nonce ensuring unique CID"
},
"meta": {
"$ref": "#/$defs/Metadata",
"description": "Optional arbitrary metadata"
},
"nbf": {
"$ref": "#/$defs/Timestamp",
"description": "Not-before timestamp (optional)"
},
"exp": {
"$ref": "#/$defs/NullableTimestamp",
"description": "Expiration timestamp, or null for non-expiring"
}
},
"required": [
"iss",
"aud",
"sub",
"cmd",
"pol",
"nonce",
"exp"
],
"additionalProperties": false
},
"DelegationSigPayload": {
"$id": "#DelegationSigPayload",
"title": "Delegation Signature Payload",
"description": "The content signed in a UCAN Delegation",
"type": "object",
"properties": {
"h": {
"$ref": "#/$defs/VarsigHeader",
"description": "Varsig v1 header with algorithm metadata"
},
"ucan/dlg@1.0.0-rc.1": {
"$ref": "#/$defs/DelegationPayload",
"description": "The delegation payload"
}
},
"required": [
"h",
"ucan/dlg@1.0.0-rc.1"
],
"additionalProperties": false
},
"Delegation": {
"$id": "#Delegation",
"title": "UCAN Delegation",
"description": "Complete UCAN Delegation envelope with signature",
"type": "array",
"prefixItems": [
{
"$ref": "#/$defs/Signature",
"description": "Signature over the SigPayload by the issuer"
},
{
"$ref": "#/$defs/DelegationSigPayload",
"description": "The signed content"
}
],
"minItems": 2,
"maxItems": 2
},
"ProofChain": {
"$id": "#ProofChain",
"title": "Proof Chain",
"description": "Ordered array of CID references to Delegations forming the authority chain from Subject to Invoker",
"type": "array",
"items": {
"$ref": "#/$defs/CID"
},
"examples": [
[
{
"/": "zdpuAzx4sBrBCabrZZqXgvK3NDzh7Mf5mKbG11aBkkMCdLtCp"
},
{
"/": "zdpuApTCXfoKh2sB1KaUaVSGofCBNPUnXoBb6WiCeitXEibZy"
}
]
]
},
"InvocationPayload": {
"$id": "#InvocationPayload",
"title": "UCAN Invocation Payload",
"description": "The payload of a UCAN Invocation token (ucan/inv@1.0.0-rc.1)",
"type": "object",
"properties": {
"iss": {
"$ref": "#/$defs/DID",
"description": "Issuer DID - the invoker requesting execution"
},
"sub": {
"$ref": "#/$defs/DID",
"description": "Subject DID - the principal being invoked"
},
"aud": {
"$ref": "#/$defs/DID",
"description": "Optional audience DID if executor differs from subject"
},
"cmd": {
"$ref": "#/$defs/Command",
"description": "The command to execute"
},
"args": {
"$ref": "#/$defs/Arguments",
"description": "Command arguments"
},
"prf": {
"$ref": "#/$defs/ProofChain",
"description": "Proof chain of delegations"
},
"meta": {
"$ref": "#/$defs/Metadata",
"description": "Optional metadata"
},
"nonce": {
"$ref": "#/$defs/Bytes",
"description": "Optional nonce for non-idempotent invocations"
},
"exp": {
"$ref": "#/$defs/NullableTimestamp",
"description": "Expiration timestamp"
},
"iat": {
"$ref": "#/$defs/Timestamp",
"description": "Optional issuance timestamp"
},
"cause": {
"$ref": "#/$defs/CID",
"description": "Optional CID of Receipt that enqueued this task"
}
},
"required": [
"iss",
"sub",
"cmd",
"args",
"prf",
"exp"
],
"additionalProperties": false
},
"InvocationSigPayload": {
"$id": "#InvocationSigPayload",
"title": "Invocation Signature Payload",
"description": "The content signed in a UCAN Invocation",
"type": "object",
"properties": {
"h": {
"$ref": "#/$defs/VarsigHeader",
"description": "Varsig v1 header"
},
"ucan/inv@1.0.0-rc.1": {
"$ref": "#/$defs/InvocationPayload",
"description": "The invocation payload"
}
},
"required": [
"h",
"ucan/inv@1.0.0-rc.1"
],
"additionalProperties": false
},
"Invocation": {
"$id": "#Invocation",
"title": "UCAN Invocation",
"description": "Complete UCAN Invocation envelope with signature",
"type": "array",
"prefixItems": [
{
"$ref": "#/$defs/Signature",
"description": "Signature over the SigPayload by the invoker"
},
{
"$ref": "#/$defs/InvocationSigPayload",
"description": "The signed content"
}
],
"minItems": 2,
"maxItems": 2
},
"Task": {
"$id": "#Task",
"title": "UCAN Task",
"description": "The subset of Invocation fields uniquely determining work to perform. Task ID is the CID of these fields.",
"type": "object",
"properties": {
"sub": {
"$ref": "#/$defs/DID",
"description": "Subject DID"
},
"cmd": {
"$ref": "#/$defs/Command",
"description": "Command to execute"
},
"args": {
"$ref": "#/$defs/Arguments",
"description": "Command arguments"
},
"nonce": {
"$ref": "#/$defs/Bytes",
"description": "Nonce for uniqueness"
}
},
"required": [
"sub",
"cmd",
"args",
"nonce"
],
"additionalProperties": false
},
"ReceiptPayload": {
"$id": "#ReceiptPayload",
"title": "UCAN Receipt Payload",
"description": "The payload of a UCAN Receipt (execution result)",
"type": "object",
"properties": {
"iss": {
"$ref": "#/$defs/DID",
"description": "Executor DID that produced this receipt"
},
"ran": {
"$ref": "#/$defs/CID",
"description": "CID of the Invocation that was executed"
},
"out": {
"description": "Result of execution - either success or error",
"oneOf": [
{
"type": "object",
"properties": {
"ok": {
"description": "Success value"
}
},
"required": [
"ok"
],
"additionalProperties": false
},
{
"type": "object",
"properties": {
"err": {
"description": "Error value"
}
},
"required": [
"err"
],
"additionalProperties": false
}
]
},
"fx": {
"type": "array",
"items": {
"$ref": "#/$defs/CID"
},
"description": "Effects - CIDs of Tasks to enqueue"
},
"meta": {
"$ref": "#/$defs/Metadata",
"description": "Optional metadata"
},
"iat": {
"$ref": "#/$defs/Timestamp",
"description": "Issuance timestamp"
}
},
"required": [
"iss",
"ran",
"out"
],
"additionalProperties": false
},
"RevocationPayload": {
"$id": "#RevocationPayload",
"title": "UCAN Revocation Payload",
"description": "Payload for revoking a previously issued delegation",
"type": "object",
"properties": {
"iss": {
"$ref": "#/$defs/DID",
"description": "Revoker DID - must be an issuer in the delegation chain"
},
"sub": {
"$ref": "#/$defs/DID",
"description": "Subject of the delegation being revoked"
},
"cmd": {
"const": "/ucan/revoke",
"description": "Revocation command"
},
"args": {
"type": "object",
"properties": {
"ucan": {
"$ref": "#/$defs/CID",
"description": "CID of the delegation to revoke"
}
},
"required": [
"ucan"
],
"additionalProperties": false
},
"prf": {
"$ref": "#/$defs/ProofChain",
"description": "Proof chain showing revoker's authority"
},
"nonce": {
"$ref": "#/$defs/Bytes"
},
"exp": {
"$ref": "#/$defs/NullableTimestamp"
}
},
"required": [
"iss",
"sub",
"cmd",
"args",
"prf",
"nonce",
"exp"
],
"additionalProperties": false
},
"UCANEnvelope": {
"$id": "#UCANEnvelope",
"title": "UCAN Envelope",
"description": "Generic UCAN envelope format used by all UCAN token types",
"type": "array",
"prefixItems": [
{
"$ref": "#/$defs/Signature",
"description": "Signature by payload's issuer over the SigPayload"
},
{
"type": "object",
"properties": {
"h": {
"$ref": "#/$defs/VarsigHeader",
"description": "Varsig v1 header"
}
},
"required": [
"h"
],
"additionalProperties": true
}
],
"minItems": 2,
"maxItems": 2
},
"CryptoAlgorithm": {
"$id": "#CryptoAlgorithm",
"title": "Supported Cryptographic Algorithm",
"description": "Signature algorithms supported by UCAN",
"type": "string",
"enum": [
"Ed25519",
"P-256",
"secp256k1"
],
"default": "Ed25519"
},
"HashAlgorithm": {
"$id": "#HashAlgorithm",
"title": "Hash Algorithm",
"description": "Hash algorithm for content addressing",
"type": "string",
"enum": [
"sha2-256"
],
"default": "sha2-256"
},
"ValidationError": {
"$id": "#ValidationError",
"title": "Validation Error",
"description": "Error returned when UCAN validation fails",
"type": "object",
"properties": {
"code": {
"type": "string",
"enum": [
"EXPIRED",
"NOT_YET_VALID",
"INVALID_SIGNATURE",
"PRINCIPAL_MISALIGNMENT",
"POLICY_VIOLATION",
"REVOKED",
"INVALID_PROOF_CHAIN",
"UNKNOWN_COMMAND",
"MALFORMED_TOKEN"
]
},
"message": {
"type": "string"
},
"details": {
"type": "object",
"additionalProperties": true
}
},
"required": [
"code",
"message"
]
},
"ValidationResult": {
"$id": "#ValidationResult",
"title": "Validation Result",
"description": "Result of UCAN validation",
"oneOf": [
{
"type": "object",
"properties": {
"valid": {
"const": true
},
"capability": {
"$ref": "#/$defs/Capability"
}
},
"required": [
"valid",
"capability"
]
},
{
"type": "object",
"properties": {
"valid": {
"const": false
},
"error": {
"$ref": "#/$defs/ValidationError"
}
},
"required": [
"valid",
"error"
]
}
]
}
},
"oneOf": [
{
"$ref": "#/$defs/Delegation"
},
{
"$ref": "#/$defs/Invocation"
}
]
}
Reference in New Issue View Git Blame Copy Permalink