Skip to content

Epic: implement the OCAP enforcement floor (complete mediation) — algebra is sound, enforcement is the gap #749

Description

@hartsock

Finding (docs/ocap/authority-model-design-review.md §7 + the paper docs/ocap/caveat-lattice-paper.md)

The Caveats meet-lattice algebra is sound (GLB on all 6 axes; property-tested) and the per-axis predicates already exist (newt-core CaveatsExt: permits_fs_read/fs_write/exec/net + permits_one_more). The gap is the enforcement floor: the crew/team path consults only fs_write (+ top-level exec), ignores fs_read/net/max_calls, and crew_runner never .meet()s — crews run at the full session grant despite docstrings claiming attenuation. This epic implements complete mediation (Saltzer & Schroeder 1975): the algebra made real.

Stacked PR series (review + merge in order; each TDD: red on today's code, green after)

  1. docs — the design review + the caveat-lattice paper (the rationale). [docs/ocap-authority-review]
  2. crew_runner .meet-attenuates the crew to ≤ session + true docstrings (the structural Confused-Deputy bound).
  3. crew.rs complete mediation: fs_read (navigator reads gated by permits_fs_read).
  4. crew complete mediation: net + max_calls (permits_net + permits_one_more).
  5. gate the team-mode per-subtask verify (exec axis).
  6. role_profile clampNamedPermissionPreset clamps fs_read + default-deny (fix the default-top).
  7. route run_team through Plan/run_plan (+ the plan-path re-entry gap).
  8. per-subtask team_clamp (now with teeth) + the ceiling-tightness lint.

Each step's TDD test is a machine-checked claim; the before/after is empirical evidence for the conference-paper series (paper 1 = docs/ocap/caveat-lattice-paper.md). Single-repo (newt-agent); the agent-mesh algebra is sound + unchanged. Refs #739, #741.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ocapObject-capability / authority-security; pending full design review

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions