Docs / Standard Library / Auth

Auth

The Auth modules define Kit's object-capability authority tokens. Programs receive root authority from the runtime, derive narrower tokens, and pass those tokens to functions that need file, network, process, or concurrency access.

Unforgeable Authorities

Authority constructors are protected outside test blocks, including through imported package code. Application code should derive authority from env.root with Auth.* helpers instead of constructing tokens directly.

Authority Hierarchy

RootAuth
  +-- FileAuth
  |     +-- FileReadAuth
  |     +-- FileWriteAuth
  +-- NetAuth
  |     +-- TCPAuth
  |     |     +-- TCPConnectAuth
  |     |     +-- TCPListenAuth
  |     +-- UDPAuth
  |     +-- DNSAuth
  +-- ProcessAuth
  +-- ConcurrencyAuth
        +-- ActorAuth
        +-- ChannelAuth
        +-- ParallelAuth

Auth.Root

RootAuth
type RootAuth
Root authority represents complete system access and is the source for all narrower authorities.

Auth.File

file-auth
RootAuth -> FileAuth
Derives general file authority from root authority.
import Auth.File.{file-auth, file-read-auth}

main = fn(env: Env) =>
  file = file-auth env.root
  read = file-read-auth file
file-read-auth / file-write-auth
FileAuth -> FileReadAuth / FileAuth -> FileWriteAuth
Derives read-only or write-only file authority from general file authority.

Auth.Net

net-auth
RootAuth -> NetAuth
Derives general network authority from root authority.
tcp-auth / udp-auth / dns-auth
NetAuth -> TCPAuth / NetAuth -> UDPAuth / NetAuth -> DNSAuth
Derives protocol-specific network authority. TCPAuth can be further narrowed with tcp-connect-auth or tcp-listen-auth.

Auth.Process

process-auth
RootAuth -> ProcessAuth
Derives authority to spawn and manage external processes.

Auth.Concurrency

concurrency-auth
RootAuth -> ConcurrencyAuth
Derives full concurrency authority from root authority.
actor-auth / channel-auth / parallel-auth
ConcurrencyAuth -> ActorAuth / ConcurrencyAuth -> ChannelAuth / ConcurrencyAuth -> ParallelAuth
Derives narrower authority for actors, channels, or parallel execution.

Testing

Test blocks may construct mock authority tokens directly so capability-aware wrappers can be tested without granting real process-wide authority. Outside tests, direct constructors are rejected; use the derivation helpers above and pass the resulting tokens explicitly.