
capabilities

capabilities

RBAC capability system — fine-grained permission model for tool dispatch.

Classes

Capability

Bases: str, Enum

Fine-grained capability labels.

CapabilityGrant dataclass

CapabilityGrant(capability: str, pattern: str = '*')

A single capability grant for an agent.

AgentPolicy dataclass

AgentPolicy(agent_id: str, grants: List[CapabilityGrant] = list(), deny: List[str] = list())

Policy for a specific agent.

CapabilityPolicy

CapabilityPolicy(*, policy_path: Optional[str] = None, default_deny: bool = False)

RBAC capability policy for tool dispatch.

Checks whether an agent has the required capability to invoke a tool. Policy can be loaded from a JSON file or configured programmatically.

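Default policy: if no explicit policy exists for an agent, all capabilities are granted (open by default). This means an agent_id that was never registered, or was misspelled when the policy was written, is allowed everything. Set default_deny=True to flip to deny-by-default.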

Source code in src/openjarvis/security/capabilities.py
def __init__(
    self,
    *,
    policy_path: Optional[str] = None,
    default_deny: bool = False,
) -> None:
    """Create the policy and optionally load it from a JSON file.

    Args:
        policy_path: Location of a policy file to load. Skipped when falsy.
        default_deny: Forwarded to the Rust ``CapabilityPolicy``. It is
            False unless the caller sets it; the class documentation
            describes that setting as open by default, i.e. an agent
            without an explicit policy is granted every capability.
    """
    self._default_deny = default_deny
    # Python-side record of grants and denies, keyed by agent id.
    self._policies: Dict[str, AgentPolicy] = {}

    # Resolved at construction time rather than at module import.
    from openjarvis._rust_bridge import get_rust_module

    # ``check`` delegates to this object, so it holds the enforced policy.
    self._rust_impl = get_rust_module().CapabilityPolicy(
        default_deny=default_deny,
    )

    if not policy_path:
        return
    # Load last, once both the Python table and the Rust object exist.
    self._load_file(Path(policy_path))
Functions
grant
grant(agent_id: str, capability: str, pattern: str = '*') -> None

Grant a capability to an agent.

Source code in src/openjarvis/security/capabilities.py
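def grant(self, agent_id: str, capability: str, pattern: str = "*") -> None:
    """Grant a capability to an agent.

    The grant is registered with the Rust policy object before it is
    recorded in the Python-side table. ``check`` consults only the Rust
    object, while ``list_grants`` and ``save`` read the Python table, so
    this order keeps the table from listing a grant that the Rust side
    rejected by raising.

    Args:
        agent_id: Agent that receives the grant.
        capability: Capability label to grant.
        pattern: Pattern stored with the grant; defaults to ``"*"``.
    """
    # Build the record first so neither store is touched if this fails.
    record = CapabilityGrant(capability=capability, pattern=pattern)

    # Enforcement side first; an exception here leaves the table unchanged.
    self._rust_impl.grant(agent_id, capability, pattern)

    if agent_id not in self._policies:
        self._policies[agent_id] = AgentPolicy(agent_id=agent_id)
    self._policies[agent_id].grants.append(record)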
deny
deny(agent_id: str, capability: str) -> None

Explicitly deny a capability to an agent.

Source code in src/openjarvis/security/capabilities.py
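def deny(self, agent_id: str, capability: str) -> None:
    """Explicitly deny a capability to an agent.

    The deny is registered with the Rust policy object before it is
    recorded in the Python-side table. ``check`` consults only the Rust
    object, while ``save`` writes the Python table, so this order keeps
    the table (and any file saved from it) from showing a deny that the
    Rust side never accepted.

    Args:
        agent_id: Agent the deny applies to.
        capability: Capability label to deny.
    """
    # Enforcement side first; an exception here leaves the table unchanged.
    self._rust_impl.deny(agent_id, capability)

    if agent_id not in self._policies:
        self._policies[agent_id] = AgentPolicy(agent_id=agent_id)
    self._policies[agent_id].deny.append(capability)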
check
check(agent_id: str, capability: str, resource: str = '') -> bool

Check whether agent_id has capability for resource.

Returns True if allowed, False if denied.

Source code in src/openjarvis/security/capabilities.py
def check(self, agent_id: str, capability: str, resource: str = "") -> bool:
    """Decide whether *agent_id* may use *capability* on *resource*.

    The decision is delegated to the Rust policy object; the Python-side
    ``_policies`` table is not consulted here.

    Returns:
        The Rust implementation's result, passed through unchanged:
        True if allowed, False if denied.
    """
    verdict = self._rust_impl.check(agent_id, capability, resource)
    return verdict
list_grants
list_grants(agent_id: str) -> List[CapabilityGrant]

List all grants for an agent.

Source code in src/openjarvis/security/capabilities.py
def list_grants(self, agent_id: str) -> List[CapabilityGrant]:
    """Return a copy of the grants recorded for *agent_id*.

    The list comes from the Python-side ``_policies`` table. An agent
    without an entry yields an empty list.
    """
    entry = self._policies.get(agent_id)
    if not entry:
        return []
    # Copy so callers cannot mutate the stored grant list.
    return list(entry.grants)
list_agents
list_agents() -> List[str]

List all agents with explicit policies.

Source code in src/openjarvis/security/capabilities.py
def list_agents(self) -> List[str]:
    """Return the ids of all agents that have an explicit policy entry."""
    agent_ids = [agent_id for agent_id in self._policies]
    return agent_ids
save
save(path: Path) -> None

Save policy to a JSON file.

Source code in src/openjarvis/security/capabilities.py
def save(self, path: Path) -> None:
    """Write the per-agent policies to *path* as indented JSON.

    The document has one top-level key, ``"agents"``, holding an object
    per agent with its id, its grants and its denied capabilities. The
    data comes from the Python-side ``_policies`` table; the
    ``default_deny`` setting is not part of the output.
    """
    serialized = [
        {
            "agent_id": agent_id,
            "grants": [
                {"capability": grant.capability, "pattern": grant.pattern}
                for grant in entry.grants
            ],
            "deny": entry.deny,
        }
        for agent_id, entry in self._policies.items()
    ]
    document = json.dumps({"agents": serialized}, indent=2)
    path.write_text(document)