Skip to main content
Run any Skill in Manus
with one click

macaroon-capability-credentials

Stars1
Forks0
UpdatedJuly 6, 2026 at 10:23

Implement macaroons (Birgisson et al. 2014) as unforgeable, attenuate-only bearer capability credentials, with cross-language byte-parity. Use for capability tokens, bearer-credential attenuation, third-party caveats + discharge gates, delegation chains, "rent-paid"/compulsion caveats, or keeping a Rust and a TypeScript macaroon impl byte-identical via shared test vectors. Covers HMAC-chained first-party caveats, the two vid (verification-id) constructions (HMAC commitment vs AES-GCM sealing) and when to use each, per-hop verification soundness, request-binding, constant-time + fail-closed verification, and the structured caveat grammar. Pairs with agentic-zero-trust-security and rust-kernel-ffi. NOT for: OAuth/OIDC/JWT web-session auth, centralized token servers, or confining a malicious same-UID process (that needs OS/VM isolation — macaroons make the gate unforgeable, not the holder confined).

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

SKILL.md
readonly