Capability Catalog

Appendix: Capability Catalog

Generated from CAPABILITY_CATALOG in core/crates/astrid-core/src/capability_grammar.rs, the single source of truth shared by the kernel drift tests and the gateway /api/sys/capabilities route. Do not hand-edit. Regenerate with astrid-book/tools/gen-appendices.sh.

Scope self means the capability acts only on the caller’s own principal. global means it can target any principal or system-wide state. Danger tiers, lowest to highest: Safe, Normal, Elevated, Extreme. Order matches the catalog, which is part of the stable wire contract.

CapabilityScopeDangerDescription
system:shutdownglobalExtremeGracefully stop the Astrid daemon. The CLI and dashboard disconnect; pending work is allowed to finish under the configured shutdown grace period.
system:statusglobalSafeView daemon PID, uptime, connected-client count, and loaded-capsule list.
capsule:installglobalExtremeInstall a new capsule into the system-wide capsule directory. Affects every principal on the host.
self:capsule:installselfElevatedInstall a capsule into the caller’s own workspace. Future kernel work; see also: capsule:install.
capsule:reloadglobalNormalTrigger a re-discovery of installed capsules system-wide. Causes a brief pause as capsules unload and reload.
self:capsule:reloadselfNormalSelf-scoped variant of capsule:reload.
capsule:listglobalSafeEnumerate every capsule installed on the host, including manifest metadata.
self:capsule:listselfSafeSelf-scoped variant of capsule:list. Always granted to the agent built-in.
agent:createglobalNormalProvision a new agent principal. Doesn’t grant any caps by itself, combine with caps:grant or move the new agent into a group.
agent:deleteglobalElevatedRemove an agent principal. Cannot delete the bootstrap default principal. The principal’s home directory is NOT scrubbed (ops concern).
agent:enableglobalNormalRe-enable a previously disabled agent. New invocations resume.
agent:disableglobalElevatedSuspend an agent without deleting it. In-flight invocations finish under the old value; new ones are refused.
agent:modifyglobalElevatedAdd or remove group memberships on an agent. Changes which capabilities the agent inherits.
agent:listglobalSafeEnumerate every agent principal on this host with their groups, grants, and revokes.
self:agent:listselfSafeRead this principal’s own AgentSummary. Always granted to the agent built-in so members can introspect their own permissions.
quota:setglobalNormalSet resource ceilings (RAM, CPU time, IPC throughput) on any agent.
self:quota:setselfNormalSelf-scoped quota:set, typically only used to relax quotas the operator already permits.
quota:getglobalSafeView the resource ceilings configured on any agent.
self:quota:getselfSafeRead the caller’s own resource ceilings. Always granted to the agent built-in.
group:createglobalElevatedDefine a new custom capability group. Members inherit the group’s capabilities.
group:deleteglobalElevatedRemove a custom capability group. Built-in groups (admin, agent, restricted) cannot be deleted.
group:modifyglobalElevatedEdit the capabilities, description, or unsafe_admin flag on a custom group. Changes propagate to every member on the next authz check.
group:listglobalSafeEnumerate every group (built-in + custom) with its capability set.
self:group:listselfSafeSelf-scoped group:list, for resolving the caller’s own inherited capabilities. Always granted to the agent built-in.
caps:grantglobalExtremeAppend capability patterns to a principal’s grants. With unsafe_admin, can mint wildcard (*) grants. Effectively a meta-permission, anyone with this can elevate themselves.
caps:revokeglobalElevatedAppend capability patterns to a principal’s revokes (highest-precedence deny). Cannot revoke from the bootstrap default principal.
invite:issueglobalElevatedMint invite tokens that let new principals self-enroll into a designated group. The token IS the auth, anyone holding it can redeem.
invite:redeemglobalNormalCapability name preserved for completeness, the kernel bypasses the cap check on redemption because the token itself is the auth. Granting this to anyone is a no-op.
invite:listglobalSafeEnumerate outstanding invite tokens by fingerprint (never the raw token).
invite:revokeglobalNormalInvalidate an outstanding invite token before it’s redeemed.
audit:read_allglobalElevatedSubscribe to every audit entry across every principal via /api/events. Without this cap, the SSE stream is filtered to the caller’s own entries only.
self:approval:respondselfSafeRespond to capability-approval prompts addressed to this principal. Always granted to the agent built-in (an agent can only approve its own requests, never another’s).
self:auth:pairselfNormalMint a short-lived pair-device token that lets a new device add its ed25519 public key to this principal’s AuthConfig.public_keys. The kernel always binds the token to the caller’s own principal regardless of wire-level hints.
auth:pair:redeemglobalNormalCapability name preserved for completeness, the kernel bypasses the cap check on pair-device redemption because the token itself is the auth. Granting this to anyone is a no-op.

34 capabilities.

Runtime exemption capabilities

These are not management-API capabilities. They are operator-granted profile capabilities that lift a runtime ceiling (the per-invocation CPU epoch interrupt or the bind/uplink restriction). A capsule cannot self-grant them through its manifest.

ConstantCapability string
CAP_RESOURCES_UNBOUNDEDsystem:resources:unbounded
CAP_NET_BINDnet_bind
CAP_UPLINKuplink