feat: implement access, blob/replicate, and pdp/* capabilities

.github/workflows/codegen.yml

@@ -0,0 +1,29 @@
+name: Codegen
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event_name == 'push' && github.sha || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  codegen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      # Compile the generators under the `codegen` build tag. The reusable
+      # go-check/go-test workflows build without this tag, so a generator that
+      # no longer compiles would otherwise slip through CI.
+      - run: make codegen-build
+      # Run `go generate` and fail if the committed generated files are stale.
+      - run: make gen-check

.gitignore

@@ -0,0 +1 @@
+.idea

Makefile

@@ -1,4 +1,26 @@
-.PHONY: gen
+.PHONY: gen build test codegen-build gen-check ci
 
 gen:
 	go generate ./...
+
+build:
+	go build ./...
+
+test:
+	go test ./...
+
+# Compile the code generators under the `codegen` build tag they actually run
+# with. A normal `go build ./...` never sets this tag, so a generator that no
+# longer compiles (e.g. it references a renamed or removed type) would otherwise
+# go unnoticed until someone runs `go generate`.
+codegen-build:
+	go build -tags codegen $(shell go list ./... | grep '/gen$$')
+
+# Regenerate everything and fail if the committed output changed, catching both
+# generators that no longer compile and generated files that are out of date.
+gen-check: gen
+	@git diff --exit-code -- '*_gen.go' '*_gen.*.go' || \
+		{ echo "generated files are out of date; run 'make gen' and commit the result" >&2; exit 1; }
+
+# Aggregate target suitable for CI.
+ci: build codegen-build gen-check test

commands/access/gen/main.go

@@ -30,6 +30,7 @@ func main() {
 		access.ClaimOK{},
 		access.ConfirmArguments{},
 		access.DelegateArguments{},
+		access.GrantArguments{},
 	}
 	const (
 		cborFile = "../cbor_gen.go"

commands/access/grant.go

@@ -0,0 +1,36 @@
+//go:build !codegen
+
+package access
+
+import (
+	"github.com/fil-forge/ucantone/errors"
+
+	"github.com/fil-forge/libforge/commands"
+)
+
+const GrantCommand = "/access/grant"
+
+// GrantOK mirrors ClaimOK / ConfirmOK: a successful grant resolves into a
+// bundle of delegation CIDs. The actual delegation envelopes ride in the
+// receipt response container as metadata.
+type GrantOK = ClaimOK
+
+// Grant can be invoked by an agent to request that a set of capabilities be
+// granted directly. Unlike Request -> Confirm, Grant is one-shot: the
+// executor decides immediately whether to issue the delegation.
+var Grant = commands.MustParse[*GrantArguments](GrantCommand)
+
+const (
+	UnknownAbilityErrorName    = "UnknownAbility"
+	MissingCapabilityErrorName = "MissingCapability"
+	UnknownCauseErrorName      = "UnknownCause"
+	MissingCauseErrorName      = "MissingCause"
+	InvalidCauseErrorName      = "InvalidCause"
+	UnauthorizedCauseErrorName = "UnauthorizedCause"
+)
+
+var (
+	ErrMissingCapability = errors.New(MissingCapabilityErrorName, "grant requires one or more capabilities")
+	ErrMissingCause      = errors.New(MissingCauseErrorName, "grant requires a supporting contextual invocation")
+	ErrUnknownCause      = errors.New(UnknownCauseErrorName, "unknown cause invocation")
+)