Releases: enkronos/captoken

v0.1.0-alpha.1

14 Mar 16:36
12a5b3e

CapToken v0.1.0-alpha.1

First public alpha release of CapToken — a lightweight capability token layer for governed agent and tool authorization.

Tagline: Capability tokens for governed agent and tool authorization.

Why CapToken

Modern agent systems increasingly rely on modular capabilities, tool access, delegated execution, and bounded operational contexts.

But authorization in these systems is often too implicit.

An agent may appear to be allowed to do something simply because:

  • it has access to a runtime
  • it has access to a tool
  • it received a task
  • it inherited context from a supervisor

CapToken exists to make those authorization boundaries more explicit, portable, and inspectable.

What’s included in this alpha

Core token model

  • captoken.yaml parsing
  • portable token structure for agent and tool authorization
  • support for:
    • subject
    • issuer
    • capabilities
    • scope
    • constraints
    • limits
    • delegation
    • expiry

Validation

  • structural validation of capability tokens
  • heuristic validation for weak or missing authorization signals
  • runtime schema validation with Ajv
  • detection of issues such as:
    • invalid enums
    • invalid types
    • unknown/additional properties
    • structural mismatches against schema

CLI

Initial CLI commands for working with tokens:

  • validate
  • inspect
  • explain
  • mint-dev
  • format

Output and versioning

  • machine-readable JSON output support
  • initial output schema support
  • foundational versioning support for future evolution

Schemas and examples

  • capability token schema
  • CLI output schema
  • example tokens for:
    • web research
    • extraction
    • repo triage
    • invalid admin token case

Documentation and OSS readiness

  • README and technical docs
  • CHANGELOG
  • CONTRIBUTING
  • CODE_OF_CONDUCT
  • SECURITY
  • GitHub Actions CI
  • npm package hardening
  • verified package contents via npm pack --dry-run

Current positioning

CapToken is not a full IAM platform.

It is a focused specification and validation layer for bounded authorization in modular agent systems.

Its role is to help make explicit:

  • what an agent or tool is allowed to do
  • under what scope
  • with which limits
  • with what delegation rights
  • for how long

What is not included yet

This alpha does not yet aim to provide:

  • cryptographic signing infrastructure
  • distributed revocation
  • full trust or identity federation
  • enterprise policy engines
  • runtime authorization services
  • dashboard-based administration

Those areas may be explored in future iterations, but this release intentionally keeps the scope narrow and practical.

Notes

  • This is an alpha release.
  • Token semantics, JSON output details, and versioning policy may evolve.
  • The current focus is a strong portable foundation for capability authorization in agentic systems.

Feedback

Feedback, issues, and suggestions are welcome through GitHub as the project evolves.