BASIS/Capabilities

Capability Taxonomy

100+ capabilities across 7 namespaces

Overview

Capabilities are permissions that control what actions an entity can perform. They are organized hierarchically in namespaces and gated by trust tier.

Capability Syntax

namespace:category/action[/scope]

namespace — Top-level domain (e.g., data, comm, execute)

category — Functional grouping within namespace

action — Specific operation

scope — Optional: restricts to specific resources

Examples:

  • data:read/public
  • comm:external/email
  • financial:transaction/medium
  • admin:policy/modify

Seven Namespaces

sandbox:

Min: Sandbox

Isolated testing capabilities

sandbox:test/execute
sandbox:mock/api

data:

Min: Provisional

Data access and manipulation

data:read/public
data:write/internal
data:delete/owned

comm:

Min: Standard

Communication channels

comm:internal/message
comm:external/email
comm:external/api

execute:

Min: Standard

Code and workflow execution

execute:workflow/approved
execute:code/sandboxed

financial:

Min: Certified

Financial operations

financial:transaction/low
financial:transaction/high

admin:

Min: Autonomous

Administrative functions

admin:entity/create
admin:policy/modify

custom:

Min: Configurable

Organization-defined capabilities

custom:org/workflow
custom:dept/approve

Tier-to-Capability Matrix

Capability | Sand | Prov | Std | Trust | Cert | Auto
sandbox:test/*
data:read/public
data:read/internal
data:write/internal
data:read/sensitive
comm:internal/*
comm:external/read
comm:external/write
execute:workflow/*
financial:transaction/low
financial:transaction/medium
financial:transaction/high
admin:entity/*
admin:policy/*

Capability Checking Algorithm

from dataclasses import dataclass
from typing import Optional


@dataclass
class CapabilityResult:
    granted: bool
    reason: str
    required_tier: Optional[str] = None   # populated only when the tier check fails
    current_tier: Optional[str] = None


def check_capability(
    entity_id: str,
    capability: str,
    context: dict
) -> CapabilityResult:
    # 1. Get entity's current trust tier
    entity = get_entity(entity_id)
    tier = get_trust_tier(entity.trust_score)

    # 2. Parse capability (scope is None when the optional segment is absent)
    namespace, category, action, scope = parse_capability(capability)

    # 3. Check if tier unlocks this capability
    min_tier = get_minimum_tier(capability)
    if tier_order(tier) < tier_order(min_tier):
        return CapabilityResult(
            granted=False,
            reason="tier_insufficient",
            required_tier=min_tier,
            current_tier=tier
        )

    # 4. Check entity-specific grants/revocations (revocation is tested first, so it wins)
    if is_explicitly_revoked(entity_id, capability):
        return CapabilityResult(granted=False, reason="explicitly_revoked")

    if is_explicitly_granted(entity_id, capability):
        return CapabilityResult(granted=True, reason="explicitly_granted")

    # 5. Check inheritance (wildcard matching, e.g. a grant of comm:internal/*)
    if matches_granted_wildcard(entity_id, capability):
        return CapabilityResult(granted=True, reason="wildcard_match")

    # 6. Default: granted if tier sufficient
    return CapabilityResult(granted=True, reason="tier_sufficient")
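A self-contained version of the checker above, added here as an illustration rather than BASIS code: it parses the namespace:category/action[/scope] syntax, matches wildcard grants, and applies steps 1 to 6 in order. It assumes the per-namespace minimum tiers from the Seven Namespaces section (Standard for custom:, which the page leaves configurable), reads the matrix header's "Trust" column as a Trusted tier, and, going slightly beyond step 4, lets a revocation pattern deny a capability that a wildcard grant would otherwise cover.

```python
from dataclasses import dataclass, field
# Trust tiers, lowest to highest, from the matrix header (assumption: "Trust" = Trusted).
TIERS = ["Sandbox", "Provisional", "Standard", "Trusted", "Certified", "Autonomous"]
# Minimum tier per namespace from the Seven Namespaces section; the page leaves
# custom: "Configurable", so Standard for it is an assumption of this example.
NAMESPACE_MIN_TIER = {"sandbox": "Sandbox", "data": "Provisional", "comm": "Standard",
                      "execute": "Standard", "financial": "Certified",
                      "admin": "Autonomous", "custom": "Standard"}

def parse_capability(cap):
    """Split namespace:category/action[/scope]; scope is None when absent."""
    namespace, sep, rest = cap.partition(":")
    parts = rest.split("/")
    if not sep or not namespace or len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed capability: {cap!r}")
    return namespace, parts[0], parts[1], (parts[2] if len(parts) == 3 else None)

def matches_wildcard(pattern, cap):
    """'*' matches one segment, and a trailing '*' matches everything after it,
    so 'comm:internal/*' covers 'comm:internal/message'."""
    p = pattern.replace(":", "/").split("/")
    c = cap.replace(":", "/").split("/")
    for i, seg in enumerate(p):
        if seg == "*" and i == len(p) - 1:
            return True
        if i >= len(c) or (seg != "*" and seg != c[i]):
            return False
    return len(p) == len(c)   # an exact pattern must not match a longer, scoped capability

@dataclass
class Entity:
    tier: str
    granted: set = field(default_factory=set)   # exact capabilities or '*' patterns
    revoked: set = field(default_factory=set)

def check_capability(entity, capability):
    """Return (granted, reason) following steps 1-6 of the page's algorithm."""
    namespace = parse_capability(capability)[0]             # step 2 also rejects bad syntax
    min_tier = NAMESPACE_MIN_TIER[namespace]                # step 3: the tier gate comes first
    if TIERS.index(entity.tier) < TIERS.index(min_tier):
        return False, f"tier_insufficient(required={min_tier})"
    # step 4: a revocation (exact or pattern) wins over any grant
    if any(matches_wildcard(r, capability) for r in entity.revoked):
        return False, "explicitly_revoked"
    if capability in entity.granted:
        return True, "explicitly_granted"
    if any(matches_wildcard(g, capability) for g in entity.granted):   # step 5
        return True, "wildcard_match"
    return True, "tier_sufficient"                          # step 6: default for an eligible tier
```

Because the tier gate runs before grants are consulted, an explicit grant can never lift an entity above its tier; the ordering is what keeps a mis-configured grant from becoming a privilege escalation.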

For the complete capability taxonomy with all 100+ capabilities, see the full specification on GitHub.
