liam-fitzgerald · October 18, 2020 23:14
diff --git a/lone-gall.hoon b/lone-gall.hoon
 ::  %lone: gall agent isolation subsystem
 ::  
 ::    Unincluded in this sketch, but potentially necessary:
 ::    - Optional permissions
 ::    - Scrying an agents permissions out of gall
 ::    - Dynamic permissions
 ::    Open questions:
 ::    - Is allowing pokes based on mark specific enough? Maybe not,
 ::      given %graph-store. Maybe poke-marks should be
 ::      $@(mark [=mark $-(vase ?)])
 ::    - How to handle upgrade logic?
 ::    - How do we allow agents to describe their own permissions?
 ::      e.g. in a hypothetical permissions popup, scries of chat-store 
 ::      should be described as 'This agent can read your chat messages',
 ::      and %chat-action pokes should be described as 'This agent can send
 ::      chat messages on your behalf'. This kinda belies a more general point
 ::      about the ability of agents to document themselves. 
 ::
 |%
 ::  scry paths and watch paths are prefixes, e.g. allowing 
 ::  /mailbox would allow to scry/watch anything that begins
 ::  with /mailbox
 +$  agent-permission  
  $:  scries=(set path)
      watches=(set path)
      poke-marks=(set term)
      foreign-watches=(set path)]
      foregin-poke-marks=(set term)
  ==
 ::
 +$  agent-permissions  (jug agent=term agent-permission)
 ::
 +$  arvo-permission
  $:  scry-paths=(set path)
      cards=(set _+<:note-arvo)
  ==
 ::
 +$  arvo-permissions  (jug vane=term arvo-permission)
 ::
 +$  permissions  [arvo=arvo-permissions agent=agent-permissions]
 ::
 ::  new arm for agent:gall, %gall should reject starting if permissions are not granted
 ::
 +$  on-required-permissions  permissions
 --
	:: %lone: gall agent isolation subsystem
	::
	:: Unincluded in this sketch, but potentially necessary:
	:: - Optional permissions
	:: - Scrying an agents permissions out of gall
	:: - Dynamic permissions
	:: Open questions:
	:: - Is allowing pokes based on mark specific enough? Maybe not,
	:: given %graph-store. Maybe poke-marks should be
	:: $@(mark [=mark $-(vase ?)])
	:: - How to handle upgrade logic?
	:: - How do we allow agents to describe their own permissions?
	:: e.g. in a hypothetical permissions popup, scries of chat-store
	:: should be described as 'This agent can read your chat messages',
	:: and %chat-action pokes should be described as 'This agent can send
	:: chat messages on your behalf'. This kinda belies a more general point
	:: about the ability of agents to document themselves.
	::
	\|%
	:: scry paths and watch paths are prefixes, e.g. allowing
	:: /mailbox would allow to scry/watch anything that begins
	:: with /mailbox
	+$ agent-permission
	$: scries=(set path)
	watches=(set path)
	poke-marks=(set term)
	foreign-watches=(set path)]
	foregin-poke-marks=(set term)
	==
	::
	+$ agent-permissions (jug agent=term agent-permission)
	::
	+$ arvo-permission
	$: scry-paths=(set path)
	cards=(set _+<:note-arvo)
	==
	::
	+$ arvo-permissions (jug vane=term arvo-permission)
	::
	+$ permissions [arvo=arvo-permissions agent=agent-permissions]
	::
	:: new arm for agent:gall, %gall should reject starting if permissions are not granted
	::
	+$ on-required-permissions permissions
	--