# Capabilities overview

This section documents every capability TrustPlane Auth ships today, one page each, in the same shape: Concept → Implementation → Example. Nothing here is aspirational — each maps to real code, a real CLI command, or a real make target.
## The capability map

What each capability is, in one line:
| # | Capability | One-liner |
|---|---|---|
| 1 | Passport issue/verify | Mint and locally verify a short-lived proof-bound artifact |
| 2 | Request binding | Bind a passport to this exact request with transcript-v1 |
| 3 | Replay protection | Consume each jti once, atomically (memory or Redis) |
| 4 | Bundle policy & freshness | Per-route rules + fail-closed staleness from a local bundle |
| 5 | Signed bundle lifecycle | Sign, verify, refresh, and remove trust/policy material safely |
| 6 | Trust anchors & allowed_sources | Authorize many issuers/clients per route; add clients with no redeploy |
| 7 | Brownfield adapter | Reverse-proxy verifier in front of an unmodified API |
| 8 | Broker & attested_workload | Local issuer; optional SPIFFE/SPIRE-attested identity |
| 9 | Audit events | Stable JSON record of every allow/deny decision |
## Capability → example mapping (quick view)

Every capability has a runnable proof. The full table with reason codes lives in the Capability → example map; here is the short version:
| Capability | Try it with |
|---|---|
| Passport issue/verify | trustplane issue + trustplane verify; make demo |
| Request binding | make demo-provider-gateway; trustplane sign --curl |
| Replay protection | make demo-provider-gateway (duplicate → jti_replay) |
| Bundle policy & freshness | trustplane bundle build; make demo-provider-gateway |
| Signed bundle lifecycle | trustplane bundle sign; trustplane bundle verify; trustplane bundle remove-source |
| Trust anchors & merge | trustplane bundle merge-source; multi-anchor fixture |
| Brownfield adapter | make demo-adapter (valid / 401 / 403) |
| Broker & attested_workload | trustplane broker issue; trustplane up; SPIRE M2M smoke |
| Audit events | emitted by broker/verifier/adapter decisions |
## A note on scope

These capabilities are the v0.1 boundary — a local product-readiness contract, gated by make v01-acceptance. Deployment of the adapter is covered separately under Deployment overview, and uses these same capabilities unchanged. See the v0.1 boundary for exactly what is in and out of scope.