A dregg capability is a database view. Present a token below and watch the
cell rows narrow — the same Row-Level-Security gate the node enforces, made
legible. A token confined to a resource prefix sees a strict subset; the
no-amplification property, observed, not asserted. This is the browser twin of the
pg-dregg cap-gated query cookbook (sql/cookbook.sql) — one
glass in SQL, one here.
A dregg token's authority is its caveats: an action it admits, a
resource prefix it is confined to, and an optional expiry. Build one here
(the shape cargo run --example mint -- --action read --prefix 5e produces),
or pick a preset.
| cell id | balance | lifecycle | verdict | reason (dregg_cap_explain) |
|---|
The same WITH RECURSIVE walk as cookbook recipe 1, over dregg.cap_edges.
Each edge is a delegation; the chain shows how an authority reaches a cell. The
red edge is a deliberate amplification
(bob grants admin, which bob never held) — recipe 2's audit catches it.
| depth | grantor | delegate | granted effects | chain |
|---|
The two glasses agree. This page renders the same seeded data the SQL
cookbook runs against. Recipe 6a (admitted rows) here is
BEGIN; SET LOCAL ROLE dregg_reader; SELECT set_config('dregg.token', …); SELECT … FROM dregg.cells;
in psql; recipe 6b (the reason) is dregg_cap_explain(token, 'read', cell, now).
See pg-dregg/docs/COOKBOOK.md and pg-dregg/sql/cookbook.sql.
The gate is never bypassed: a filtered row is redacted, exactly as RLS makes it vanish from a
SELECT. The capability discipline — provable attenuation, instant revocation,
explainable denial — is the dregg decision, carried to the row.