macula_ucan_revocation (macula v0.20.5)
View SourceUCAN Revocation Module.
Manages revocation of UCAN tokens via mesh PubSub gossip. Revocations are stored in an ETS cache and checked during authorization.
Revocation Flow
1. Issuer calls revoke/2` with their DID and the UCAN CID 2. Module broadcasts revocation to `io.macula.system.ucan_revoked` topic 3. All mesh nodes receive via PubSub subscription 4. Each node validates signature (issuer must be UCAN creator) 5. Valid revocations stored in local ETS cache with TTL 6. Authorization checks consult cache via `is_revoked/2` == System Topic == All revocations are published to: `io.macula.system.ucan_revoked
Rate Limiting
Maximum 10 revocations per issuer per minute to prevent abuse.
Cache Auto-Expiry
Revocation entries expire based on original UCAN expiry time. A cleanup process runs periodically to purge expired entries.
Summary
Functions
Clear all revocation cache entries (uses default server).
Clear all revocation cache entries via specific server.
Get revocation statistics (uses default server).
Get revocation statistics via specific server.
Handle incoming revocation message from PubSub.
Handle incoming revocation message via specific server.
Check if a UCAN is revoked (uses default server).
Check if a UCAN is revoked via specific server.
Revoke a UCAN token (uses default server).
Revoke a UCAN token via specific server.
Start the revocation server with default name.
Start the revocation server with options.
Stop the revocation server (default name).
Stop a specific revocation server.
Types
Functions
-spec clear_cache() -> ok.
Clear all revocation cache entries (uses default server).
Clear all revocation cache entries via specific server.
Get revocation statistics (uses default server).
Get revocation statistics via specific server.
-spec handle_revocation_message(Msg :: revocation_msg()) -> ok | {error, term()}.
Handle incoming revocation message from PubSub.
-spec handle_revocation_message(ServerRef :: atom() | pid(), Msg :: revocation_msg()) -> ok | {error, term()}.
Handle incoming revocation message via specific server.
Check if a UCAN is revoked (uses default server).
-spec is_revoked(ServerRef :: atom() | pid(), IssuerDID :: did(), UcanCID :: ucan_cid()) -> boolean().
Check if a UCAN is revoked via specific server.
-spec revoke(IssuerDID :: did(), UcanToken :: ucan_token(), ExpiresAt :: timestamp()) -> {ok, ucan_cid()} | {error, term()}.
Revoke a UCAN token (uses default server).
The issuer must sign the revocation message. The revocation is broadcast to all mesh nodes via PubSub.
UcanToken is the full UCAN JWT token being revoked. ExpiresAt is the original expiry time of the UCAN. PrivateKey is used to sign the revocation (Ed25519).
-spec revoke(ServerRef :: atom() | pid(), IssuerDID :: did(), UcanToken :: ucan_token(), ExpiresAt :: timestamp()) -> {ok, ucan_cid()} | {error, term()}.
Revoke a UCAN token via specific server.
Start the revocation server with default name.
Start the revocation server with options.
-spec stop() -> ok.
Stop the revocation server (default name).
Stop a specific revocation server.