{"slug":"oip-security-model","title":"OIP Security Model","body":"## Introduction to OIP Security Model\nThe OIP security model is a capability-based security framework that ensures secure access to objects and resources. It utilizes capability tokens, which are issued to tenants with specific scopes, such as row, rows, pfx, act, and read. The Model Context Protocol (MCP) is a related standard that connects models to servers, but OIP's security model has its own distinct properties, including time-to-live (TTL), uses, revocation, and risk ceilings.\n## Capability Tokens and Scopes\nCapability tokens are issued to tenants with specific scopes, which define the level of access granted. The scopes include row, rows, pfx, act, and read. For example, a tenant with a scope of \"row\" can only access a specific row in a database, while a tenant with a scope of \"rows\" can access multiple rows. The OIP security model ensures that capability tokens are validated and verified before granting access to resources. The route to issue a capability token is `POST /api/dispatch` with a JSON body containing the tenant's information and the desired scope.\n## Time-to-Live (TTL) and Uses\nCapability tokens have a time-to-live (TTL) and a limited number of uses. The TTL defines the duration for which the token is valid, and the number of uses defines how many times the token can be used before it expires. Once the token's TTL or uses are exhausted, it is automatically revoked. The receipt that proves the issuance of a capability token contains the token's TTL and number of uses.\n## Revocation and Risk Ceilings\nCapability tokens can be revoked at any time, and the OIP security model ensures that revoked tokens are no longer valid. The model also includes risk ceilings, which define the maximum level of risk that can be taken by a tenant. If a tenant's risk exceeds the defined ceiling, their capability token is automatically revoked. The route to revoke a capability token is `POST /api/dispatch` with a JSON body containing the token's ID.\n## Tenancy and Fail-Closed Errors\nThe OIP security model includes a tenancy system, which ensures that each tenant's resources and data are isolated from other tenants. The model also includes fail-closed errors, which ensure that if an error occurs, the system defaults to a secure state, denying access to resources rather than granting it. The receipt that proves the issuance of a capability token contains the tenant's information and the token's scope.\n## Example and Receipt Rule\nFor example, a tenant can request a capability token with a scope of \"row\" and a TTL of 1 hour using the route `POST /api/dispatch` with a JSON body containing the tenant's information and the desired scope. The receipt that proves the issuance of the capability token will contain the token's ID, TTL, and number of uses. The receipt rule is that the receipt must be returned at `/api/dispatch?receipt=inv_ID`, where inv_ID is the ID of the invocation.\n## Conformance Rule\nThe conformance rule for the OIP security model is that all capability tokens must be issued and validated according to the defined scopes, TTL, and uses. The model must also ensure that revoked tokens are no longer valid and that risk ceilings are enforced. The conformance rule can be tested using the `curl` command against the `https://miscsubjects.com/api/dispatch` route.","register":"oip_protocol","tags":["oip","object-invocation-protocol","protocol-specification","machine-native-json","dynamic"],"style":{"accent":"#16324f","measure":860},"claims":[{"id":"oip-c1","tier":"system","text":"The OIP article layer is generated from live directory rows, so it documents the objects that actually run the reference implementation.","who_claims":"system/oip_articles","source_ids":["oip-s3","oip-s4"]},{"id":"oip-c2","tier":"system","text":"The OIP operating path is caller to directory object to dispatch runner to invocation ledger to receipt.","who_claims":"system/oip_articles","source_ids":["oip-s1"]},{"id":"oip-c3","tier":"system","text":"Every executable capability in the reference implementation is reachable as an OIP object with a human article, a machine document, invocation history, and receipt path.","who_claims":"system/oip_articles","source_ids":["oip-s2","oip-s3"]},{"id":"oip-c4","tier":"system","text":"Tap & Go is the copy primitive: one drop carries credential, protocol, tree, search, execute, and receipt instructions without a separate token-map-bundle assembly step.","who_claims":"system/oip_articles","source_ids":["oip-s2"]},{"id":"oip-c5","tier":"system","text":"OIP receipts are the proof object for actions: they record request, response, actor, links, replay, repair, and lineage.","who_claims":"system/oip_articles","source_ids":["oip-s2","oip-s5"]}],"sources":[{"id":"oip-s1","type":"protocol","title":"BUILD_SPEC object invocation path","url":"https://miscsubjects.com/api/file/docs/BUILD_SPEC.md","summary":"Defines directory rows, dispatch, ledger, and the escalation path for changing the build.","quote":"Run anything: POST https://miscsubjects.com/api/dispatch {key, body}","claim_ids":["oip-c2"],"link_status":"ok","hash":"oipbuildspec0001"},{"id":"oip-s2","type":"protocol","title":"Object Invocation Protocol spec","url":"https://miscsubjects.com/api/file/docs/OIP.md","summary":"Defines OIP surfaces, invariant loop, receipt/replay/repair, and invocation envelopes.","quote":"identify, explain, invoke, ledger, yield","claim_ids":["oip-c3","oip-c4","oip-c5"],"link_status":"ok","hash":"oipspec00000002"},{"id":"oip-s3","type":"protocol","title":"Live OIP capability tree","url":"https://miscsubjects.com/api/dispatch?map=1&format=markdown","summary":"Public recursive capability tree.","quote":"root > shelf > system article > capability article > receipt","claim_ids":["oip-c1","oip-c3"],"link_status":"ok","hash":"oipmap0000000002"},{"id":"oip-s4","type":"protocol","title":"Directory row documentation","url":"https://miscsubjects.com/api/dispatch?key=OIP_TREE&format=markdown","summary":"Capability articles are generated from live rows.","quote":"Machine Contract","claim_ids":["oip-c1"],"link_status":"ok","hash":"oiprow0000000003"},{"id":"oip-s5","type":"protocol","title":"Invocation ledger","url":"https://miscsubjects.com/api/invocations","summary":"Append-only invocation records and receipt links.","quote":"invocations","claim_ids":["oip-c5"],"link_status":"ok","hash":"oipinvocations0005"}],"prov":{"model":"system/oip_articles","action":"generate"}}