Skip to main content

ADR-011: Capability-Based Security

Status

Accepted

Context

Need fine-grained permissions for plugins without complexity.

Decision

Implement capability-based security model for plugins.

Consequences

Positive

Principle of least privilege
User-friendly permissions
Runtime enforcement

Negative

Requires careful API design

Alternatives Considered

All-or-nothing: Too coarse
ACL-based: Too complex
Sandboxing only: Limited functionality

Implementation

Plugins request capabilities in manifest:

vr.overlay.create - Create overlays
network.http - Make HTTP requests
filesystem.read - Read files
system.process - Spawn processes

Capabilities are granted at install time and enforced at runtime through API proxies.

Status
Context
Decision
Consequences
- Positive
- Negative
Alternatives Considered
Implementation