Skip to content
docsv0.1.0

Actor

A verified identity: who is acting ({@see self::$id}, {@see self::$type}), what they are allowed to do ({@see self::$scopes}), and whatever else the verifier proved about them ({@see self::$claims}). It is produced by verifying a {@see Credential} — an `Actor` only ever exists because some credential was checked — and it is the unit the policy layer authorises against. Immutable by construction.

Actor::__construct()

public function __construct(string $id, Milpa\Auth\ActorType $type, array $scopes = [], array $claims = []):

Parameters

Parameters of __construct()
NameTypeDescription
$idstringthe identity's opaque id, unique within its {@see self::$type}
$typeActorTypewhether this is a user, agent, or service
$scopeslist<string>the exact permission strings this identity holds; the only wildcard is the explicit `'*'`, which grants every scope
$claimsarray<string, mixed>everything else the verifier proved (email, name, tenant, …)

Actor::hasScope()

public function hasScope(string $scope): bool

Whether this actor holds `$scope`. Fail-closed: an exact string match, or the presence of the explicit wildcard `'*'` in {@see self::$scopes}. Nothing else grants — no prefix, suffix, or glob magic. The `'*'` is the one documented escape hatch (a superuser, a trusted stdio process), never an implicit one.

Parameters

Parameters of hasScope()
NameTypeDescription
$scopestring

Actor::hasAnyScope()

public function hasAnyScope(array $scopes): bool

Whether this actor holds at least one of `$scopes`. Fail-closed: an empty list is never satisfied, and each entry is checked with the exact-match rules of {@see self::hasScope()}.

Parameters

Parameters of hasAnyScope()
NameTypeDescription
$scopeslist<string>