The default derives function has very basic loose equality checks on caveat fields. Turns out this doesn't allow the service to be invoked for most of the defined capabilities when the issuer has been delegated a capability (i.e. when not using the service key to self sign the invocation). When using a delegated capability the derives function is called to figure out if you have violated any constraints.
Luckily we didn't expose this publicly and we have been using the service key to sign invocations, so this hasn't come up yet.