@suluk/keys - v0.1.0
    Preparing search index...

    Function clampChildGrant

    @suluk/keys — the delegation-chain ALGEBRA for hierarchical API keys (C046, extracted from a real app).

    The app builds a ChainNode[] (a caller + its ancestors) and per-path SpendRow[] from its OWN store — the DB query is the seam (a Drizzle reference adapter is a follow-on, deferred per C046) — then calls these PURE functions for the money/abuse-correctness logic so it can never drift: • effectiveCaps — scope ∩, credit-cap/rate-share/expiry min up the chain (a child can't out-scope/out-spend a parent) • pooledHeadroom — a node's cap bounds its WHOLE subtree's total spend (the abuse-proof property) • expired/disabledAncestor — the read-time revocation/expiry cascade • clampChildGrant — clamp a minted child to the parent's effective grant plus the materialized-path utilities and the scope/metadata model.

    • Clamp a requested CHILD grant to the parent's EFFECTIVE grant — a child can never out-scope or out-spend an ancestor. scopes ⊆ parent's; each cap/expiry = min(requested ?? ∞, parent ?? ∞) (null only when BOTH are unbounded). Pure.

      Parameters

      • parent: EffectiveCaps
      • requested: {
            scopes: string[];
            creditLimit?: number | null;
            rateLimitSharePct?: number | null;
            expiresAt?: number | null;
        }

      Returns EffectiveCaps