dDRM to Capsule Integration
PC2's existing Rust/WASM crates compile to wasm32-wasip1 -- the exact same target the Runtime uses via Wasmtime. Repackaging them as capsules is straightforward.
Existing Code to Capsule Mapping
| Existing Code | Runtime Capsule | Capability |
|---|---|---|
cenc-decrypt/ (AES-128-CTR) | Media DRM Capsule | drm:decrypt-media |
cenc-encrypt/ | Encryption Capsule | drm:encrypt |
ddrm-renderer/ | dDRM Provider | drm:decrypt |
ipfs-assemble/ | Content Assembly | storage:assemble |
mp4-split/ | Media Processor | media:split |
pc2-media-runtime/ | Data Capsule viewer | Viewer for .ddrm.json |
Each existing crate becomes a separate capsule with its own CID, its own version, and an explicit capability scope. The broad implicit access these crates currently have is replaced by precise, auditable capability tokens.
How Data Capsules Enable dDRM
Data capsules are the runtime's native model for protected content. A .ddrm.json descriptor references encrypted content (by CID) and declares which viewer capsule can render it:
- The runtime loads the data capsule descriptor
- The runtime identifies the declared viewer capsule (by CID)
- The runtime loads the viewer capsule
- The runtime grants the viewer a scoped decrypt capability -- only for this specific content, only for the duration of playback
- The viewer decrypts and renders the content
- The capability expires when playback ends
This model enforces that:
- The viewer can only decrypt the content it was granted access to
- The decrypt capability is time-limited and use-limited
- The entire interaction is logged in the audit trail
- The content owner retains control through the capability system
Convergence Path
The dDRM integration follows the PC2 convergence timeline. Today, dDRM works in PC2 v1 with ambient authority. At v2.0, dDRM runs as a provider capsule with scoped capability tokens.
Blockchain Bridge (Planned)
When the blockchain integration is available, on-chain ACCESS_TOKEN ownership will bridge to runtime capability tokens:
- Purchasing an ACCESS_TOKEN on-chain triggers a capsule access grant
- The shell can verify: "You own the ACCESS_TOKEN. Granting 1-hour capability. Logged."
- Payment-aware flows connect on-chain commerce to runtime-enforced access control
The ACCESS_TOKEN to capability token bridge is listed as "What's Next" and is not yet available. The existing dDRM system in PC2 v1 continues to work independently.