capability_ref Indirection Example

[flyingrobots]

Title
capability_ref Indirection Example

Goal
Demonstrate stable capability label in pointer and private policy-side mapping to KMS/keys, avoiding topology leakage.

Acceptance Criteria

• Pointer uses extensions.capability_ref (non-sensitive label).
• Policy maps capability_ref to actual resolver/key material.
• Docs show both authoring and resolution path.

Notes

• Reference: ADR‑0004 Security & Privacy notes; pointer extensions.