interface
    # we only have a single state
    state user-logged-in
        subject must have token "session" and be valid
    process user-change-passphrase
        required as input "new-passphrase"
        subject has (cap write) on attribute "passphrase"
    transition from user-logged-in to user-logged-in via user-change-passphrase
        on error revert changes
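
One way a runtime could enforce the specification above, as an added Python example that is not part of the original page or its specification language. The `Subject` class, the expiry-based reading of a "valid" token and the `store` persistence hook are assumptions made for illustration.

```python
import copy
import time
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when a state or process precondition from the spec fails."""


@dataclass
class Subject:  # hypothetical model of the spec's "subject"
    tokens: dict = field(default_factory=dict)  # token name -> expiry (epoch seconds)
    caps: set = field(default_factory=set)      # {(capability, attribute)}
    attrs: dict = field(default_factory=dict)   # attribute name -> value


def in_user_logged_in(subject, now=None):
    # state user-logged-in: subject must have token "session" and be valid
    # (assumption: "valid" means the token has not expired)
    now = time.time() if now is None else now
    expiry = subject.tokens.get("session")
    return expiry is not None and expiry > now


def user_change_passphrase(subject, inputs, store=None, now=None):
    """Run the process as the transition user-logged-in -> user-logged-in."""
    if not in_user_logged_in(subject, now):
        raise Denied("not in state user-logged-in")
    if not inputs.get("new-passphrase"):
        raise Denied('missing required input "new-passphrase"')
    if ("write", "passphrase") not in subject.caps:
        raise Denied('no (cap write) on attribute "passphrase"')
    snapshot = copy.deepcopy(subject.attrs)  # kept for "on error revert changes"
    try:
        # A real system would store a salted KDF hash, not the raw value.
        subject.attrs["passphrase"] = inputs["new-passphrase"]
        if store is not None:
            store(subject)  # hypothetical persistence hook; may raise
        if not in_user_logged_in(subject, now):  # target state must still hold
            raise Denied("target state user-logged-in not satisfied")
    except Exception:
        subject.attrs = snapshot  # revert changes
        raise
    return "user-logged-in"
```

All three preconditions are checked before any attribute is touched, so a denied request leaves nothing to revert; the snapshot only matters for failures during the write itself.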