The goal here is to make it so applications can take the rights one would normally get by calling caph_limit_stream() on a descriptor and build on them as needed.
My current use-case is inetd, where the control socket's rights will be caph_stream_rights() + ACCEPT/BIND/LISTEN/SETSOCKOPT, and once a client connects we limit those sockets further to caph_stream_rights() + SETSOCKOPT. inetd must at least use a superset of caph_stream_rights in case invoked program leads to caph_limit_stdio(), which is quite common. I *think* this is a feasible approach, at least.