Skip to content

selfradiance/agentgate-delegation-proof

BranchesTags

Repository files navigation

Delegation Identity Proof

A proof-of-concept for bounded human-to-agent delegation with economic accountability. A human delegates scoped authority to an agent, both parties post bonds, and actions are settled through AgentGate.

v0.4.0 keeps the real narrow checkpoint path introduced in v0.2.0 and the local transparency log added in v0.3.0, then adds a local tamper-evident hash chain for transparency-log rows. The local delegation system only recognizes, accounts for, and logs delegated actions that pass through this repo's checkpoint. Direct AgentGate calls outside that checkpoint are outside delegation accounting and outside this local transparency log. AgentGate itself remains semantically unchanged.

Why This Exists

Current agent identity systems answer "who is this agent?" but not "who authorized it, to do what, within what limits, and with what accountability?" Delegation Identity Proof fills that gap. The human has skin in the game too — not just the agent.

What v0.4 Proves

  • Delegated actions are only recognized, accounted for, and bounded when they pass through the local checkpoint in this repo.
  • The checkpoint enforces delegation existence, delegate binding, request freshness, allowed action type, per-action exposure, total exposure, and max-actions limits before forwarding anything to AgentGate.
  • If a checkpoint reservation survives initial admission but the parent delegation later becomes revoked, settling, or expired before pre-attachment forward/execute preparation, the reservation is failed locally instead of continuing forward.
  • The repo keeps an ordered local transparency log for delegation lifecycle events and checkpoint transitions, readable through npx tsx src/cli.ts status --delegation <id> --log.
  • The local transparency log now has a local tamper-evident hash chain. It is local only. It can detect in-place edits, row reordering, and middle-row deletions within the existing log file. It does not detect replacement of the entire DB file with a fresh consistent log. It does not cover direct AgentGate calls outside this repo. There is no repair path: verification reports a broken chain, but does not rebuild or fix it.
  • Direct AgentGate calls outside the checkpoint are outside the delegation system's accounting and are not treated as delegated in-scope actions.
  • AgentGate remains unchanged. The delegation checkpoint is a sidecar layer in this repo, not a change to AgentGate core semantics.

Server-Mediated Scope Enforcement

delegate request
  -> checkpoint in this repo
     -> validate + authenticate
     -> enforce delegated scope + local accounting
     -> reserve locally
     -> forward to AgentGate execute
     -> attach returned agentgate_action_id
     -> later resolve through AgentGate
     -> finalize locally

direct AgentGate call
  -> AgentGate only
  -> outside delegation accounting in this repo

The checkpoint-managed path also produces an outsider-legible local event trail for the delegation and its checkpoint transitions.

How It Relates to AgentGate

AgentGate is the enforcement substrate. This project calls AgentGate's REST API for identity registration, bond management, action execution, and resolution. No changes to AgentGate core were needed — this is a client, not an extension.

AgentGate must be running for this project to work.

Proof Path

  1. POST /v1/delegations/:id/execute Validates and authenticates the delegated request, enforces local delegated scope, creates a local reservation, starts the forward attempt, performs the real AgentGate execute call, attaches the returned agentgate_action_id, and returns either a forwarded result or a narrow pre-attachment failure. Existing reservations also re-check parent delegation eligibility before forward/execute preparation and fail locally with a machine-readable ineligibility reason instead of continuing after revocation, settling, or expiry.
  2. POST /v1/delegations/:id/actions/:reservationId/finalize Accepts only success or failed, requires a forwarded and attached checkpoint reservation, resolves through AgentGate, lands in the local finalize seam, and returns either a finalized result or a narrow resolution failure. When that finalization resolves the last open checkpoint action on a revoked settling delegation, the delegation now completes through the same local auto-complete path used by normal actions.

What You Should See

  • An in-scope delegated action reaches stage: "forwarded" and carries both a local reservationId and an attached agentgateActionId.
  • The explicit finalize step reaches stage: "finalized" with outcome: "success" or outcome: "failed".
  • A disallowed action type is rejected before any AgentGate execute call.
  • An exposure-limit violation is rejected before any AgentGate execute call.
  • A pre-attachment AgentGate execute failure returns a machine-readable failure and lands in the local pre-attachment failure seam.
  • A reservation whose parent delegation has since been revoked, entered settling, or expired is failed locally with a machine-readable ineligibility reason before more checkpoint forward work happens.
  • status --log shows the ordered local transparency log for delegation lifecycle events plus checkpoint transitions recorded in this repo.
  • status --log --verify verifies the local tamper-evident chain for the whole local transparency log, not just the selected delegation's displayed rows, and reports either ok or the first broken row.

Local Transparency Log

Delegation Identity Proof now keeps a local transparency log in repo-local SQLite. It records delegation lifecycle events (delegation_created, delegation_accepted, delegation_revoked, delegation_closed) plus checkpoint transitions for checkpoint-managed execution (delegated_execute_requested, reservation, forward start, attachment, finalization, and pre-attachment failure).

The local transparency log now has a local tamper-evident hash chain. It is local only. It can detect in-place edits, row reordering, and middle-row deletions within the existing log file. It does not detect replacement of the entire DB file with a fresh consistent log. It does not cover direct AgentGate calls outside this repo. There is no repair path: verification reports a broken chain, but does not rebuild or fix it.

Legacy rows written before this hardening pass remain readable and are reported as unchained rather than broken.

status --log --verify verifies the whole local transparency log. The row listing printed by status --delegation <id> --log is still just that delegation's rows.

You can inspect it with:

npx tsx src/cli.ts status --delegation <id> --log
npx tsx src/cli.ts status --delegation <id> --log --verify

What's Implemented

  • 6-state machine: pending → accepted → active → settling → completed (+ failed)
  • Terminal reason separation: exhausted, closed, revoked, expired
  • Two-phase transaction pattern (no SQLite locks across HTTP calls)
  • Zod-validated delegation scope with capacity math
  • Dual bond mechanics (human commitment deposit + agent action bond)
  • CLI with 7 commands: delegate, accept, act, resolve, revoke, close, status
  • status --log appends the local transparency-log section for one delegation
  • status --log --verify verifies the whole local transparency-log chain and reports the first broken row when the chain is no longer consistent
  • Ed25519 signed requests for human, agent, and resolver roles
  • Bond TTL alignment (human bond = delegation TTL + 1hr margin)
  • Auto-complete on scope exhaustion
  • Crash recovery for orphaned action reservations
  • Checkpoint execute endpoint: POST /v1/delegations/:id/execute
  • Checkpoint finalize endpoint: POST /v1/delegations/:id/actions/:reservationId/finalize
  • Real AgentGate execute handoff plus explicit AgentGate resolution bridge for checkpoint-managed actions
  • Narrow local seams for reservation, forward start, attachment, pre-attachment failure, and finalization
  • Parent-delegation re-checks for pre-attachment checkpoint reservations so revoked / settling / expired parents fail locally instead of continuing forward
  • Checkpoint finalization now reuses the existing delegation auto-complete path when the last settling checkpoint action resolves
  • Local transparency log for delegation lifecycle events and checkpoint transitions
  • Local tamper-evident hash chain for transparency-log rows with no repair command

Quick Start

# 1. Start AgentGate
cd ~/Desktop/projects/agentgate && npm run restart

# 2. Run Delegation Proof
cd ~/Desktop/projects/delegation-identity-proof
cp .env.example .env  # add AGENTGATE_REST_KEY
npm install

# Create a delegation
npx tsx src/cli.ts delegate --max-actions 5 --max-exposure 500 --ttl 3600

# Agent accepts
npx tsx src/cli.ts accept --delegation-id <id>

# Agent acts
npx tsx src/cli.ts act --delegation-id <id> --action "file-transform" --exposure 100

# Check status
npx tsx src/cli.ts status --delegation <id>

# Check status with transparency log
npx tsx src/cli.ts status --delegation <id> --log

# Verify the local transparency-log chain
npx tsx src/cli.ts status --delegation <id> --log --verify

Non-Goals / Limits

  • The checkpoint does not globally block all direct AgentGate calls. Calls made outside it are simply outside delegation accounting in this repo.
  • AgentGate does not understand delegation scope. It still sees normal execute and resolve calls.
  • No retries, queues, background workers, or broader orchestration.
  • No recursive chain-of-custody.
  • The transparency log is local and narrow. It does not cover direct AgentGate calls outside the checkpoint.
  • The tamper-evident chain does not detect replacement of the entire DB file with a fresh consistent log.
  • There is no rebuild, repair, or heal command for a broken chain.
  • No generalized authorization framework or UI.
  • Human bond remains a commitment deposit rather than a slashable delegation stake.

Tests

npm test, npm run typecheck, and npm run build pass. 3 integration tests are opt-in via RUN_INTEGRATION_TESTS=1 and require live AgentGate.

npm test

Related Projects

Status

v0.1.0 shipped and credible. v0.4.0 keeps the real narrow delegated execution checkpoint path, keeps the local transparency log inspectable through status --log, and adds a local tamper-evident verification pass through status --log --verify. The claim stays narrow: local only, detects in-place edits/reordering/deletions in the existing log file, does not detect full DB replacement with a fresh consistent log, and has no repair path.

Next Narrow Steps

  • Surface the persisted local reason for pre-attachment reservation failure through the reservation-status read helpers, not only through the immediate blocking response and transparency row.
  • Decide whether the same settling auto-complete hook should also run for every other locally resolved checkpoint failure seam, not just this revocation-propagation/finalization slice.

Design note: v0.2 server-mediated scope enforcement.

License

MIT

About

Bounded human-to-agent delegation with checkpointed execution, dual-bond accountability, and a local append-only transparency log.

github.com/selfradiance/agentgate

Topics

nodejs identity cryptography typescript sqlite delegation ed25519 accountability ai-agents tamper-evident ai-security transparency-log llm-agents agent-security agent-governance agentgate bonded-execution delegated-authority

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 5

v0.4.0 — Tamper-Evident Transparency Log Verification Latest
Apr 24, 2026
+ 4 releases

Packages

 
 
 

Contributors

Languages