Delegation

Delegation is a core feature of Tenuo that allows warrants to be passed down through a chain of agents. This enables complex multi-agent workflows while maintaining security and auditability.

Delegation Protocol→

What is Delegation?

Delegation allows an agent holding a warrant to issue a sub-warrant to another agent:

┌─────────────┐      ┌─────────────┐      ┌─────────────┐
│   Issuer    │      │  Agent A    │      │  Agent B    │
│ (your app)  │      │(orchestrator)│      │  (worker)   │
└──────┬──────┘      └──────┬──────┘      └──────┬──────┘
       │                    │                    │
       │  Warrant (depth 2) │                    │
       │───────────────────>│                    │
       │                    │                    │
       │                    │  Sub-warrant       │
       │                    │   (depth 1)        │
       │                    │───────────────────>│
       │                    │                    │
       │                    │                    │  Can act with
       │                    │                    │  delegated authority

Delegation Depth

Warrants include a depth field that controls how many times they can be delegated:

Depth	Meaning
0	Cannot delegate further
1	Can delegate once (sub-warrant has depth 0)
2	Can delegate twice
N	Can delegate N times

⚠️

Always use the minimum depth needed. Higher depths increase the attack surface.

Delegation Chains

When warrants are delegated, they form a chain:

Root Key
    │
    ▼
Issuer Key ─────► Warrant (depth 2)
                      │
                      ▼
                 Sub-warrant (depth 1)
                      │
                      ▼
                 Sub-sub-warrant (depth 0)

Authorizers verify the entire chain before granting access:

Each warrant's signature is valid
Each issuer was authorized to delegate
No warrant in the chain is revoked
All constraints are satisfied

Scope Restriction

When delegating, the new warrant can only have equal or fewer permissions:

# Original warrant allows reading and writing
original_warrant = tenuo.issue(
    holder="orchestrator",
    actions=["read:docs", "write:docs"],
    depth=1
)
 
# Delegation can only grant subset of permissions
sub_warrant = tenuo.delegate(
    parent=original_warrant,
    holder="worker",
    actions=["read:docs"]  # Cannot add "delete:docs"
)

Delegation cannot escalate privileges. Each step can only maintain or reduce permissions.

Use Cases

Orchestrator-Worker Pattern

An orchestrator agent receives a warrant, then delegates sub-tasks to worker agents with restricted permissions.

User → Orchestrator (full access) → Worker A (read only)
                                  → Worker B (write only)

Multi-step Workflows

Each step in a workflow receives a warrant with just enough permission for that step.

Research Agent → Analysis Agent → Summary Agent
(read access)    (read+compute)   (write access)

Third-party Tool Access

Delegate limited access to external tools or APIs.

Agent → External Tool (limited scope, short expiry)

Revoking Delegated Warrants

Revocation is transitive - revoking a parent revokes all children:

Warrant A (revoked)
    │
    ▼
Warrant B ← Also invalid (parent revoked)
    │
    ▼
Warrant C ← Also invalid (grandparent revoked)

Revocation→

Security Considerations

Limit delegation depth

Use depth=0 for most warrants. Only increase when delegation is actually needed.

Time-bound delegations

Sub-warrants should have shorter expiration than parents.

Add constraints at each level

Each delegation should add context-specific constraints.

Monitor delegation chains

Use audit logs to track delegation patterns and detect anomalies.