[Hackathon] Auth: manifest-bound delegatable capability tokens#37
Charanarravindaa wants to merge 3 commits into
Conversation
Thanks @Charanarravindaa. There's a lot of engineering here — the

What this PR actually proposes

Reading through the diff carefully, this isn't a hackathon plugin submission for one of the 12 layers. It's a framework proposal to add a 13th layer to the stack, alongside:

Totalling 53 files and +3517 lines. For reference, the largest problem-specific hackathon PRs so far have been 10-15 files and ~1500-1700 lines (Ricardo #31, Simon #30, swamx #33). Adding a layer to the 12-layer stack is a framework-level design change. It changes the README's headline claim, it changes the layer-count in the dashboard, it changes CONTRIBUTING's guidance, and it re-defines what a "complete Nanda Town test rig" is. That decision needs to happen in the open through a design discussion (an Issue, or a short RFC in

Suggested path forward

Two moves, in this order:

1. Extract
policy layer (load-bearing, additive)

cb4f48d to 19b99a7
@dhve I’ve updated the PR to focus on Problem #4 as an Auth-layer submission. The diff now removes the broader policy-layer/framework scope and contains auth: delegatable, the delegated auth scenario, and the three adversarial validators required by the charter.
@dhve I’ve pushed the requested updates to this branch. Summary:
Validation run locally:
GitHub currently reports the PR as mergeable. It shows no branch checks reported, so the merge state is marked unstable only for missing checks, not for conflicts.
[Hackathon] Auth: manifest-bound delegatable capability tokens
Problem Picked
Problem #4 — Delegatable capability tokens with cascading revocation.
Layer 5 — Auth.
This PR adds auth: delegatable, a reference Auth-layer plugin for manifest-bound delegatable capability tokens, plus the required adversarial validators and the scenarios/delegated_auth.yaml proof scenario. It stays inside the existing 12-layer stack and does not introduce a new framework layer.

Why

The default jwt auth plugin can issue and verify bearer tokens, but it cannot model the delegation pattern called out in problem #4:

That pattern matters for agent swarms because orchestrators routinely need constrained handoffs:
This PR makes that capability-delegation contract testable under attack in Nanda Town.
Core Idea
DelegatableAuth issues root tokens whose scopes are clamped to a signed manifest. A holder can mint a child token for another audience, but only under stricter caveats:

PolicyManifest.

The plugin is a deterministic, in-memory reference implementation for the Nanda Town test rig. Distributed revocation and cross-process token registry replication are intentionally out of scope.
Adversarial Contract
Problem #4 requires validators that catch three attacks. This PR ships all three:
auth: jwt / auth: delegatable

The bundled scenario builds the required delegation tree: one coordinator, three intermediaries, and twelve leaves.
What Ships
- nest_plugins_reference.auth.delegatable.DelegatableAuth
- auth: delegatable
- scenarios/delegated_auth.yaml
- delegated_auth built-in scenario with coordinator, 3 intermediaries, and 12 leaves
- delegated_auth_scope_containment
- delegated_auth_no_stale_parent
- delegated_auth_audience_binding
- auth: delegatable PASS and auth: jwt FAIL

Security Properties Covered By Tests

- aud, exp, chain, or scopes is rejected

How To Test
Run the charter CI gate:
Equivalent local shortcut:
Focused Auth checks:
Scenario proof:
```shell
uv run nest run scenarios/delegated_auth.yaml -o /tmp/delegated_auth.jsonl
uv run python -c "from pathlib import Path; from nest_core.validators import validate_trace; p=Path('/tmp/delegated_auth.jsonl'); [print('PASS' if r.passed else 'FAIL', r.name, '-', r.detail) for r in validate_trace(p, 'delegated_auth')]"
```

Expected under auth: delegatable: all three validators PASS. Flip the YAML layer to auth: jwt, rerun, and the same three validators FAIL.

Determinism
The plugin uses deterministic JSON payloads, deterministic HMAC chaining, and the scenario uses the Nanda Town seed path. Re-running the same scenario with the same seed produces a byte-identical trace.
API Fit
- Auth protocol surface: issue, verify, and revoke.
- delegate(parent_token, audience, scopes_subset, ttl) -> Token.
- nest_core.types.AgentId, Token, and AuthContext.
- auth: delegatable.
- Example:: blocks.

Threat Model And Limits
This is a reference plugin for deterministic Nanda Town simulations. It protects against scope widening, equal-authority delegation, parent TTL bypass, stale descendants after local revocation, audience confusion, manifest tampering, and token payload/signature tampering.
It does not attempt to solve distributed revocation, cross-process token registry replication, agent process sandboxing, hardware-backed key attestation, OAuth2 server endpoints, or network token introspection.
Persona
Security-minded agent-runtime engineer. The emphasis is on explicit authority boundaries, adversarial tests, deterministic replay, and making the Auth layer catch delegation bugs that the baseline jwt plugin cannot catch.
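The Core Idea, Adversarial Contract, and Threat Model sections above describe the contract in prose. The following is an added, self-contained sketch of that contract (example code written for this page, not the PR's DelegatableAuth or anything from nest_core): a root token clamped to a MAC-signed manifest, delegate() enforcing strict-subset scopes, a different audience, and a TTL no longer than the parent's, HMAC chaining that binds each child to exactly one parent, and cascading revocation via the ancestor chain. The method names follow the PR description; the key, the agent names, the scope strings, and the sign_manifest helper are constructed for the demo, and only the Python standard library is used.

```python
"""Added example of a manifest-bound delegatable capability token (not the PR's code).
Names follow the PR description; bodies, key, and agent names are constructed here."""
import hashlib
import hmac
import json
from dataclasses import dataclass


class DelegationError(Exception):
    """Raised when issuance, delegation, or verification is refused."""


@dataclass
class Token:
    payload: dict  # sub, aud, scopes, exp, chain (ancestor signatures, root first)
    sig: str       # HMAC over (parent signature || canonical payload)


def _canon(obj) -> bytes:
    # Canonical JSON so equal payloads always give equal MACs (deterministic replay).
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, scopes: dict) -> str:
    """Constructed stand-in for a signed PolicyManifest: a MAC over the scope table."""
    return hmac.new(key, b"manifest:" + _canon(scopes), hashlib.sha256).hexdigest()


class DelegatableAuth:
    def __init__(self, key: bytes, manifest: dict, now: int):
        self.key = key
        self.now = now                      # explicit clock keeps the run deterministic
        self.registry: dict[str, Token] = {}
        self.revoked: set[str] = set()
        if not hmac.compare_digest(sign_manifest(key, manifest["scopes"]), manifest["sig"]):
            raise DelegationError("manifest signature invalid")  # manifest tampering
        self.manifest = manifest

    def _mac(self, parent_sig: str, payload: dict) -> str:
        # Folding the parent MAC into the child MAC binds a child to exactly one parent.
        return hmac.new(self.key, parent_sig.encode() + _canon(payload), hashlib.sha256).hexdigest()

    def _mint(self, payload: dict, parent_sig: str) -> Token:
        tok = Token(payload, self._mac(parent_sig, payload))
        self.registry[tok.sig] = tok
        return tok

    def issue(self, sub: str, aud: str, scopes, ttl: int) -> Token:
        allowed = set(self.manifest["scopes"].get(sub, []))
        clamped = sorted(set(scopes) & allowed)   # root scopes never exceed the manifest
        return self._mint({"sub": sub, "aud": aud, "scopes": clamped,
                           "exp": self.now + ttl, "chain": []}, parent_sig="root")

    def delegate(self, parent: Token, audience: str, scopes_subset, ttl: int) -> Token:
        p = self.verify(parent, parent.payload["aud"])   # a revoked or expired parent cannot delegate
        child = set(scopes_subset)
        if not child < set(p["scopes"]):                  # strict subset: no widening, no equal authority
            raise DelegationError("child scopes must be a strict subset of parent scopes")
        if audience == p["aud"]:
            raise DelegationError("child must be bound to a different audience")
        exp = min(self.now + ttl, p["exp"])               # child cannot outlive its parent
        payload = {"sub": p["sub"], "aud": audience, "scopes": sorted(child),
                   "exp": exp, "chain": p["chain"] + [parent.sig]}
        return self._mint(payload, parent_sig=parent.sig)

    def verify(self, token: Token, expected_aud: str) -> dict:
        p = token.payload
        parent_sig = p["chain"][-1] if p["chain"] else "root"
        if not hmac.compare_digest(self._mac(parent_sig, p), token.sig):
            raise DelegationError("signature or payload tampered")
        if token.sig not in self.registry:
            raise DelegationError("unknown token")
        if p["aud"] != expected_aud:
            raise DelegationError("audience mismatch")
        if p["exp"] <= self.now:
            raise DelegationError("expired")
        # Cascading revocation: a revoked ancestor anywhere in the chain kills every descendant.
        if self.revoked.intersection(p["chain"] + [token.sig]):
            raise DelegationError("token or an ancestor was revoked")
        return dict(p)

    def revoke(self, token: Token) -> None:
        self.revoked.add(token.sig)


def _refused(fn) -> bool:
    try:
        fn()
    except DelegationError:
        return True
    return False


def demo() -> dict:
    """Coordinator -> intermediary -> leaf tree, with the charter's attacks attempted (constructed data)."""
    key = b"nanda-town-reference-key"  # constructed test key
    scopes = {"coordinator": ["read:plan", "write:plan", "spawn"]}
    auth = DelegatableAuth(key, {"scopes": scopes, "sig": sign_manifest(key, scopes)}, now=1000)
    root = auth.issue("coordinator", "coordinator", ["read:plan", "write:plan", "spawn", "admin"], ttl=600)
    mid = auth.delegate(root, "intermediary-1", ["read:plan", "spawn"], ttl=900)   # ttl clamped to root exp
    leaf = auth.delegate(mid, "leaf-1", ["read:plan"], ttl=60)
    r = {"root_scopes": root.payload["scopes"], "mid_exp": mid.payload["exp"],
         "leaf_scopes": auth.verify(leaf, "leaf-1")["scopes"]}
    r["widen"] = _refused(lambda: auth.delegate(mid, "leaf-2", ["read:plan", "write:plan"], 60))
    r["equal"] = _refused(lambda: auth.delegate(mid, "leaf-3", ["read:plan", "spawn"], 60))
    r["same_aud"] = _refused(lambda: auth.delegate(mid, "intermediary-1", ["read:plan"], 60))
    r["wrong_aud"] = _refused(lambda: auth.verify(leaf, "leaf-2"))
    forged = Token({**leaf.payload, "scopes": ["read:plan", "spawn"]}, leaf.sig)
    r["tamper"] = _refused(lambda: auth.verify(forged, "leaf-1"))
    auth.revoke(mid)
    r["stale_leaf"] = _refused(lambda: auth.verify(leaf, "leaf-1"))
    r["root_alive"] = auth.verify(root, "coordinator")["sub"]
    bad = {"scopes": {"coordinator": scopes["coordinator"] + ["admin"]}, "sig": sign_manifest(key, scopes)}
    r["manifest_tamper"] = _refused(lambda: DelegatableAuth(key, bad, now=1000))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design choices worth noting. The strict-subset rule means a token holding a single scope can delegate only an empty capability, which is the intended cost of forbidding equal-authority handoffs. And revocation is purely local here, matching the PR's stated limit: the registry and revoked set live in one process, so distributed revocation would need replication of both.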