Skip to content

[Hackathon] theritwik: delegatable capability tokens with cascading revocation#56

Open
theritwik wants to merge 1 commit into
projnanda:mainfrom
theritwik:hackathon/theritwik-reputation
Open

[Hackathon] theritwik: delegatable capability tokens with cascading revocation#56
theritwik wants to merge 1 commit into
projnanda:mainfrom
theritwik:hackathon/theritwik-reputation

Conversation

@theritwik

Copy link
Copy Markdown

Problem

Implements hackathon problem #4 (docs/hackathon/problems/04-auth-capability-delegation.md):
delegatable capability tokens with cascading revocation for the auth layer.

What this adds

  • Plugin auth/delegatable.py — macaroon-style HMAC chaining (Birgisson et al., 2014).
    delegate(parent_token, audience, scopes_subset, ttl) mints a narrower, time-bounded
    sub-token without the issuer's secret; child scopes must be a subset of the parent's
    (else ScopeEscalationError), child expiry is clamped to the parent's.
    verify_presented(token, presenter) adds audience binding. Revoking any ancestor fails
    every descendant at the next verify (RevokedAncestorError) — cascading by construction.
  • Adversarial validator validators/auth_validators.py — three pure checks: scope
    escalation, stale/revoked ancestor, audience confusion. FAILS against the reference
    jwt plugin, PASSES against delegatable
    (proven in tests).
  • Scenario scenarios/delegated_auth.yaml — 16-agent delegation tree (1 coordinator,
    3 intermediaries, 12 leaves). Mid-run one intermediary is revoked; exactly its 4 leaves
    fail with RevokedAncestorError, the other 8 keep verifying. Deterministic under seeds
    42, 7, 1337.
  • Tests — 30 new: unit, Hypothesis property tests, forged-token defenses (validly-signed
    scope-widening and ttl-extension rejected at verify), validator discrimination, and
    full-simulator integration.
  • Registered as ("auth", "delegatable") builtin + nest.plugins.auth entry point;
    docs in docs/layers/auth.md.

Determinism

Token ids are content hashes, signatures are HMAC-SHA256 over canonical JSON, expiry uses
a logical tick clock — no wall time, no unseeded RNG.

Verify

make ci-local
# or just the new tests:
uv run pytest packages/nest-plugins-reference/tests/test_delegatable_auth.py \
              packages/nest-plugins-reference/tests/test_delegated_auth_scenario.py -v

All five CI commands exit 0 locally (ruff check, ruff format --check, pyright strict,
pytest: 766 passed).

…evocation

Implements hackathon problem projnanda#4 (auth layer). Adds a macaroon-style
`delegatable` auth plugin: an agent can mint narrower, time-bounded
sub-capabilities from a parent token WITHOUT the issuer's secret, and
revoking any ancestor fails every descendant at the next verify.

- plugin: packages/nest-plugins-reference/.../auth/delegatable.py
    * delegate(parent, audience, scopes_subset, ttl) -> Token (subset-only,
      ttl clamped to parent), verify_presented(token, presenter) audience bind
    * cascading revocation by construction (chains embed ancestor ids)
    * verify-time defenses: scope-escalation, ttl-extension, tampering, and
      stale/expired ancestors are all rejected even for validly-signed forgeries
    * deterministic: content-hash ids, HMAC-SHA256, logical tick clock
- adversarial validator: validators/auth_validators.py — three pure checks
  (scope escalation, stale ancestor, audience confusion) that FAIL against the
  reference `jwt` plugin and PASS against `delegatable`
- scenario: scenarios/delegated_auth.yaml + factory — 16-agent delegation tree
  (coordinator + 3 intermediaries + 12 leaves) that revokes one subtree and
  shows only its 4 leaves fail; deterministic across seeds 42/7/1337
- tests: unit + Hypothesis property + forged-token + validator-discrimination
  + full-simulator integration
- registration: plugins.py builtin + pyproject entry point; docs/layers/auth.md

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JZnTVq55dAzSPfxeCQMRNy
@theritwik

Copy link
Copy Markdown
Author

CI appears to be awaiting first-time-contributor approval — could a maintainer approve the workflow run? All five checks (ruff, format, pyright, pytest) pass locally via make ci-local.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants