Delegation
Delegation chains track how credentials are passed between agents. Each hop can only narrow scope — never widen. The chain is validated for expired hops, broken links, and scope violations.Chain Operations
addDelegation(vault, passportId, delegation, actor)
Add a delegation hop. The new hop’s scope must be a subset of the current effective scope.
revokeDelegation(vault, passportId, actor)
Remove the most recent delegation hop.
clearDelegations(vault, passportId, actor)
Remove all delegation hops from a passport.
Chain Analysis
| Function | Returns | Description |
|---|---|---|
getDelegationDepth(passport) | number | Number of hops in the chain |
getCurrentHolder(passport) | string | The to field of the last hop |
getOriginalIssuer(passport) | string | The from field of the first hop |
getAllDelegationParties(passport) | string[] | Every entity in the chain |
isInDelegationChain(passport, entity) | boolean | Whether an entity appears in the chain |
getDelegationPath(passport) | string | Human-readable path (e.g., alice → agent-01 → sub-agent) |
Expiry Detection
hasExpiredDelegation(passport)— Any hop past itsexpiresAtgetExpiredDelegations(passport)— List of expired hopsgetExpiringDelegations(passport, withinDays?)— Hops expiring soon
Scope Analysis
getEffectiveScope(passport)
Calculate the effective scope after all delegation narrowing. Returns the intersection of all hops’ scope arrays.
isScopePermitted(passport, scope)
Check if a specific scope string is permitted given the current delegation chain.
getScopeRestrictions(passport)
Show what each hop removed: original scope, effective scope, and which hop restricted which scopes.
validateDelegationChain(passport)
Validate the entire chain. Returns { valid: boolean, issues: string[] }.