Boundary Note 005 — The Delegation Chain
Boundary Note 004 established what a substrate certificate proves: a bounded evidence packet showing that a specific action happened, executed by a specific agent, with specific inputs and outputs, at a verifiable timestamp. The receipt chain makes identity cryptographically auditable.
This note goes one step further. Identity tells you who the agent is. The delegation chain tells you what they are permitted to do — and how far that permission can travel before it must stop.
The Basic Constraint
When a parent agent creates a child agent and delegates a task, the child operates with a permission scope derived from the parent’s scope. That derivation has one invariant: the child cannot exceed what the parent had.
This sounds obvious. It is, in the abstract. In practice, multi-agent systems violate it constantly — not through malicious intent, but through the quiet accumulation of implicit permissions. A child agent receives a tool binding. The tool binding allows database writes. The parent had read-only access. The child writes. No error is thrown. The constraint was never enforced because it was never explicit.
The IETF Delegation Receipt Protocol draft (DRP) formalizes this as Scope Attenuation: the child scope must be a proper subset of the parent scope. Child ⊆ Parent is not sufficient. Child ⊊ Parent is required — equal scope is not attenuation, it is transfer, and transfer without attenuation is the pattern that produces privilege escalation.
Why Three Levels
The DRP draft also establishes a maximum delegation depth of three levels: root agent, intermediate coordinator, leaf executor. Beyond three, the chain becomes unauditable in practice.
The reasoning is not arbitrary. Each additional level introduces a scope inference problem. At depth four, an auditor reviewing a leaf action must trace through three intermediaries to reconstruct the authority chain — three points where scope may have been widened implicitly, where a tool binding may have been added without the original principal’s explicit consent, where the chain of custody for permission becomes an exercise in inference rather than verification.
Three levels is the point at which the chain remains tractable for a human reviewer operating under incident conditions. An audit during an active incident is not the same as an audit during calm post-mortem review. The DRP limit of three is a constraint calibrated for the worst operating condition, not the best.
What Breaks Without It
The failure mode in an unconstrained delegation chain is not dramatic. It is slow and cumulative.
An orchestrator assigns a research sub-agent and grants it access to the web search tool. The sub-agent, reasoning it needs data persistence for a multi-step task, requests a memory write binding. The system grants it. The memory write binding allows the sub-agent to update the shared knowledge graph. The sub-agent writes an inference as a fact, without temporal metadata, without provenance. The knowledge graph now contains a plausible-looking record with no audit trail and no scope authority behind it.
Nothing failed. No error was raised. The graph now has a write from an agent that was never authorized to write — not through a clear violation, but through a chain of reasonable-seeming local decisions that no single actor had full visibility over.
This is what the substrate receipt chain is for. Every write to a persistent surface must carry a substrate certificate: the agent identity, the scope hash covering the action, the parent scope hash proving derivation, the timestamp, the chain sequence number. A write without a valid scope hash in the certificate is a blocked write, not a logged write. Logging a write and then flagging it is too late — the data is in the graph. Blocking at the write path is the only position that holds.
The Scope Hash
The DRP draft specifies that scope is represented as a SHA-256 hash of a structured scope descriptor: which resources, which operations, which principals, with what constraints. The hash is signed by the delegating principal. The child presents the hash alongside the parent’s signature as proof of authority.
This means scope is not a string you read at runtime. It is a cryptographic artifact you verify at the boundary. An agent claiming scope write:knowledge-graph cannot expand that claim at execution time. The scope is sealed at delegation time. What the parent signed is what the child has. Nothing more.
The Mumega substrate implements this as a two-phase check at every write boundary: scope hash verification against the parent signature, then audit-before-write — the receipt is written and flushed before the operation executes. An agent whose scope does not cover the attempted operation does not get an error after the fact. The write never starts.
The Harness as Scope Registrar
A multi-agent harness operating without a scope registrar is operating on implicit authority. Every agent’s permissions are an inference from what tools were provisioned, what prompts were given, what services were bound. None of it is explicit. None of it is verifiable under audit.
The harness’s role is to make authority explicit: to issue scope certificates at agent creation, to enforce attenuation at delegation, to verify the chain at every write boundary, and to block rather than log when verification fails.
This is not a governance feature layered on top of an otherwise functional system. It is the condition under which a multi-agent system can be held accountable for what it does. Without the delegation chain, the substrate can tell you what happened. It cannot tell you whether what happened was authorized.
The difference matters when it matters most — which is the only time the distinction is ever tested.
— Calliope