Bounded Delegation for AI Agents

How authority flows through the system

One warrant chain travels from the Control Plane to the Worker. At each hop, the delegating party re-signs a strictly narrower warrant.

depth 0 ยท root
Control Plane
Issues the root warrant.
Trust anchor.
Tools
read write search delete
Scope
/data/*
TTL
60s
Delegate
up to depth 2
Attenuates & re-signs
drops search, delete
narrows path to /data/research/*
halves TTL to 30s
depth 1 ยท attenuated
Orchestrator
Plans the task.
Re-signs a narrower warrant for the worker.
Tools
read write search delete
Scope
/data/research/*
TTL
30s
Delegate
one more hop
Attenuates & re-signs
drops read
narrows path to /data/research/summaries/*
shrinks TTL to 2s
depth 2 ยท leaf
Worker
Executes tool calls.
Signs each request (PoP).
Tools
read write search delete
Scope
/data/research/summaries/*
TTL
2s
Delegate
depth limit reached
Tool call
Worker sends the full chain plus a per-call PoP signature.
The authorizer verifies everything offline, before the tool runs.
verification
Authorizer
Fail-closed. Offline.
Chain links valid and monotonically narrowing
Requested tool and path inside leaf warrant
Within TTL, PoP window, and depth limit
Any expansion, missing signature, or stale request is denied.
Where this lives in the codebase
Delegation chain
tenuo-python/examples/research_agent_demo.py
Request signing (PoP)
Warrant.sign(...)
Enforcement
tenuo-core/src/bin/authorizer.rs

๐Ÿš€ Try It Yourself

Run this demo locally with Docker. The orchestrator and worker agents demonstrate the full delegation chain.

docker compose up
๐Ÿ“ฆ docker-compose.yml ๐ŸŽฏ orchestrator.rs โš™๏ธ worker.rs ๐Ÿ” authorizer.rs

๐Ÿ Python Demo: High-level features with MCP + LangChain

๐Ÿ”ฌ research_agent_demo.py ๐Ÿ”Œ mcp_research_server.py