M28-D: Permission and secret delegation protocol #713

@bug-ops

M28-D: Permission and secret delegation protocol (zero-trust)

Context

Sub-agents operate under a zero-trust model: no permissions by default, all grants are time-bounded and auto-revoked.

Acceptance Criteria

  • PermissionGrants struct with TTL-based grant tracking
  • Grant with GrantKind (Secret/Tool), granted_at, ttl fields
  • sweep_expired() called before every tool execution and secret access
  • revoke_all() called on sub-agent completion, cancellation, and crash (via Drop)
  • Secrets delivered via in-memory PermissionGrants, NOT via A2A message channel
  • Secrets never serialized into message history or logs
  • Secret memory zeroed on revoke (use zeroize crate or manual zeroing)
  • InputRequired handling for secret requests with metadata validation
  • Auto-deny if requested key not in definition's allowed secrets list
  • User approval flow shows: agent name, key name, TTL duration
  • Vault integration for secret retrieval on approval
  • Timeout on pending approval requests (configurable, default 60s)
  • tracing audit events for: grant, deny, expire, revoke
  • ttl_secs field in SubAgentPermissions (default = timeout_secs)
  • Drop impl on SubAgentHandle triggers revoke_all()

Zero-Trust Rules

  1. No default trust — definition declares what MAY be requested, not what IS granted
  2. Explicit user approval required for every secret at runtime
  3. TTL on all grants — auto-revoke on expiry
  4. Automatic revocation on sub-agent end (any reason)
  5. No persistence — secrets exist only in-memory
  6. Audit trail via tracing for all grant lifecycle events
  7. Sweep before access — expired grants cleaned on every check

Architecture Reference

See .local/plan/sub-agent-orchestration.md — "Zero-Trust Security Model" section

Blocked by
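A std-only sketch of the grant lifecycle the acceptance criteria describe (TTL tracking, sweep before access, wipe on revoke, revoke on Drop), added here as an illustration and not taken from the project's code. The type and method names `PermissionGrants`, `Grant`, `GrantKind`, `sweep_expired`, `revoke_all` and `SubAgentHandle` come from the issue; the `value` field, the `grant` and `secret` methods, and passing `now` in as a parameter are assumptions, and manual volatile zeroing stands in for the `zeroize` crate.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum GrantKind { Secret, Tool }

// `granted_at` and `ttl` follow the issue; `value` (the secret bytes) is an assumption.
pub struct Grant { value: Vec<u8>, granted_at: Instant, ttl: Duration }

impl Grant {
    fn expired(&self, now: Instant) -> bool { now.duration_since(self.granted_at) >= self.ttl }
    // Manual zeroing: volatile writes so the wipe is not optimized away.
    fn wipe(&mut self) {
        for b in self.value.iter_mut() { unsafe { std::ptr::write_volatile(b, 0) } }
    }
}

#[derive(Default)]
pub struct PermissionGrants { grants: HashMap<(GrantKind, String), Grant> }

impl PermissionGrants {
    // `now` is injected (assumption) so expiry can be exercised without sleeping.
    pub fn grant(&mut self, kind: GrantKind, key: &str, value: &[u8], ttl: Duration, now: Instant) {
        let g = Grant { value: value.to_vec(), granted_at: now, ttl };
        if let Some(mut old) = self.grants.insert((kind, key.to_string()), g) { old.wipe(); }
    }
    // Wipes and removes every expired grant; returns how many were dropped.
    pub fn sweep_expired(&mut self, now: Instant) -> usize {
        let before = self.grants.len();
        self.grants.retain(|_, g| { let dead = g.expired(now); if dead { g.wipe(); } !dead });
        before - self.grants.len()
    }
    // Sweep before access: an expired secret is never handed out.
    pub fn secret(&mut self, key: &str, now: Instant) -> Option<&[u8]> {
        self.sweep_expired(now);
        self.grants.get(&(GrantKind::Secret, key.to_string())).map(|g| g.value.as_slice())
    }
    pub fn revoke_all(&mut self) -> usize {
        let n = self.grants.len();
        for (_, mut g) in self.grants.drain() { g.wipe(); }
        n
    }
}

pub struct SubAgentHandle { pub grants: PermissionGrants }
impl Drop for SubAgentHandle { fn drop(&mut self) { self.grants.revoke_all(); } }

fn main() {
    let (t0, mut h) = (Instant::now(), SubAgentHandle { grants: PermissionGrants::default() });
    h.grants.grant(GrantKind::Secret, "API_KEY", b"constructed", Duration::from_secs(60), t0);
    assert!(h.grants.secret("API_KEY", t0 + Duration::from_secs(61)).is_none());
}
```

The wipe covers only the buffer held inside the grant; any copy a caller makes from the returned slice is outside its reach, which is why the issue also forbids serializing secrets into messages or logs.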
