M28-D: Permission and secret delegation protocol

[bug-ops]

M28-D: Permission and secret delegation protocol (zero-trust)

Context

Sub-agents operate under zero-trust model: no permissions by default, all grants are time-bounded and auto-revoked.

Acceptance Criteria

• PermissionGrants struct with TTL-based grant tracking
• Grant with GrantKind (Secret/Tool), granted_at, ttl fields
• sweep_expired() called before every tool execution and secret access
• revoke_all() called on sub-agent completion, cancellation, and crash (via Drop)
• Secrets delivered via in-memory PermissionGrants, NOT via A2A message channel
• Secrets never serialized into message history or logs
• Secret memory zeroed on revoke (use zeroize crate or manual zeroing)
• InputRequired handling for secret requests with metadata validation
• Auto-deny if requested key not in definition's allowed secrets list
• User approval flow shows: agent name, key name, TTL duration
• Vault integration for secret retrieval on approval
• Timeout on pending approval requests (configurable, default 60s)
• tracing audit events for: grant, deny, expire, revoke
• ttl_secs field in SubAgentPermissions (default = timeout_secs)
• Drop impl on SubAgentHandle triggers revoke_all()

Zero-Trust Rules

1. No default trust — definition declares what MAY be requested, not what IS granted
2. Explicit user approval required for every secret at runtime
3. TTL on all grants — auto-revoke on expiry
4. Automatic revocation on sub-agent end (any reason)
5. No persistence — secrets exist only in-memory
6. Audit trail via tracing for all grant lifecycle events
7. Sweep before access — expired grants cleaned on every check

Architecture Reference

See .local/plan/sub-agent-orchestration.md — "Zero-Trust Security Model" section

Blocked by

• M28-B: SubAgentManager core with in-process A2A channels #711 (SubAgentManager core)