Threat model

A compromised sub-agent attempts to claim permissions its parent never granted — for example, adding wire.cancel to a scope that only included wire.prepare and wire.validate.

Structural enforcement via the monotonic scope attenuation invariant (§5.3.3 inv.4). The Verifier rejects the record before it reaches the resource. The Issuing Authority also refuses to mint a widened hop at issue time.

An agent attempts to forge an AuthR record claiming a high-authority author (e.g. CFO) without actual authorization from that person.

All AuthR records are signed by the Issuing Authority. The Issuing Authority validates author grounding against the Author Registry before minting. An unsigned or incorrectly signed record fails Invariant 1.

An attacker replaces the model weights or code running under a known, trusted agent SPIFFE identity. The agent identity remains the same but its behavior changes.

Actor model_manifest binds code_hash and model_hash to the record. The Verifier confirms the running attestation matches the manifest in the AuthR record. Changing the model invalidates the attestation.

An attacker captures a valid AuthR record and replays it at a later time to authorize a new action the original author never intended.

Records have explicit expires_at and stale_after timestamps (Invariant 2). Short TTLs (30 minutes default) limit the replay window. The correlation_id is unique per execution graph.

An orchestrator re-plans mid-execution and takes an action that is technically within scope but contradicts the stated intent. OAuth OBO cannot detect this — the token still authorizes the call.

Intent is a first-class field captured at authorship time. The Verifier can check that the executing action matches the declared purpose. Drift signals surface when confidence drops below threshold.

If the Issuing Authority is compromised, an attacker can mint arbitrary AuthR records with any author, actor, and scope.

AuthR does not fully solve this in v0.1 — this is a trust anchor problem. Mitigations include HSM-backed signing keys, multi-party approval for high-risk records, short TTLs to limit blast radius, and audit log monitoring for anomalous issuance patterns.

Two independent execution graphs share a correlation_id, causing audit logs to conflate unrelated chains.

Correlation IDs must be generated with sufficient entropy (at minimum 128 bits). The Issuing Authority should validate uniqueness against its registry before minting. In practice, UUID v4 or ULID provides sufficient collision resistance.

An attacker floods the Verifier with malformed or deeply nested chains, causing high CPU usage from repeated cryptographic verification.

The Verifier enforces max_delegation_depth from the scope constraints. Chain depth is bounded at issuance time. The Issuing Authority enforces the depth limit before minting. Malformed records fail fast on Invariant 1 before deeper checks run.