Skip to main content

Content-addressed delegation references for the AlgoVoi substrate (tamper-evident, chainable; L1 frozen)

Project description

algovoi-delegation-ref

Content-addressed delegation references for the AlgoVoi substrate. An agent delegates authority to another agent for a scope and a validity window; the delegation_ref is the content hash of that delegation envelope, so any tamper (widening the scope, extending the expiry, swapping the delegate) changes the ref and is detectable offline. Delegations chain (A→B→C) via prev_delegation_ref, giving a tamper-evident delegation chain.

This is the inverse of an opaque delegation token (an arbitrary label that does not change when the delegation's content is altered). Additive over the frozen substrate (Apache-2.0); no new cryptography:

delegation_ref = "sha256:" + SHA-256(JCS(RFC 8785)({
    delegate_id, delegator_id, not_after_ms, not_before_ms,
    prev_delegation_ref, scope }))

with integer-millisecond validity bounds.

Install

pip install algovoi-delegation-ref

Use

from algovoi_delegation_ref import delegation_ref, tamper_detected, verify_chain

root = {
    "delegator_id": "did:web:org.example",
    "delegate_id":  "did:web:agent-1.example",
    "scope":        "payments:usdc:<=100",
    "not_before_ms": 1716494400000,
    "not_after_ms":  1716498000000,
    "prev_delegation_ref": "",
}
ref = delegation_ref(root)
tamper_detected(ref, root)                              # False (matches)
tamper_detected(ref, {**root, "scope": "payments:usdc:*"})   # True (scope widened)

# chain a sub-delegation and verify integrity end to end
sub = {**root, "delegator_id": "did:web:agent-1.example",
       "delegate_id": "did:web:agent-2.example",
       "scope": "payments:usdc:<=50", "prev_delegation_ref": ref}
verify_chain([root, sub])    # -> [root_ref, sub_ref]; raises on a broken link

Envelope key order does not matter (JCS absorbs it). A non-integer validity bound (e.g. an RFC-3339 string) is rejected, not hashed.

Conformance

conformance/delegation_ref_v1/: 3 positives (root, reordered-key, chain link), 5 negatives (scope / expiry / delegate / chain-link tamper, plus a rejected malformed bound), and two invariants (key-order, chain integrity). The verifier imports only the standard library plus rfc8785 (no algovoi import):

pip install rfc8785
python conformance/delegation_ref_v1/verify.py

Adopters

Build on algovoi-delegation-ref, pin ==0.1.0, anchor a canonical vector hash, and keep the NOTICE, and you qualify for a free v0 licence key for algovoi-mandate-auditor. The gate is scripts/check_v0_adoption.py (dependency + canonical hash anchor + NOTICE + version pin → ISSUE_V0_KEY). Apply: email chopmob@gmail.com.

License

Apache-2.0. Copyright 2026 AlgoVoi. Preserve the NOTICE in any distribution.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

algovoi_delegation_ref-0.1.2-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl (178.9 kB view details)

Uploaded CPython 3.11manylinux: glibc 2.17+ x86-64

File details

Details for the file algovoi_delegation_ref-0.1.2-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl.

File metadata

File hashes

Hashes for algovoi_delegation_ref-0.1.2-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl
Algorithm Hash digest
SHA256 f94246d2d7789caad3aeeb23cd04100f91ebe8333c776308ee0b1154d5f99df6
MD5 5deecd41eb04735396561a4980b5a73a
BLAKE2b-256 2fca514266a2aa5442bfee6deb83eea0ad08f670cf30ef75c28e15a7d68dec80

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page