Delegation Root Certificate for Autonomous Agents
HumanRoot
Every agent action traces back to a human decision. HumanRoot makes that traceable, provable, and legally defensible.
The Problem
Autonomous AI agents send emails, execute API calls, write to databases, and delegate tasks to other agents. Yet the moment a human delegates authority to an agent is entirely informal — a checkbox, a system prompt, an API key.
When a chain of agents acts — Agent A delegating to Agent B delegating to Agent C — the original human intent disappears entirely.
HumanRoot solves this with a single primitive: the Delegation Root Certificate (DRC).
Install
pip install humanroot
Quickstart
from humanroot import delegate
drc = delegate(
    human_id="alice@example.com",
    agent_id="my-agent-v1",
    scopes=["email.read", "calendar.write"],
    expires_in="24h",
)
# DRC propagates automatically through all agent calls
agent.run(task, drc=drc)
What is a DRC?
A Delegation Root Certificate is a signed, structured, machine-readable record of a human delegation act. It guarantees:
| Property | Guarantee |
|---|---|
| Non-repudiation | Human principal cannot deny having issued the delegation |
| Scope-binding | Actions constrained by explicit scopes — anything outside is unauthorized |
| Causal traceability | Every action → DRC → parent DRC → human. Always reconstructible |
| Restriction-only | Sub-delegations may only restrict, never expand, parent authority |
| Provider-agnostic | Works across OpenAI, Anthropic, LangChain, CrewAI, custom agents |
| Revocability | Any DRC revoked instantly, cascades to all children |
Framework Integrations
Anthropic Claude
from humanroot import delegate
from humanroot.integrations.anthropic_claude import HumanRootAnthropic
drc = delegate(human_id="alice@example.com", agent_id="claude-agent",
               scopes=["text.generate"], expires_in="1h")
client = HumanRootAnthropic(drc=drc)
response = client.messages.create(
    model="claude-opus-4-6",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Summarise this contract."}],
)
OpenAI
from humanroot.integrations.openai_chat import HumanRootOpenAI
client = HumanRootOpenAI(drc=drc)
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Draft this email."}],
)
LangChain
from langchain_core.messages import HumanMessage
from humanroot.integrations.langchain import drc_runnable, DRCCallbackHandler
# Option A: wrap any Runnable (llm is your existing LangChain model)
secured_llm = drc_runnable(llm, drc)
result = secured_llm.invoke([HumanMessage(content="Hello")])
# Option B: non-invasive callback
result = llm.invoke(input, config={"callbacks": [DRCCallbackHandler(drc)]})
CrewAI
from crewai import Crew
from humanroot.integrations.crewai import drc_crew
crew = drc_crew(Crew(agents=[...], tasks=[...]), drc)
result = crew.kickoff()
Sub-delegation
Agents can delegate to other agents — but only within the bounds of their own authority:
from datetime import timedelta
from humanroot import sub_delegate
# Agent A delegates to Agent B with reduced scope
child_drc = sub_delegate(
    parent_drc,
    agent_id="agent-b",
    scopes=["email.read"],  # subset of parent scopes only
    expires_at=parent_drc.expires_at - timedelta(hours=1),
)
Rules enforced automatically:
- Child scopes ⊆ parent scopes (expansion forbidden)
- Child expiry ≤ parent expiry
- Delegation depth decrements at every hop
- root_hash always points to the human-signed origin
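The restriction-only rules above, together with the cascading revocation from the property table, as an added example that is not HumanRoot's code: a stdlib-only checker that walks a chain from the root and reports every violated rule. The DRC fields, the SHA-256 linking and the helper names are assumptions made for illustration, and signatures are assumed to have been verified separately.

```python
# Added example, not HumanRoot's code; field names and hashing are assumptions.
import hashlib, json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class DRC:
    drc_id: str
    scopes: frozenset
    expires_at: datetime
    depth: int              # sub-delegation hops still allowed
    parent_hash: str = ""   # empty string marks the human-issued root
    root_hash: str = ""

def drc_hash(d):
    body = [d.drc_id, sorted(d.scopes), d.expires_at.isoformat(), d.depth,
            d.parent_hash, d.root_hash]
    return hashlib.sha256(json.dumps(body).encode()).hexdigest()

def sub(parent, root, drc_id, scopes, expires_at):  # builds a child, enforces nothing
    return DRC(drc_id, frozenset(scopes), expires_at, parent.depth - 1,
               drc_hash(parent), drc_hash(root))

def check_chain(chain, now, revoked=frozenset()):
    """chain[0] is the root DRC; returns violations (empty list means valid)."""
    errors = [] if chain[0].parent_hash == "" else ["chain does not start at a root DRC"]
    origin = drc_hash(chain[0])
    for i, d in enumerate(chain):
        if d.drc_id in revoked:
            errors.append(f"{d.drc_id}: revoked")
        if d.expires_at <= now:
            errors.append(f"{d.drc_id}: expired")
        if i == 0:
            continue
        p = chain[i - 1]
        if d.parent_hash != drc_hash(p) or d.root_hash != origin:
            errors.append(f"{d.drc_id}: broken link to parent or root")
        if not d.scopes <= p.scopes:
            errors.append(f"{d.drc_id}: scope expansion {sorted(d.scopes - p.scopes)}")
        if d.expires_at > p.expires_at:
            errors.append(f"{d.drc_id}: outlives parent")
        if d.depth != p.depth - 1 or d.depth < 0:
            errors.append(f"{d.drc_id}: depth exhausted or not decremented")
    return errors

# Constructed sample chain: human-issued root -> agent-a -> agent-b
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ROOT = DRC("root", frozenset({"email.read", "calendar.write"}), NOW + timedelta(hours=24), 2)
A = sub(ROOT, ROOT, "agent-a", ["email.read"], NOW + timedelta(hours=12))
B = sub(A, ROOT, "agent-b", ["email.read"], NOW + timedelta(hours=6))
```

Because every ancestor is checked against the revoked set, revoking agent-a alone makes the chain for agent-b invalid, which is the cascade behaviour in miniature.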
CLI
# Generate a key pair
humanroot keygen --out ./keys
# Issue a DRC
humanroot issue \
  --human-id alice@example.com \
  --agent-id my-agent-v1 \
  --scopes email.read calendar.write \
  --expires-in 24h \
  --key ./keys/private.pem \
  --out drc.json
# Verify a DRC file
humanroot verify --drc-file drc.json --pubkey ./keys/public.pem
# Inspect a delegation chain (requires server)
humanroot chain --drc-id <uuid>
# Revoke a DRC and all children
humanroot revoke --drc-id <uuid> --reason "key compromised"
# Check revocation status
humanroot status --drc-id <uuid>
API Server
pip install "humanroot[server]"
uvicorn server.app:app --reload --port 8001
Endpoints:
| Method | Path | Description |
|---|---|---|
| POST | /drc/issue | Issue a root DRC |
| POST | /drc/sub-delegate | Sub-delegate from existing DRC |
| GET | /drc/{id} | Fetch a DRC |
| GET | /drc/{id}/chain | Full delegation chain |
| POST | /drc/revoke | Revoke DRC + children |
| GET | /drc/{id}/status | Revocation status |
| GET | /drcs | List all DRCs |
Interactive docs: http://localhost:8001/docs
Dashboard: http://localhost:8001/dashboard
Cryptography
HumanRoot uses ES256 (ECDSA P-256) — lightweight, widely supported, no external PKI required.
from humanroot import generate_keypair, sign_drc, verify_drc
priv, pub = generate_keypair()
signed_drc = sign_drc(drc, priv)
assert verify_drc(signed_drc, pub)
Design Principles
- No blockchain — cryptographic signing does not require a shared ledger
- No centralized authority — any party can issue and verify DRCs independently
- No action content — DRCs authorize; they do not log what agents actually did
- No government identity required — human_id is any stable identifier you control
- Provider-agnostic — the standard is independent of any AI provider or cloud
Project Structure
humanroot/
├── humanroot/ # Core SDK
│ ├── models.py # DRC data model
│ ├── crypto.py # ES256 sign/verify
│ ├── chain.py # Sub-delegation + chain validation
│ ├── delegate.py # Public API: delegate()
│ └── cli.py # CLI entry point
├── integrations/ # Framework integrations
│ ├── anthropic_claude.py
│ ├── openai_chat.py
│ ├── langchain.py
│ └── crewai.py
├── server/ # FastAPI server
│ ├── app.py
│ ├── db.py # SQLite persistence
│ └── revocation.py # Revocation with cascade
├── dashboard/ # Web UI — chain explorer
│ └── index.html
├── tests/ # 30 tests
└── spec/ # Formal specification
└── DRC-SPEC-0.1.md
Spec
The formal DRC specification is in spec/DRC-SPEC-0.1.md.
Open questions, contributions, and objections welcome:
github.com/humanrootspec@humanroot.dev
License
MIT
File details
Details for the file humanroot-0.1.0.tar.gz.
File metadata
- Download URL: humanroot-0.1.0.tar.gz
- Upload date:
- Size: 35.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 12c568f2e6eeaf2a7b6ad2d3e2e7c002af16d95ee68fc1d0292ea15a5965ebc8 |
| MD5 | 3dce33529fc4184cdeca2541d2ab2e4f |
| BLAKE2b-256 | fa64f1c3daa8ecedfb77075b3073ef5f3c116a61bf4e5eb5592b7db81536c76c |
File details
Details for the file humanroot-0.1.0-py3-none-any.whl.
File metadata
- Download URL: humanroot-0.1.0-py3-none-any.whl
- Upload date:
- Size: 25.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c415afc5592517c25143c345621d8d25c36ab2feb8f3a3f2743e3d879113960f |
| MD5 | 09a2106d8c2a6b58be284a975f610b2d |
| BLAKE2b-256 | da17d8575332b63c8409621733821dac95a41e47b93b2e9098054b3dc9a5286d |