dyolo-kya 1.0.0

Know Your Agent (KYA): cryptographic chain-of-custody for recursive AI delegation with provable scope narrowing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214

use blake3::Hasher;
use ed25519_dalek::{Signature, Verifier, VerifyingKey};

use crate::crypto::{DOMAIN_CERT_FP, DOMAIN_CERT_SIG};
use crate::identity::DyoloIdentity;
use crate::intent::IntentHash;
use crate::registry::fresh_nonce;
use crate::SubScopeProof;

/// A single cryptographically sealed delegation hop.
///
/// One `DelegationCert` represents the act of `delegator` granting
/// `delegate` the authority to act within `scope_root`, optionally
/// restricting that scope to a proven subset via `scope_proof`.
///
/// The Ed25519 signature covers every field including the `SubScopeProof`
/// commitment, making it impossible to swap or forge the scope proof on
/// an existing certificate.
#[derive(Clone, Debug)]
#[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
pub struct DelegationCert {
    /// The identity granting this delegation.
    pub delegator_pk: VerifyingKey,
    /// The identity receiving this delegation.
    pub delegate_pk: VerifyingKey,
    /// The Merkle root of the authorized intent set for `delegate`.
    pub scope_root: IntentHash,
    /// Proof that `scope_root` is a valid subset of the delegator's scope.
    pub scope_proof: SubScopeProof,
    /// Replay-prevention token. Must be globally unique per chain.
    pub nonce: [u8; 16],
    /// Unix timestamp at which this delegation becomes valid.
    pub issued_at: u64,
    /// Unix timestamp at which this delegation expires.
    pub expiration_unix: u64,
    /// Maximum number of further delegation hops permitted below this cert.
    pub max_depth: u8,
    /// Ed25519 signature by `delegator_pk` over all of the above.
    pub signature: Signature,
}

impl DelegationCert {
    #[inline(always)]
    pub(crate) fn signable_bytes(
        delegator_pk: &VerifyingKey,
        delegate_pk: &VerifyingKey,
        scope_root: &IntentHash,
        scope_proof: &SubScopeProof,
        nonce: &[u8; 16],
        issued_at: u64,
        expiration_unix: u64,
        max_depth: u8,
    ) -> Vec<u8> {
        let domain_bytes = DOMAIN_CERT_SIG.as_bytes();
        let exact_len = domain_bytes.len() + 32 + 32 + 32 + 32 + 16 + 8 + 8 + 1;

        let mut m = Vec::with_capacity(exact_len);
        m.extend_from_slice(domain_bytes);
        m.extend_from_slice(delegator_pk.as_bytes());
        m.extend_from_slice(delegate_pk.as_bytes());
        m.extend_from_slice(scope_root);
        m.extend_from_slice(&scope_proof.commitment());
        m.extend_from_slice(nonce);
        m.extend_from_slice(&issued_at.to_be_bytes());
        m.extend_from_slice(&expiration_unix.to_be_bytes());
        m.push(max_depth);

        debug_assert_eq!(
            m.len(),
            exact_len,
            "signable_bytes length mismatch: expected {exact_len}, got {}",
            m.len()
        );
        m
    }

    pub(crate) fn issue(
        delegator: &DyoloIdentity,
        delegate_pk: VerifyingKey,
        scope_root: IntentHash,
        scope_proof: SubScopeProof,
        nonce: [u8; 16],
        issued_at: u64,
        expiration_unix: u64,
        max_depth: u8,
    ) -> Self {
        let delegator_pk = delegator.verifying_key();
        let msg = Self::signable_bytes(
            &delegator_pk,
            &delegate_pk,
            &scope_root,
            &scope_proof,
            &nonce,
            issued_at,
            expiration_unix,
            max_depth,
        );
        Self {
            delegator_pk,
            delegate_pk,
            scope_root,
            scope_proof,
            nonce,
            issued_at,
            expiration_unix,
            max_depth,
            signature: delegator.sign(&msg),
        }
    }

    pub(crate) fn verify_signature(&self) -> bool {
        let msg = Self::signable_bytes(
            &self.delegator_pk,
            &self.delegate_pk,
            &self.scope_root,
            &self.scope_proof,
            &self.nonce,
            self.issued_at,
            self.expiration_unix,
            self.max_depth,
        );
        self.delegator_pk.verify(&msg, &self.signature).is_ok()
    }

    /// A 32-byte fingerprint of this certificate, suitable as a revocation key
    /// or an audit log entry identifier.
    #[must_use]
    pub fn fingerprint(&self) -> [u8; 32] {
        let mut h = Hasher::new_derive_key(DOMAIN_CERT_FP);
        h.update(&self.signature.to_bytes());
        h.finalize().into()
    }
}

// ── Certificate Builder ───────────────────────────────────────────────────────

/// Ergonomic builder for [`DelegationCert`].
///
/// # Examples
///
/// ```rust,ignore
/// // Full-scope delegation:
/// let cert = CertBuilder::new(agent.verifying_key(), scope_root, now, expiry)
///     .sign(&delegator);
///
/// // Narrowed scope with a depth cap:
/// let proof = SubScopeProof::build(&parent_tree, &[trade_intent])?;
/// let cert = CertBuilder::new(agent.verifying_key(), sub_root, now, expiry)
///     .scope_proof(proof)
///     .max_depth(4)
///     .sign(&delegator);
/// ```
pub struct CertBuilder {
    delegate_pk:     VerifyingKey,
    scope_root:      IntentHash,
    scope_proof:     SubScopeProof,
    nonce:           [u8; 16],
    issued_at:       u64,
    expiration_unix: u64,
    max_depth:       u8,
}

impl CertBuilder {
    /// Start building a certificate. A fresh nonce is generated automatically.
    pub fn new(
        delegate_pk: VerifyingKey,
        scope_root: IntentHash,
        issued_at: u64,
        expiration_unix: u64,
    ) -> Self {
        Self {
            delegate_pk,
            scope_root,
            scope_proof: SubScopeProof::full_passthrough(),
            nonce: fresh_nonce(),
            issued_at,
            expiration_unix,
            max_depth: 16,
        }
    }

    /// Attach a sub-scope proof. If omitted, the cert uses full-scope pass-through.
    pub fn scope_proof(mut self, proof: SubScopeProof) -> Self {
        self.scope_proof = proof;
        self
    }

    /// Override the auto-generated nonce. Use only in tests with a fixed value.
    pub fn nonce(mut self, nonce: [u8; 16]) -> Self {
        self.nonce = nonce;
        self
    }

    /// Set the maximum number of further delegation hops below this certificate.
    /// Defaults to `16`. Set to `0` to produce a terminal (leaf-only) delegation.
    pub fn max_depth(mut self, depth: u8) -> Self {
        self.max_depth = depth;
        self
    }

    /// Sign and produce the final certificate.
    pub fn sign(self, delegator: &DyoloIdentity) -> DelegationCert {
        DelegationCert::issue(
            delegator,
            self.delegate_pk,
            self.scope_root,
            self.scope_proof,
            self.nonce,
            self.issued_at,
            self.expiration_unix,
            self.max_depth,
        )
    }
}