§dyolo-kya — Know Your Agent v2.0.0
Cryptographic chain-of-custody for recursive AI agent delegation.
§What it solves
When one AI agent delegates a task to another, the authorization chain breaks down — a liability called the “Recursive Delegation Gap.” This library closes that gap with a native Know Your Agent (KYA) protocol: every action executed by any agent in a delegation tree carries an irrefutable, cryptographically verified chain proving exactly which human authorized it, with enforced scope boundaries that hold offline.
§v2.0.0 additions over v1
- Namespace isolation — `DyoloChain::with_namespace("tenant-id")` cryptographically binds a chain to a single tenant. A cert issued for tenant-a cannot authorize under tenant-b. Hard multi-tenant separation with zero configuration overhead.
- Storage health checks — `NonceStore::health_check()` and `RevocationStore::health_check()` propagate to gateway `/healthz` so load balancers pull degraded instances automatically.
- Rate limiting trait — `RateLimitStore` + `MemoryRateLimitStore` cap intent executions per principal per time window. Plug in a Redis or Postgres backend for distributed enforcement.
- KyaContext builder — wire all dependencies in three lines:

```rust
let ctx = KyaContext::builder()
    .namespace("my-tenant")
    .build();
let action = ctx.authorize(&chain, &agent_pk, &intent, &proof)?;
```
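A sketch of the per-principal, per-window cap described in the rate-limiting item above, added here as an illustration and not taken from dyolo-kya. `WindowLimiter` and `check_and_record` are hypothetical names, not the crate's `RateLimitStore` API, and keying the counter by namespace as well as principal is an assumption of this example.

```rust
use std::collections::HashMap;

/// Hypothetical fixed-window limiter; not dyolo-kya's RateLimitStore API.
pub struct WindowLimiter {
    max_per_window: u32,
    window_secs: u64,
    // (namespace, principal) -> (window index, executions counted in it)
    counters: HashMap<(String, String), (u64, u32)>,
}

impl WindowLimiter {
    pub fn new(max_per_window: u32, window_secs: u64) -> Self {
        assert!(window_secs > 0, "window must be non-zero");
        Self { max_per_window, window_secs, counters: HashMap::new() }
    }

    /// Records one intent execution at `now_secs` (caller-supplied clock, so
    /// tests are deterministic). Returns false once the cap is reached.
    pub fn check_and_record(&mut self, namespace: &str, principal: &str, now_secs: u64) -> bool {
        let window = now_secs / self.window_secs;
        let slot = self
            .counters
            .entry((namespace.to_owned(), principal.to_owned()))
            .or_insert((window, 0));
        if slot.0 != window {
            *slot = (window, 0); // new window: reset the count
        }
        if slot.1 >= self.max_per_window {
            return false; // denied attempts are not counted
        }
        slot.1 += 1;
        true
    }
}

fn main() {
    let mut limiter = WindowLimiter::new(2, 60);
    // Constructed sample events: (namespace, principal, time in seconds)
    let events = [
        ("tenant-a", "agent-1", 0),
        ("tenant-a", "agent-1", 10),
        ("tenant-a", "agent-1", 20), // third call in the window: denied
        ("tenant-b", "agent-1", 20), // same principal name, other tenant
        ("tenant-a", "agent-1", 61), // next window: allowed again
    ];
    for (ns, who, t) in events {
        let ok = limiter.check_and_record(ns, who, t);
        println!("{}/{} t={}s allowed={}", ns, who, t, ok);
    }
}
```

A fixed window lets a principal spend up to twice the cap in a short burst that straddles a window boundary, so size the cap with that in mind. The counters here live in one process, which is why a shared backend is needed before the limit holds across several gateway instances.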
§Feature flags
| Flag | Description |
|---|---|
| `serde` | Serialization for all core types. Required for most integrations. |
| `async` | `AsyncNonceStore`, `AsyncRevocationStore`, `AsyncKyaContext`. |
| `wire` | `SignedChain`, `VerifiedToken`, `CertExtensions` (requires `serde`). |
| `tracing` | Structured tracing spans during authorization. |
| `ffi` | C ABI for Python, Go, Java, and Node.js (requires `wire`). |
| `policy-yaml` | Parse delegation policies from YAML files. |
| `schema` | JSON Schema export for `SignedChain`. |
| `full` | All of the above except `ffi`. |
§Re-exports
- `pub use audit::AuditEvent;`
- `pub use audit::AuditOutcome;`
- `pub use audit::AuditSink;`
- `pub use audit::CompositeAuditSink;`
- `pub use audit::LogAuditSink;`
- `pub use audit::NoopAuditSink;`
- `pub use cert::CertBuilder;`
- `pub use cert::CertBundle;`
- `pub use cert::DelegationCert;`
- `pub use cert::CERT_VERSION;`
- `pub use chain::AuthorizedAction;`
- `pub use chain::BatchAuthorizeResult;`
- `pub use chain::Clock;`
- `pub use chain::DyoloChain;`
- `pub use chain::SystemClock;`
- `pub use chain::VerificationReceipt;`
- `pub use context::KyaContext;`
- `pub use error::KyaError;`
- `pub use error::KyaStorageError;`
- `pub use error::StorageErrorKind;`
- `pub use identity::DyoloIdentity;`
- `pub use identity::Signer;`
- `pub use intent::intent_hash;` (Deprecated)
- `pub use intent::Intent;`
- `pub use intent::IntentHash;`
- `pub use intent::IntentTree;`
- `pub use intent::MerkleProof;`
- `pub use intent::SiblingNode;`
- `pub use intent::SubScopeProof;`
- `pub use policy::CapabilitySet;`
- `pub use policy::DelegationPolicy;`
- `pub use policy::PolicySet;`
- `pub use registry::fresh_nonce;`
- `pub use registry::MemoryNonceStore;`
- `pub use registry::MemoryRateLimitStore;`
- `pub use registry::MemoryRevocationStore;`
- `pub use registry::NonceStore;`
- `pub use registry::RateLimitStore;`
- `pub use registry::RevocationStore;`
- `pub use cert_extensions::CertExtensions;` (feature: `wire`)
- `pub use cert_extensions::ExtValue;` (feature: `wire`)
- `pub use context::AsyncKyaContext;` (feature: `async`)
- `pub use registry::async::AsyncNonceStore;` (feature: `async`)
- `pub use registry::async::AsyncRateLimitStore;` (feature: `async`)
- `pub use registry::async::AsyncRevocationStore;` (feature: `async`)
- `pub use registry::async::SyncNonceAdapter;` (feature: `async`)
- `pub use registry::async::SyncRevocationAdapter;` (feature: `async`)
- `pub use audit::async::AsyncAuditSink;` (feature: `async`)
- `pub use audit::async::SyncAuditAdapter;` (feature: `async`)
- `pub use identity::AsyncSigner;` (feature: `async`)