agent-authority 0.1.0

package/dist/types.d.ts

@@ -0,0 +1,173 @@
+/**
+ * Core type definitions for Behalf.
+ *
+ * A Mandate is a signed, scoped, time-bound capability token that proves who
+ * authorized what, within which limits, and through which chain of agents.
+ *
+ * The token is a biscuit-style Ed25519 signature chain of blocks. Each block
+ * carries restrictions (caveats) and publishes a fresh public key; the next
+ * block is signed by the matching private key, which the holder must possess to
+ * attenuate (append a narrowing block) or to authorize (prove possession of the
+ * terminal key). The intersection rule is enforced structurally — every cap
+ * caveat must be satisfied — so a downstream agent can only ever shrink
+ * authority, never widen it, and a holder cannot present a truncated prefix of
+ * its chain because it lacks that prefix's terminal key.
+ */
+/** Restriction attached to a mandate. */
+export type Caveat = {
+    t: "principal";
+    principal: string;
+} | {
+    t: "agent";
+    agent: string;
+} | {
+    t: "cap";
+    can: string[];
+} | {
+    t: "expires";
+    at: number;
+} | {
+    t: "id";
+    id: string;
+}
+/**
+ * Cryptographic agent identity binding (SVID-style): the holder must, at
+ * authorize, also prove possession of the private key for this public key.
+ * Conjunctive — every `agentKey` caveat must be satisfied — so a thief who
+ * holds the credential cannot append their own binding to bypass it.
+ */
+ | {
+    t: "agentKey";
+    key: string;
+};
+/**
+ * One link in the delegation chain: a set of restrictions plus the public key
+ * (`nextPub`) that authorizes whoever signs the *next* block.
+ */
+export interface Block {
+    caveats: Caveat[];
+    /** base64url SPKI Ed25519 public key for the next block's signature. */
+    nextPub: string;
+}
+/** Wire form of a mandate — exactly what gets serialized/transmitted. */
+export interface MandateToken {
+    /** Format version. */
+    v: 2;
+    /** Root identifier (stable across the whole delegation chain). */
+    id: string;
+    /** Ordered blocks: root grant first, narrowings appended after. */
+    blocks: Block[];
+    /** Per-block Ed25519 signatures (base64url). sigs[i] signs blocks[i]. */
+    sigs: string[];
+    /** Issuer (root) public key, base64url SPKI — pin this to establish trust. */
+    rootPub: string;
+}
+/**
+ * Proof of possession of a mandate's terminal key, presented at authorize time
+ * to prove the bearer is the legitimate tail of the chain (not a truncated
+ * prefix). `ts` is when it was minted (checked for freshness); `sig` is the
+ * Ed25519 signature over the proof message.
+ */
+export interface Proof {
+    ts: number;
+    sig: string;
+    /**
+     * Optional verifier-issued single-use nonce (from `engine.challenge()`).
+     * When present it is bound into the signature and consumed on use, giving
+     * true anti-replay; without it, replay is bounded only by `proofSkewMs`.
+     */
+    nonce?: string;
+    /**
+     * Agent-identity signatures over the same proof message, one per agent key the
+     * holder controls. At authorize, every `agentKey` caveat in the chain must be
+     * satisfied by one of these (conjunctive), proving the presenter is the bound
+     * agent — not merely a possessor of the credential.
+     */
+    agentSigs?: string[];
+}
+/** Options for {@link Behalf.grant}. */
+export interface GrantOptions {
+    /** The human/org authorizing the agent. */
+    principal: string;
+    /** The agent being authorized. */
+    agent: string;
+    /** Capabilities granted (capability grammar strings). */
+    can: string[];
+    /** Lifetime, e.g. "1h", "10m", "30s", or milliseconds as a number. */
+    expiresIn: string | number;
+    /**
+     * Cryptographically bind this grant to an agent identity (the agent's public
+     * key, base64url). The holder must then prove possession of the matching
+     * private key at authorize — see the `agentKey` caveat.
+     */
+    bindAgent?: string;
+}
+/** Options for {@link Mandate.attenuate}. */
+export interface AttenuateOptions {
+    /** Narrowed capability set — must be a subset/narrowing of the parent's. */
+    can?: string[];
+    /** New (shorter) lifetime relative to now. Never extends past the parent. */
+    expiresIn?: string | number;
+    /** Optionally re-bind to a specific sub-agent. */
+    agent?: string;
+    /**
+     * Add a cryptographic agent-identity binding (the agent's public key,
+     * base64url). Conjunctive with any inherited `agentKey` caveats, so it can
+     * only ever add a requirement, never remove one.
+     */
+    bindAgent?: string;
+}
+/** The decision fields of an audit record, before it is sealed into the chain. */
+export type AuditFields = Pick<AuditEntry, "mandateId" | "chain" | "action" | "decision" | "reason" | "issuer">;
+/** A single hash-chained audit record (integrity-chained; see README Limitations). */
+export interface AuditEntry {
+    seq: number;
+    ts: number;
+    mandateId: string;
+    /** Issuer (root) public key of the mandate, for per-tenant scoping. */
+    issuer?: string;
+    /** Full chain of ids this token belongs to (root → leaf). */
+    chain: string[];
+    action: string;
+    decision: "allow" | "deny";
+    reason?: string;
+    /** Hash of the previous entry (hash chain). */
+    prevHash: string;
+    /** sha256 over (prevHash + canonical entry body). */
+    hash: string;
+}
+/** Result of verifying audit-log integrity. */
+export interface AuditIntegrity {
+    ok: boolean;
+    /** seq of the first broken entry, if any. */
+    brokenAt?: number;
+}
+/**
+ * A signed anchor over the audit log's head. Because the head hash commits to
+ * every prior entry, a stored checkpoint makes later tail-deletion or rewrites
+ * detectable — something the unkeyed hash chain alone cannot do.
+ */
+export interface AuditCheckpoint {
+    /** seq of the head entry at checkpoint time (-1 for an empty log). */
+    seq: number;
+    /** Head entry's hash (the genesis hash for an empty log). */
+    hash: string;
+    ts: number;
+    /** Public key (base64url) of the engine that signed this checkpoint. */
+    signer: string;
+    /** Ed25519 signature over the canonical {seq, hash, ts} message. */
+    sig: string;
+}
+/** A just-in-time consent request tracked by the control plane. */
+export interface ConsentRecord {
+    id: string;
+    agent: string;
+    capability: string;
+    context?: Record<string, unknown>;
+    /** Tenant issuer this request belongs to (set when created with a tenant token). */
+    issuer?: string;
+    status: "pending" | "approved" | "denied" | "expired";
+    createdAt: number;
+    decidedAt?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,yCAAyC;AACzC,MAAM,MAAM,MAAM,GACd;IAAE,CAAC,EAAE,WAAW,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,CAAC,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,CAAC,EAAE,KAAK,CAAC;IAAC,GAAG,EAAE,MAAM,EAAE,CAAA;CAAE,GAC3B;IAAE,CAAC,EAAE,SAAS,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,GAC5B;IAAE,CAAC,EAAE,IAAI,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE;AACzB;;;;;GAKG;GACD;IAAE,CAAC,EAAE,UAAU,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnC;;;GAGG;AACH,MAAM,WAAW,KAAK;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,yEAAyE;AACzE,MAAM,WAAW,YAAY;IAC3B,sBAAsB;IACtB,CAAC,EAAE,CAAC,CAAC;IACL,kEAAkE;IAClE,EAAE,EAAE,MAAM,CAAC;IACX,mEAAmE;IACnE,MAAM,EAAE,KAAK,EAAE,CAAC;IAChB,yEAAyE;IACzE,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,8EAA8E;IAC9E,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,wCAAwC;AACxC,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,yDAAyD;IACzD,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,sEAAsE;IACtE,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,6CAA6C;AAC7C,MAAM,WAAW,gBAAgB;IAC/B,4EAA4E;IAC5E,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,kDAAkD;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,kFAAkF;AAClF,MAAM,MAAM,WAAW,GAAG,IAAI,CAC5B,UAAU,EACV,WAAW,GAAG,OAAO,GAAG,QAAQ,GAAG,UAAU,GAAG,QAAQ,GAAG,QAAQ,CACpE,CAAC;AAEF,sFAAsF;AACtF,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,uEAAuE;IACvE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6DAA6D;IAC7D,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,IAAI,EAAE,MAAM,CAAC;CACd;AAED,+CAA+C;AAC/C,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,OAAO,CAAC;IACZ,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,sEAAsE;IACtE,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,wEAAwE;IACxE,MAAM,EAAE,MAAM,CAAC;IACf,oEAAoE;IACpE,GAAG,EAAE,MAAM,CAAC;CACb;AAED,mEAAmE;AACnE,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB"}

package/dist/types.js

@@ -0,0 +1,17 @@
+/**
+ * Core type definitions for Behalf.
+ *
+ * A Mandate is a signed, scoped, time-bound capability token that proves who
+ * authorized what, within which limits, and through which chain of agents.
+ *
+ * The token is a biscuit-style Ed25519 signature chain of blocks. Each block
+ * carries restrictions (caveats) and publishes a fresh public key; the next
+ * block is signed by the matching private key, which the holder must possess to
+ * attenuate (append a narrowing block) or to authorize (prove possession of the
+ * terminal key). The intersection rule is enforced structurally — every cap
+ * caveat must be satisfied — so a downstream agent can only ever shrink
+ * authority, never widen it, and a holder cannot present a truncated prefix of
+ * its chain because it lacks that prefix's terminal key.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG"}

package/llms.txt

@@ -0,0 +1,106 @@
+# Behalf
+
+> The reference implementation of agent authority. Behalf gives any AI agent a
+> verifiable, scoped, revocable identity and delegation chain in five verbs.
+> MIT-licensed and AI-legible: read this, then use it directly.
+
+Everything is one primitive — a **Mandate**: a signed, scoped, time-bound
+capability token proving who authorized what, within which limits, and through
+which chain of agents. There is exactly one canonical way to do each thing.
+
+## The five verbs (TypeScript)
+
+```ts
+import { Behalf } from "agent-authority";
+
+// 1. GRANT — a principal authorizes an agent: scoped, capped, short-lived
+const mandate = await Behalf.grant({
+  principal: user.id,
+  agent: "research-agent",
+  can: ["read:calendar", "spend:usd<=50"],
+  expiresIn: "1h",
+});
+
+// 2. AUTHORIZE — prove authority before acting (throws if denied)
+await mandate.authorize("spend:usd=20");
+
+// 3. ATTENUATE — hand a NARROWED mandate to a sub-agent; can only shrink scope
+const child = mandate.attenuate({ can: ["read:calendar"], expiresIn: "10m" });
+
+// 4. REVOKE — kill a mandate and its whole downstream chain, instantly
+await Behalf.revoke(mandate.id);
+
+// 5. AUDIT — every authorize() already wrote a hash-chained record
+const trail = await Behalf.audit(mandate.id);
+```
+
+Five verbs: grant, authorize, attenuate, revoke, audit. Do not add a sixth.
+
+## MCP middleware (secure a whole agent in ~6 lines)
+
+```ts
+import { withBehalf } from "agent-authority/mcp";
+
+const server = withBehalf(myMcpServer, {
+  policy: {
+    send_email: "write:email",
+    read_calendar: "read:calendar",
+    transfer_funds: (args) => `spend:usd<=${args.amount}`,
+  },
+  onDenied: "throw", // or "prompt" for just-in-time user consent
+});
+```
+
+Pass the caller's mandate on the call context: `server.callTool(name, args, { mandate })`.
+
+## Capability grammar
+
+```
+read:calendar           # simple capability
+write:repo/acme-app     # resource-scoped (path segments)
+spend:usd<=50           # quantitative limit
+send:email rate<=10/h   # rate limit
+*                       # wildcard (discouraged; lint warns)
+```
+
+When authorizing, name a concrete amount: `spend:usd=20` is checked against the
+grant's `spend:usd<=50`.
+
+## Rules an agent must follow
+
+- Use only the five verbs. `attenuate()` only ever narrows (throws `WideningError`
+  on a wider or direction-flipped request).
+- Effective authority = the principal's grant ∩ every narrowing along the chain.
+  A compromised middle agent can never widen scope.
+- A mandate is a biscuit-style Ed25519 signature chain. **Authorizing requires
+  proving possession of the chain's terminal key**, so a serialized token is not
+  a usable bearer credential and a holder cannot truncate its chain to regain a
+  parent's scope. `mandate.authorize(action)` does this in-process. Across a
+  boundary, present `mandate.prove(action)` and verify with
+  `engine.authorize(token, action, proof)` (or use `agent-authority/a2a`).
+- For an advisory "would this scope allow X?" check (no possession), use
+  `engine.inspect(token, action)`.
+- Verification is offline (signature + scope + expiry + possession), public-key
+  only. Revocation and the shared rate cap need a network check.
+- Prefer short `expiresIn` and the tightest `can` that still does the job.
+
+## Discovery tools (MCP)
+
+`agent-authority/mcp` exposes `request_mandate`, `present_mandate`, and `check_authority`
+(advisory) so any agent can obtain and reason about authority natively. Get them
+via `behalfMcpTools()`, or run the standalone server: `node dist/mcp-server.js`.
+
+## Quickstarts & schemas
+
+- `agent-authority quickstart <surface>` wires it into Claude Code, Cursor, Copilot,
+  Gemini, GPT, or any AI (see QUICKSTART.md).
+- Typed schemas: /schemas/mandate.schema.json, /schemas/capability.schema.json.
+
+## What maps to the standard underneath
+
+- Mandate ↔ Agentic JWT / capability tokens (IBCT-style)
+- attenuate() + proof-of-possession ↔ biscuit-style attenuation & sealing
+- principal → agent grant ↔ OAuth 2.1 On-Behalf-Of / token exchange (RFC 8693)
+- agent identity ↔ SPIFFE / SVID
+- audit record ↔ provenance / non-repudiation records
+- transport ↔ MCP + A2A authorization layers

package/package.json

@@ -0,0 +1,107 @@
+{
+  "name": "agent-authority",
+  "version": "0.1.0",
+  "description": "Authorization for AI agents: verifiable, scoped, revocable capability tokens (mandates) with attenuable delegation, for MCP and A2A. The reference implementation of agent authority — zero-dependency TypeScript & Python.",
+  "type": "module",
+  "license": "MIT",
+  "sideEffects": false,
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/novaai0401-ui/agent-authority.git"
+  },
+  "homepage": "https://github.com/novaai0401-ui/agent-authority#readme",
+  "bugs": {
+    "url": "https://github.com/novaai0401-ui/agent-authority/issues"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "keywords": [
+    "agent-authority",
+    "agent",
+    "authority",
+    "authorization",
+    "ai-agents",
+    "agentic",
+    "llm",
+    "delegation",
+    "capability",
+    "capability-tokens",
+    "capability-based-security",
+    "least-privilege",
+    "mandate",
+    "macaroons",
+    "biscuit",
+    "oauth",
+    "on-behalf-of",
+    "spiffe",
+    "ed25519",
+    "revocation",
+    "mcp",
+    "mcp-server",
+    "a2a",
+    "tool-calling",
+    "permissions"
+  ],
+  "files": [
+    "dist",
+    "schemas",
+    "vectors",
+    "llms.txt",
+    "QUICKSTART.md",
+    "CHANGELOG.md"
+  ],
+  "bin": {
+    "agent-authority": "./dist/cli.js",
+    "agent-authority-mcp": "./dist/mcp-server.js",
+    "agent-authority-control-plane": "./dist/control-plane.js"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./mcp": {
+      "types": "./dist/mcp.d.ts",
+      "import": "./dist/mcp.js"
+    },
+    "./a2a": {
+      "types": "./dist/a2a.d.ts",
+      "import": "./dist/a2a.js"
+    },
+    "./server": {
+      "types": "./dist/mcp-server.d.ts",
+      "import": "./dist/mcp-server.js"
+    },
+    "./control-plane": {
+      "types": "./dist/control-plane.d.ts",
+      "import": "./dist/control-plane.js"
+    },
+    "./remote": {
+      "types": "./dist/remote.d.ts",
+      "import": "./dist/remote.js"
+    },
+    "./llms.txt": "./llms.txt"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "tsc -p tsconfig.test.json && node scripts/run-tests.mjs",
+    "test:interop": "npm run build && node scripts/interop.mjs",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "prepublishOnly": "npm run build && npm test",
+    "example:data-access": "node dist-test/examples/data-access-agent.js",
+    "example:spend": "node dist-test/examples/spend-limited-agent.js",
+    "example:delegation": "node dist-test/examples/two-agent-delegation.js",
+    "example:a2a": "node dist-test/examples/a2a-delegation.js",
+    "example:control-plane": "node dist-test/examples/control-plane.js",
+    "examples": "tsc -p tsconfig.test.json && node scripts/run-examples.mjs"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "devDependencies": {
+    "@types/node": "^25.9.2",
+    "typescript": "^5.4.0"
+  }
+}

package/schemas/capability.schema.json

@@ -0,0 +1,14 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://behalf.dev/schemas/capability.schema.json",
+  "title": "Behalf Capability",
+  "description": "A capability string in the Behalf grammar: <verb>:<resource>[<op><amount>] [rate<op><value>/<unit>]. Examples: read:calendar, write:repo/acme-app, spend:usd<=50, send:email rate<=10/h, * (wildcard, discouraged).",
+  "type": "string",
+  "pattern": "^(\\*|[^:\\s]+:[^<>=\\s]+((<=|>=|<|>|=)[0-9]*\\.?[0-9]+)?(\\s+rate(<=|>=|<|>|=)[0-9]*\\.?[0-9]+(/[smhd])?)*)$",
+  "examples": [
+    "read:calendar",
+    "write:repo/acme-app",
+    "spend:usd<=50",
+    "send:email rate<=10/h"
+  ]
+}

package/schemas/mandate.schema.json

@@ -0,0 +1,68 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://behalf.dev/schemas/mandate.schema.json",
+  "title": "Behalf Mandate Token",
+  "description": "The wire form of a Mandate: a signed, scoped, time-bound capability token. Macaroon-style: a root identifier plus ordered caveats bound by an HMAC chain. Holders may append narrowing caveats (attenuation) but can never widen.",
+  "type": "object",
+  "required": ["v", "id", "caveats", "sig"],
+  "additionalProperties": false,
+  "properties": {
+    "v": { "const": 1, "description": "Token format version." },
+    "id": {
+      "type": "string",
+      "description": "Root identifier, stable across the whole delegation chain."
+    },
+    "caveats": {
+      "type": "array",
+      "description": "Ordered restrictions; root grant first, narrowings appended.",
+      "items": { "$ref": "#/$defs/caveat" }
+    },
+    "sig": {
+      "type": "string",
+      "pattern": "^[0-9a-f]+$",
+      "description": "HMAC chain signature over (id, caveats...). Hex."
+    }
+  },
+  "$defs": {
+    "caveat": {
+      "oneOf": [
+        {
+          "type": "object",
+          "required": ["t", "principal"],
+          "additionalProperties": false,
+          "properties": { "t": { "const": "principal" }, "principal": { "type": "string" } }
+        },
+        {
+          "type": "object",
+          "required": ["t", "agent"],
+          "additionalProperties": false,
+          "properties": { "t": { "const": "agent" }, "agent": { "type": "string" } }
+        },
+        {
+          "type": "object",
+          "required": ["t", "can"],
+          "additionalProperties": false,
+          "properties": {
+            "t": { "const": "cap" },
+            "can": {
+              "type": "array",
+              "items": { "$ref": "https://behalf.dev/schemas/capability.schema.json" }
+            }
+          }
+        },
+        {
+          "type": "object",
+          "required": ["t", "at"],
+          "additionalProperties": false,
+          "properties": { "t": { "const": "expires" }, "at": { "type": "integer", "description": "Expiry, ms since epoch." } }
+        },
+        {
+          "type": "object",
+          "required": ["t", "id"],
+          "additionalProperties": false,
+          "properties": { "t": { "const": "id" }, "id": { "type": "string" } }
+        }
+      ]
+    }
+  }
+}

package/vectors/mandate-vector.json

@@ -0,0 +1,63 @@
+{
+  "description": "Cross-language Behalf test vector. Verify with trust=[pubkey] and a clock fixed at proof.ts: engine.authorize(token, action, proof) must ALLOW; tampering any field must DENY. Proof message: behalf-pop\\n{id}\\n{sigs,}\\n{ts}\\n{action}\\n{nonce-or-empty}.",
+  "action": "spend:usd=10",
+  "pubkey": "h4tQPvHL33UEH-y-vAbp37Q0DgCaUvKhNUb1RPITXBg",
+  "token": {
+    "v": 2,
+    "id": "fc05e43e-5299-4725-8912-20a525a54135",
+    "blocks": [
+      {
+        "caveats": [
+          {
+            "t": "principal",
+            "principal": "vector"
+          },
+          {
+            "t": "agent",
+            "agent": "root"
+          },
+          {
+            "t": "cap",
+            "can": [
+              "read:calendar",
+              "spend:usd<=50"
+            ]
+          },
+          {
+            "t": "expires",
+            "at": 1781270690715
+          }
+        ],
+        "nextPub": "DuqOtYTt-eMazEo0IRCEFK77rtMz0GVGgRGeUX3wBtE"
+      },
+      {
+        "caveats": [
+          {
+            "t": "cap",
+            "can": [
+              "spend:usd<=20"
+            ]
+          },
+          {
+            "t": "agent",
+            "agent": "sub"
+          },
+          {
+            "t": "id",
+            "id": "d067b7fe-02a9-46be-ab40-dbebeecea96e"
+          }
+        ],
+        "nextPub": "hJn-jjbxXzcow0tf-bnMuTa5EVFAEZO-k5B7qfa9Www"
+      }
+    ],
+    "sigs": [
+      "ncNFmqcb5omNijLf1d2KZk-vj-Kw5VTQDZluc6L1XHYcKC9KJlWiuNQNd9RLWV1TU8bs1TZo367RC3Q6VG4gDA",
+      "uFaNyCSQI6P2lRiyvykqTDyobZ2SKOvG8yetGzv0po9ee6oqn-2QeW0SFWxQRPnhWfj4xXwA_t6s1olF3X8dDQ"
+    ],
+    "rootPub": "h4tQPvHL33UEH-y-vAbp37Q0DgCaUvKhNUb1RPITXBg"
+  },
+  "proof": {
+    "ts": 1781267090717,
+    "sig": "bgzRquVLdMnQrFKgD0Sese6MbcRGXC_7dXWMVSV9F3EMT6LpfrCgH_YQABhVWpgvCqkX9z9ZJsrq_9OGPAioAg"
+  }
+}