Delegation Chains

Overview

Delegations allow a mandate's authority to flow through multiple agents. Each hop can only narrow scope: the receiving agent never holds more permissions than the delegating agent. This enables hierarchical authorization patterns across teams and organizations.

Creating a Delegation

truss mandate delegate <parent-id> <child-id> \
  --delegating-agent <id> \
  --receiving-agent <id> \
  --receiving-org <id> \
  --scope-reduction read-only

Cross-Boundary Delegations

To delegate across organizations, add the cross-boundary flags:

truss mandate delegate <parent-id> <child-id> \
  --delegating-agent <id> \
  --receiving-agent <id> \
  --receiving-org <id> \
  --scope-reduction read-only \
  --cross-boundary \
  --boundary-type organization

Security

  • Nonce replay protection: each delegation hop carries a unique nonce, preventing replay attacks.
  • Automatic expiry: each hop expires after 24 hours by default. The mandate must be renewed or re-delegated to extend the chain.
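
As an added illustration, not code from truss itself, the following Python model checks the chain invariants described on this page over a constructed two-hop chain: a hop may only narrow scope, every nonce is single-use, a hop is rejected once its 24-hour lifetime elapses, and each hop's delegating agent must be the previous hop's receiver. The Hop fields, make_hop and validate_chain are assumptions for this example; truss's real data model is not shown here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_TTL = timedelta(hours=24)  # the page's default per-hop lifetime

@dataclass(frozen=True)
class Hop:  # assumed shape for this example, not truss's own type
    hop_id: str
    delegating_agent: str
    receiving_agent: str
    scope: frozenset  # permissions the receiving agent ends up with
    nonce: str
    expires_at: datetime

def make_hop(hop_id, delegating_agent, receiving_agent, scope, nonce, issued_at, ttl=DEFAULT_TTL):
    """Build a hop whose expiry defaults to 24 hours after issuance."""
    return Hop(hop_id, delegating_agent, receiving_agent, frozenset(scope), nonce, issued_at + ttl)

def validate_chain(root_scope, hops, used_nonces, now):
    """Walk the chain from the root mandate and return (ok, reason).
    A hop is rejected if it does not link to the previous receiver, widens
    scope, reuses a nonce (from the store or earlier in the chain), or has expired."""
    allowed = frozenset(root_scope)
    seen = set(used_nonces)  # local copy: nothing is recorded unless the whole chain passes
    prev_receiver = None
    for hop in hops:
        if prev_receiver is not None and hop.delegating_agent != prev_receiver:
            return False, f"{hop.hop_id}: delegating agent is not the previous hop's receiver"
        if not hop.scope <= allowed:
            return False, f"{hop.hop_id}: scope widened by {sorted(hop.scope - allowed)}"
        if hop.nonce in seen:
            return False, f"{hop.hop_id}: nonce replayed"
        if now >= hop.expires_at:
            return False, f"{hop.hop_id}: hop expired"
        seen.add(hop.nonce)
        allowed = hop.scope
        prev_receiver = hop.receiving_agent
    return True, "ok"

# Constructed sample data: two hops ending in a read-only grant to another org's agent
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
ROOT_SCOPE = {"read", "write", "delete"}
CHAIN = [
    make_hop("hop-1", "agent-a1", "agent-a2", {"read", "write"}, "n-001", T0),
    make_hop("hop-2", "agent-a2", "agent-b1", {"read"}, "n-002", T0 + timedelta(hours=1)),
]
WIDENED = CHAIN[:1] + [make_hop("hop-2", "agent-a2", "agent-b1", {"read", "delete"}, "n-003", T0)]
REPLAYED = CHAIN[:1] + [make_hop("hop-2", "agent-a2", "agent-b1", {"read"}, "n-001", T0)]
```

Calling validate_chain(ROOT_SCOPE, CHAIN, set(), T0) accepts the chain, while the WIDENED and REPLAYED variants, or evaluating CHAIN at hop-1's expires_at, are each rejected with the offending hop named in the reason.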

Viewing Delegations

truss delegation list -m <mandate-id>
truss delegation get <hop-id>