DEV Community: Chudah The latest articles on DEV Community by Chudah (@chudah1). https://dev.to/chudah1 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3842085%2F1e355b55-bd79-4f00-be99-2d11af9da5b6.png DEV Community: Chudah https://dev.to/chudah1 en The Missing Protocol for AI Agent Authorization Chudah Tue, 24 Mar 2026 19:01:34 +0000 https://dev.to/chudah1/the-missing-protocol-for-ai-agent-authorization-2532 https://dev.to/chudah1/the-missing-protocol-for-ai-agent-authorization-2532 <p><em>Your agents have credentials. But can you prove that a specific agent action was authorized by a specific human instruction?</em></p> <h2> The assumption that broke </h2> <p>OAuth was built for one hop. Human clicks "Allow," client gets a token, token hits an API.</p> <p>Agent pipelines don't work like that. A user tells an orchestrator to "research our top 3 competitors and email a summary to the board." The orchestrator spawns a research agent, which calls a web search tool, which feeds results into a summarizer, which hands output to an email agent, which calls the Gmail API. Five hops. Three agents. The original instruction is buried in a context window.</p> <p>OAuth can't represent this. There is no standard mechanism for issuing a narrower downstream token at each hop so the same token gets forwarded, with the same permissions, to every service <br> in the chain. <br> The intent, <em>why</em> this access was granted is nowhere in the token. Scope at each layer is whatever the developer hardcoded. And there's no record of who spawned whom, with what permissions, under whose authority.</p> <p>If you're deploying agents in a regulated environment such as finance, healthcare, anything where an auditor eventually shows up, you have nothing to hand them.</p> <h2> Four gaps that aren't fixable with configuration </h2> <p><strong>1. Multi-hop delegation with scope reduction.</strong><br> OAuth tokens don't narrow. A token with <code>read write</code> can be forwarded to any downstream service with the same permissions. You can build narrowing in application code, but it's not cryptographically enforced. A compromised agent in the middle can forward the full-privilege token.</p> <p><strong>2. Intent binding.</strong><br> No OAuth token carries a commitment to the original instruction. The <code>scope</code> field says <em>what</em> is allowed; nothing says <em>why</em>. An agent with <code>email:send</code> might be running a legitimate task or exfiltrating data. The token is identical either way.</p> <p><strong>3. Delegation ancestry.</strong><br> OAuth introspection tells you about one token. It won't tell you that token B came from token A, which came from token C, which exists because Alice said "research competitors." Reconstructing that graph from logs across services is fragile and breaks the moment one service logs differently.</p> <p><strong>4. Cascade revocation.</strong><br> Revoke the orchestrator's token and every downstream agent should lose access immediately. OAuth doesn't do this. Each token is independent. Tracking and revoking every descendant is entirely your problem.</p> <h2> What a purpose-built credential looks like </h2> <p>I built the <a href="https://github.com/chudah1/attest-dev/blob/main/spec/WCS-01.md" rel="noopener noreferrer">Attest Credential Standard</a> (ACS-01) to fill these gaps. It's a JWT same base format as OAuth with additional claims that encode delegation depth, scope constraints, intent provenance, and chain ancestry.</p> <p>A root credential, issued when a human starts a task:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://api.attestdev.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"agent:orchestrator-v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1742386800</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1742473200</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a1b2c3d4-e5f6-7890-abcd-ef1234567890"</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_tid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"f9e8d7c6-b5a4-3210-fedc-ba9876543210"</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_depth"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_scope"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"email:read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"email:draft"</span><span class="p">,</span><span class="w"> </span><span class="s2">"web:read"</span><span class="p">],</span><span class="w"> </span><span class="nl">"att_intent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3b4c2a...64 hex chars...d2c1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_chain"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"a1b2c3d4-e5f6-7890-abcd-ef1234567890"</span><span class="p">],</span><span class="w"> </span><span class="nl">"att_uid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user:alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>When the orchestrator delegates to an email agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"agent:email-agent-v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c3d4e5f6-a7b8-9012-cdef-012345678901"</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_tid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"f9e8d7c6-b5a4-3210-fedc-ba9876543210"</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_pid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a1b2c3d4-e5f6-7890-abcd-ef1234567890"</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_depth"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_scope"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"email:draft"</span><span class="p">],</span><span class="w"> </span><span class="nl">"att_intent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3b4c2a...same hash...d2c1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"att_chain"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"a1b2c3d4-e5f6-7890-abcd-ef1234567890"</span><span class="p">,</span><span class="w"> </span><span class="s2">"c3d4e5f6-a7b8-9012-cdef-012345678901"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"att_uid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user:alice"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li><p><strong><code>att_scope</code> narrowed.</strong> Parent had three permissions. Child got one. The server enforced the subset check before signing, not application code, the protocol itself.</p></li> <li><p><strong><code>att_intent</code> didn't change.</strong> Same SHA-256 hash of Alice's original instruction, all the way down. A compliance officer can hash the instruction on file and verify it matches any credential in this tree.</p></li> <li><p><strong><code>att_chain</code> grew.</strong> Parent's chain plus this credential's <code>jti</code>. Full ancestry in the token. No log correlation needed.</p></li> <li><p><strong><code>att_pid</code> links to the parent.</strong> The delegation graph is reconstructable from any single token.</p></li> <li><p><strong><code>att_depth</code> incremented.</strong> Capped at 10. Unbounded delegation depth is a security hazard.</p></li> </ul> <h2> How chains grow in practice </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Human: "Review Q1 expenses and flag anomalies to the CFO" │ ├─ orchestrator-v1 depth:0 scope:[finance:read, email:send] │ att_chain: [jti_A] │ ├─ expense-analyzer-v1 depth:1 scope:[finance:read] │ att_chain: [jti_A, jti_B] │ att_pid: jti_A │ └─ email-agent-v1 depth:2 scope:[email:send] att_chain: [jti_A, jti_B, jti_C] att_pid: jti_B </code></pre> </div> <p>Any service receiving <code>jti_C</code> can see the full path back to Alice's instruction. Scope narrowed at every hop. Intent hash identical across all three. Depth caps at 10.</p> <p>Scope uses a <code>resource:action</code> grammar with wildcards (<code>email:*</code>, <code>*:read</code>). At delegation time, the server checks that every child scope entry is covered by a parent entry. You can't forge broader scope without the signing key.</p> <p>Revoke <code>jti_A</code> and the entire tree dies. One call, one transaction.</p> <h2> Cascade revocation </h2> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">jti</span> <span class="k">FROM</span> <span class="n">credentials</span> <span class="k">WHERE</span> <span class="n">jti</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">OR</span> <span class="k">chain</span> <span class="o">@&gt;</span> <span class="n">ARRAY</span><span class="p">[</span><span class="err">$</span><span class="mi">1</span><span class="p">]::</span><span class="nb">text</span><span class="p">[]</span> </code></pre> </div> <p>One query finds every descendant via the chain array (GIN-indexed). Revoke the root, everything downstream is invalidated.</p> <h2> Tamper-evident audit log </h2> <p>Every event, issuance, delegation, verification, revocation, tool calls goes into an append-only, hash-chained log:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>entry_hash = SHA-256(prev_hash || event_type || jti || timestamp) </code></pre> </div> <p>Modify any historical entry and the chain breaks from that point forward. Partitioned by task tree (<code>att_tid</code>), so pulling a complete trail is one query.</p> <h2> Human-in-the-loop approval that doesn't evaporate </h2> <p>Every agent framework has "ask the human first." The problem is the approval disappears. It's a click event in memory. A month later, nobody can prove it happened.</p> <p>Attest separates the approval UI from the proof. The framework keeps its own UX. Attest stamps it cryptographically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Agent needs approval for a dangerous action 2. POST /v1/approvals → challenge_id 3. Framework shows the user whatever it normally would: "Run git push --force? [Approve] [Reject]" 4. User clicks Approve → POST /v1/approvals/{id}/grant with the user's IdP session token 5. Attest verifies identity via OIDC, mints a new credential: att_hitl_req: "challenge_abc123" att_hitl_uid: "usr_alice" att_hitl_iss: "https://login.okta.com/..." 6. Agent proceeds. Approval is on record permanently. </code></pre> </div> <p>The credential is like any other, same chain, same scope, same intent hash but with three extra claims binding a verified human identity to a specific approval. It's a signed artifact, not a log line.</p> <p>Approvals propagate. If the approved credential gets delegated further, the HITL claims come along:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">approved</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">attest</span><span class="p">.</span><span class="nf">grantApproval</span><span class="p">(</span><span class="nx">challengeId</span><span class="p">,</span> <span class="nx">idToken</span><span class="p">);</span> <span class="c1">// approved.claims.att_hitl_uid === "usr_alice"</span> <span class="kd">const</span> <span class="nx">formatter</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">attest</span><span class="p">.</span><span class="nf">delegate</span><span class="p">({</span> <span class="na">parent_token</span><span class="p">:</span> <span class="nx">approved</span><span class="p">.</span><span class="nx">token</span><span class="p">,</span> <span class="na">child_agent</span><span class="p">:</span> <span class="dl">'</span><span class="s1">html-formatter-v1</span><span class="dl">'</span><span class="p">,</span> <span class="na">child_scope</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">email:send</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="c1">// formatter.claims.att_hitl_uid === "usr_alice" ← inherited</span> </code></pre> </div> <p>Sub-agents don't re-prompt the human. The proof flows down the chain.</p> <h2> Action reporting </h2> <p>Credentials prove authorization. Auditors also want to know what happened. Agents report tool calls and lifecycle events into the same hash-chained log:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /v1/audit/report { "token": "&lt;credential&gt;", "tool": "gmail:send", "outcome": "success", "meta": { "to": "board@example.com", "subject": "Competitor Analysis" } } </span></code></pre> </div> <p>Worth being upfront: action reports are self-reported. An agent can lie, or crash before reporting. The credential chain is server-issued and cryptographically enforced. Action reporting is best-effort. For hard enforcement, the tool should verify the credential via <code>AttestVerifier</code> before executing.</p> <h2> In code </h2> <p>Go server with Postgres. TypeScript and Python SDKs on <a href="https://www.npmjs.com/package/@attest-dev/sdk" rel="noopener noreferrer">npm</a> and <a href="https://pypi.org/project/attest-sdk/" rel="noopener noreferrer">PyPI</a>.</p> <p><strong>Issue, delegate, revoke:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AttestClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@attest-dev/sdk</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">attest</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AttestClient</span><span class="p">({</span> <span class="na">baseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.attestdev.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">att_live_...</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">root</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">attest</span><span class="p">.</span><span class="nf">issue</span><span class="p">({</span> <span class="na">agent_id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">orchestrator-v1</span><span class="dl">'</span><span class="p">,</span> <span class="na">user_id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usr_alice</span><span class="dl">'</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">research:read</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">gmail:send</span><span class="dl">'</span><span class="p">],</span> <span class="na">instruction</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Research competitors and email a summary to the board</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">child</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">attest</span><span class="p">.</span><span class="nf">delegate</span><span class="p">({</span> <span class="na">parent_token</span><span class="p">:</span> <span class="nx">root</span><span class="p">.</span><span class="nx">token</span><span class="p">,</span> <span class="na">child_agent</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email-agent-v1</span><span class="dl">'</span><span class="p">,</span> <span class="na">child_scope</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">gmail:send</span><span class="dl">'</span><span class="p">],</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">attest</span><span class="p">.</span><span class="nf">reportAction</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">child</span><span class="p">.</span><span class="nx">token</span><span class="p">,</span> <span class="na">tool</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gmail:send</span><span class="dl">'</span><span class="p">,</span> <span class="na">outcome</span><span class="p">:</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">attest</span><span class="p">.</span><span class="nf">revoke</span><span class="p">(</span><span class="nx">root</span><span class="p">.</span><span class="nx">claims</span><span class="p">.</span><span class="nx">jti</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">audit</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">attest</span><span class="p">.</span><span class="nf">audit</span><span class="p">(</span><span class="nx">root</span><span class="p">.</span><span class="nx">claims</span><span class="p">.</span><span class="nx">att_tid</span><span class="p">);</span> </code></pre> </div> <p><strong>Python with Anthropic SDK integration:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">attest</span> <span class="kn">import</span> <span class="n">AttestClient</span> <span class="kn">from</span> <span class="n">attest.integrations.anthropic_sdk</span> <span class="kn">import</span> <span class="n">AttestSession</span> <span class="n">attest</span> <span class="o">=</span> <span class="nc">AttestClient</span><span class="p">(</span><span class="n">base_url</span><span class="o">=</span><span class="sh">"</span><span class="s">https://api.attestdev.com</span><span class="sh">"</span><span class="p">,</span> <span class="n">api_key</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nc">AttestSession</span><span class="p">(</span> <span class="n">client</span><span class="o">=</span><span class="n">attest</span><span class="p">,</span> <span class="n">agent_id</span><span class="o">=</span><span class="sh">"</span><span class="s">orchestrator</span><span class="sh">"</span><span class="p">,</span> <span class="n">user_id</span><span class="o">=</span><span class="sh">"</span><span class="s">usr_alice</span><span class="sh">"</span><span class="p">,</span> <span class="n">scope</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">web:read</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">files:read</span><span class="sh">"</span><span class="p">],</span> <span class="n">instruction</span><span class="o">=</span><span class="sh">"</span><span class="s">Refactor the authentication module</span><span class="sh">"</span><span class="p">,</span> <span class="n">system_prompt</span><span class="o">=</span><span class="n">SYSTEM_PROMPT</span><span class="p">,</span> <span class="p">)</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="n">child</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">delegate</span><span class="p">(</span><span class="sh">"</span><span class="s">code-reviewer</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">files:read</span><span class="sh">"</span><span class="p">])</span> <span class="n">review</span> <span class="o">=</span> <span class="nf">run_reviewer_agent</span><span class="p">(</span><span class="n">child</span><span class="p">.</span><span class="n">token</span><span class="p">,</span> <span class="sh">"</span><span class="s">src/auth.py</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Block exit revokes the root and all descendants. </span></code></pre> </div> <p>The <code>system_prompt</code> parameter SHA-256s the prompt and tool definitions into <code>att_ack</code>. If the agent's configuration is tampered with between issuance and execution, the checksum breaks. Deterministic, not a heuristic.</p> <p><strong>Verify credentials — no API key needed:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AttestVerifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@attest-dev/sdk</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">verifier</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AttestVerifier</span><span class="p">({</span> <span class="na">orgId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">org_abc123</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">verifier</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">7</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">valid</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">invalid credential</span><span class="dl">'</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">claims</span><span class="p">.</span><span class="nx">att_scope</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">gmail:send</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">insufficient scope</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <p>The verifier fetches the org's JWKS once, caches it, and validates signature, expiry, chain integrity, and live revocation. No API key. No runtime dependency on the Attest server.</p> <h2> What this doesn't solve </h2> <p><strong>Misuse of valid credentials.</strong> If an agent with <code>email:send</code> gets prompt-injected, it can send emails the human never intended. The credential is valid since the scope covers the action. Attest limits blast radius and the intent hash helps detect it after the fact. It does not prevent it.</p> <p><strong>Application-level authorization.</strong> A resource server still decides whether to accept a credential. Attest provides the signed token with scope and ancestry. The server decides policy. Same split as OAuth.</p> <p><strong>Key storage.</strong> The RSA signing key is the root of trust. The server handles rotation and exposes JWKS for verifiers. HSM integration is on you.</p> <h2> Why this exists </h2> <p>Multi-agent systems are in production. Companies are deploying pipelines that send emails, execute code, and move money. The authorization model for most of them is the developer's API key, shared across every agent in the pipeline.</p> <p>That works until something goes wrong or until someone asks you to prove it was right. In sectors where algorithmic decisions carry legal weight, that question arrives eventually. Most teams currently have no answer.</p> <p>ACS-01 is a deployable answer. The spec is open. The server is running. The question it answers is straightforward: can you prove this agent action was authorized?</p> <p><em>Apache 2.0. Spec, server, and SDKs at <a href="https://github.com/chudah1/attest-dev" rel="noopener noreferrer">github.com/chudah1/attest-dev</a>.</em><br> <em>Built with help from Claude Code. The spec, server, <br> SDKs, and demo were scaffolded and iterated in Claude <br> Code sessions.</em></p> ai security agents