proposal: reputation-gated authority — compose trust scoring with delegation chains

[aeoess]

Adds a design proposal for composing AgentMesh's TrustManager trust scoring with its delegation system, so that effective authority is resolved component-wise at execution time. Covers:

• 6 formal invariants (no widening, trust monotonicity, revocation precedence, enforcement freshness, deterministic resolution, lineage bound)
• Component-wise narrowing (capability intersection, spend minimum, policy-selected enforcement)
• Capability matching semantics (wildcards, namespaces, deny precedence, expansion at load time)
• Split capability families (admin:observability vs admin:policy vs admin:identity)
• Event-driven cache invalidation for live trust rechecks
• Trust feedback isolation (denials don't create death spirals)
• Bootstrap/cold-start behavior with lineage-bound initial trust
• Four decision types: allow, allow_narrowed, deny, audit

References #140.

Based on the working implementation in Agent Passport System (Apache 2.0, 534 tests).

[aeoess]

@microsoft-github-policy-service agree

[imran-siddique]

Thanks for this @aeoess — really strong proposal. The 6 invariants are well-formulated, the component-wise narrowing model is the right abstraction, and the trust feedback isolation rule (denials don't spiral scores) is exactly the kind of edge case that matters in production. This is clearly informed by real implementation experience.

We'd like to merge the proposal as-is into docs/proposals/ — it's a valuable design document for the community.

On the implementation path

Looking at the integration table at the bottom of the proposal, most of the changes touch core AgentMesh internals (identity/delegation.py, trust/scoring.py, TrustManager, PolicyEngine). We want to be careful about the architecture here.

Our preferred direction: integration interfaces, not core modifications.

Rather than embedding resolve_effective_authority() directly into the PolicyEngine pipeline, we'd like to:

1. Define an AuthorityResolver protocol/interface in AgentMesh that the PolicyEngine calls at the right point in the evaluation pipeline. This is the hook your proposal needs.

2. You own the implementation — publish it as a package (e.g., agentmesh-reputation-gate or as part of Agent Passport System) that implements the AuthorityResolver protocol. This means:

   • You control the release cadence
   • Your 534-test suite covers your code
   • Users pip install your package and register it with the toolkit

3. We expose the minimal interface changes in AgentMesh core:

   • AuthorityResolver protocol with resolve(identity, delegation, action) -> AuthorityDecision
   • TrustScoreChanged event emission from TrustManager (for your cache invalidation)
   • CapabilityModel.check() accepting an effective_scope override
   • Lineage-bound initial trust in identity.delegate() (Invariant 6 — this one likely belongs in core)

This way, the core toolkit stays focused on the enforcement boundary and trust primitives, and the reputation-gated authority composition logic lives in your package where you can iterate on it independently.

Concretely, next steps we'd suggest:

1. We merge this proposal now ✅
2. We open an issue for the AuthorityResolver protocol interface design (we'll draft the interface based on your proposal's data model)
3. You implement against that interface in Agent Passport System
4. We add an integration example in docs/proposals/ or examples/ showing how to wire it up

Does this direction work for you? The goal is to get the right extension points into AgentMesh so you (and others) can build authority composition models without forking core.

[aeoess]

@imran-siddique Makes sense. Integration interfaces over core modifications keeps both projects independently releasable, which is what we'd want anyway.

The AuthorityResolver protocol in #275 is the right hook. I'll implement it as part of the Agent Passport System SDK - resolve() maps directly to our existing resolve_authority() in the ProxyGateway, so the implementation path is straightforward.

On the four steps:

1. Merge proposal - done, thank you
2. AuthorityResolver interface in feat: AuthorityResolver protocol interface for reputation-gated authority #275 — I'll follow and comment on the design there
3. Implementation - I'll publish it as a standalone package (likely agentmesh-reputation-gate or similar) that implements the AuthorityResolver protocol. This way your 534-test suite stays ours to maintain and users pip install to opt in
4. Integration example - happy to contribute one to docs/proposals/ or examples/ once the interface is stable

The trust feedback isolation rule came from a real production bug where a new agent got stuck in a death spiral — blocked by low trust, penalized for being blocked, repeat. Glad that resonated.

Will start tracking #275 for the interface spec.