Skip to content

RFC-013: Inter-Gandalf Delegation Protocol (IMDP) — 8. Anti-Patterns

AIGP SpecificationRFC-013: Inter-Gandalf Delegation Protocol (IMDP) › 8. Anti-Patterns

← 7. Governance · Section index · 9. Limits →

8. Anti-Patterns

IMDP explicitly prevents the following anti-patterns at the protocol level.

8.1 Circular Delegation

Pattern: A delegates to B, B delegates back to A.

Prevention: Every DELEGATE message carries the full delegation chain in the delegation_id. The delegate MUST reject any DELEGATE where the proposed delegate already appears in the chain.

identity-service analytics-service identity-service REJECTED: circular delegation

Validation:

def validate_no_circular(delegation_chain: list[str], proposed_delegate: str) -> bool:
"""Reject if proposed delegate already appears in the chain."""
if proposed_delegate in delegation_chain:
return False # circular reject
return True

8.2 Unbounded Chains

Pattern: A delegates to B, B delegates to C, C delegates to D, …

Prevention: The delegation_depth field is enforced. Max depth is 2. A sub-delegate (depth 2) MUST NOT delegate further.

identity-service (depth 0) analytics-service (depth 1) runbook-service (depth 2) ??? REJECTED: max depth

Validation:

MAX_DELEGATION_DEPTH = 2
def validate_depth(current_depth: int) -> bool:
"""Reject if delegation would exceed max depth."""
if current_depth >= MAX_DELEGATION_DEPTH:
return False # too deep reject
return True

8.3 Privilege Escalation via Delegation

Pattern: A has limited permissions. A delegates to B, which has broader permissions. A uses B’s result to perform actions it couldn’t do directly.

Prevention: The delegate executes under the originator’s governance context, not its own. The AIGP REQUEST for the delegation carries the originator’s app_id, and governance-server evaluates policies against the originator’s permissions.

identity-service delegates to runbook-service:
runbook-service executes under identity-service's governance context
runbook-service cannot access capabilities beyond what identity-service is allowed to delegate
governance-server enforces: identity-service's budget, identity-service's model allowlist, identity-service's consent tier

8.4 Context Leakage

Pattern: Delegate receives more context than needed for the task.

Prevention: The originator assembles a scoped ACP context only the fields required by the delegate’s declared input_context_types. The delegate MUST NOT receive the originator’s full context.

8.5 Fire-and-Forget Delegation

Pattern: Originator delegates and does not track the result.

Prevention: Every DELEGATE requires a callback_url. Every delegation has a timeout_seconds. If no DELEGATE_RESULT is received within the timeout, the originator marks the delegation as TIMEOUT and records it via AIGP.


← 7. Governance · Section index · 9. Limits →