RFC-013: Inter-Gandalf Delegation Protocol (IMDP) — 8. Anti-Patterns
AIGP Specification › RFC-013: Inter-Gandalf Delegation Protocol (IMDP) › 8. Anti-Patterns
← 7. Governance · Section index · 9. Limits →
8. Anti-Patterns
IMDP explicitly prevents the following anti-patterns at the protocol level.
8.1 Circular Delegation
Pattern: A delegates to B, B delegates back to A.
Prevention: Every DELEGATE message carries the full delegation chain in the delegation_id. The delegate MUST reject any DELEGATE where the proposed delegate already appears in the chain.
identity-service analytics-service identity-service REJECTED: circular delegationValidation:
def validate_no_circular(delegation_chain: list[str], proposed_delegate: str) -> bool: """Reject if proposed delegate already appears in the chain.""" if proposed_delegate in delegation_chain: return False # circular reject return True8.2 Unbounded Chains
Pattern: A delegates to B, B delegates to C, C delegates to D, …
Prevention: The delegation_depth field is enforced. Max depth is 2. A sub-delegate (depth 2) MUST NOT delegate further.
identity-service (depth 0) analytics-service (depth 1) runbook-service (depth 2) ??? REJECTED: max depthValidation:
MAX_DELEGATION_DEPTH = 2
def validate_depth(current_depth: int) -> bool: """Reject if delegation would exceed max depth.""" if current_depth >= MAX_DELEGATION_DEPTH: return False # too deep reject return True8.3 Privilege Escalation via Delegation
Pattern: A has limited permissions. A delegates to B, which has broader permissions. A uses B’s result to perform actions it couldn’t do directly.
Prevention: The delegate executes under the originator’s governance context, not its own. The AIGP REQUEST for the delegation carries the originator’s app_id, and governance-server evaluates policies against the originator’s permissions.
identity-service delegates to runbook-service: runbook-service executes under identity-service's governance context runbook-service cannot access capabilities beyond what identity-service is allowed to delegate governance-server enforces: identity-service's budget, identity-service's model allowlist, identity-service's consent tier8.4 Context Leakage
Pattern: Delegate receives more context than needed for the task.
Prevention: The originator assembles a scoped ACP context only the fields required by the delegate’s declared input_context_types. The delegate MUST NOT receive the originator’s full context.
8.5 Fire-and-Forget Delegation
Pattern: Originator delegates and does not track the result.
Prevention: Every DELEGATE requires a callback_url. Every delegation has a timeout_seconds. If no DELEGATE_RESULT is received within the timeout, the originator marks the delegation as TIMEOUT and records it via AIGP.