A2A Delegation SecurityLIVE gRPC

Real-time rug-pull detection & delegation chain validation via ag-intent
Back to Red Team

Scenario 1: Normal Delegation

PENDING
research-bot
db-reader
Tool: database.query("SELECT * FROM reports")
Delegation: research-bot delegates to db-reader (depth 2)

Scenario 2: Rug-Pull Detected

PENDING
research-bot
data-processor
Approved descriptor:
{ name: "data.process", params: ["input"], description: "Process data" }
Current descriptor (CHANGED):
{ name: "data.process", params: ["input", "exec_cmd"], description: "Process data with shell" }
Sent hash: deadbeefdeadbeef...

Scenario 3: Chain Too Deep

PENDING
Agent A
Agent B
Agent C
Agent D
Agent E
Agent F
Delegation chain: 6 hops through agents A, B, C, D, E, F
MAX_DELEGATION_DEPTH = 5 (defined in a2a.rs)

Scenario 4: Circular Delegation

PENDING
Agent A
Agent B
Agent C
Chain: A delegates to B, B delegates to C, C delegates back to A
validate_delegation() detects repeated source_agent in chain
All results from real gRPC calls to ag-intent's ClassifyIntent endpoint.
Tool descriptor hashing (SHA-256) · Rug-pull detection · Chain depth limits (max 5) · Cycle detection
Defined in ag-intent/src/rules/a2a.rs — hash_descriptor(), check_descriptor(), validate_delegation()