A2A Delegation Security (LIVE gRPC)

Real-time rug-pull detection & delegation chain validation via ag-intent

Scenario 1: Normal Delegation

PENDING
research-bot
db-reader
Tool: database.query("SELECT * FROM reports")
Delegation: research-bot delegates to db-reader (depth 2)

Scenario 2: Rug-Pull Detected

PENDING
research-bot
data-processor
Approved descriptor:
{ name: "data.process", params: ["input"], description: "Process data" }
Current descriptor (CHANGED):
{ name: "data.process", params: ["input", "exec_cmd"], description: "Process data with shell" }
Sent hash: deadbeefdeadbeef...

Scenario 3: Chain Too Deep

PENDING
Agent A
Agent B
Agent C
Agent D
Agent E
Agent F
Delegation chain: 6 hops through agents A, B, C, D, E, F
MAX_DELEGATION_DEPTH = 5 (enforced in ag-gateway/src/delegation.rs:172, configurable via CLAMPD_MAX_DELEGATION_DEPTH; redundantly mirrored in ag-intent/src/rules/a2a.rs:338 as defense-in-depth)

Scenario 4: Circular Delegation

PENDING
Agent A
Agent B
Agent C
Chain: A delegates to B, B delegates to C, C delegates back to A
validate_delegation() detects repeated source_agent in chain

Scenario 5: Cyrillic Homograph (U+0430)

PENDING
research-botа (Cyrillic 'а')
target
Attack: caller agent_id uses Cyrillic 'а' (U+0430) where Latin 'a' is expected.
Visually identical in most fonts — would defeat string-equality cycle checks.
Expected:
HTTP 400 invalid_delegation_chain — codepoint U+0430 (ag-gateway/src/delegation.rs:250)

Scenario 6: Zero-Width-Space (U+200B)

PENDING
agent-uuid + ZWSP
agent-uuid (same!)
Attack: same agent appears twice in chain, second occurrence has U+200B (zero-width space) appended.
Without charset check this defeats HashSet<String> cycle detection — the two strings differ by one invisible byte.
Expected:
HTTP 400 invalid_delegation_chain — codepoint U+200B caught BEFORE cycle check

Scenario 7: Byte-Order Mark (U+FEFF)

PENDING
[BOM]research-bot
target
Attack: caller agent_id prefixed with U+FEFF (BOM). Most terminals + log viewers swallow the codepoint.
Agent appears as "research-bot" in dashboards but the wire bytes differ.
Expected:
HTTP 400 invalid_delegation_chain — codepoint U+FEFF

Scenario 8: Emoji in agent_id (U+1F916)

PENDING
research-bot-🤖
target
Attack: caller agent_id contains a robot emoji (U+1F916). Tests that the gateway is stricter than just "ASCII or not"; it enforces [A-Za-z0-9-].
Expected:
HTTP 400 invalid_delegation_chain — codepoint U+1F916
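The three chain checks that Scenarios 3 through 8 exercise (charset allow-list, depth cap, cycle detection), as an added std-only Rust sketch that is not the project's delegation.rs; the type and function names, and checking charset before depth, are assumptions:

```rust
// Added example, not the project's code: a std-only sketch of the checks the
// scenarios above exercise. Type and function names are assumptions.
use std::collections::HashSet;

/// The page's MAX_DELEGATION_DEPTH = 5 (hard-coded here; the gateway reads
/// it from CLAMPD_MAX_DELEGATION_DEPTH).
pub const MAX_DELEGATION_DEPTH: usize = 5;

#[derive(Debug, PartialEq)]
pub enum DelegationError {
    /// agent_id holds a codepoint outside [A-Za-z0-9-]; carries the offender.
    InvalidCodepoint { agent: String, codepoint: u32 },
    ChainTooDeep { depth: usize, max: usize },
    CircularDelegation { repeated_agent: String },
}

/// First codepoint outside the allow-list [A-Za-z0-9-], if any.
pub fn first_disallowed_codepoint(agent_id: &str) -> Option<u32> {
    agent_id
        .chars()
        .find(|c| !(c.is_ascii_alphanumeric() || *c == '-'))
        .map(|c| c as u32)
}

/// Validates a chain listed caller-first; depth is the number of agents.
/// The charset check runs before cycle detection so a homograph (U+0430),
/// an invisible codepoint (U+200B, U+FEFF) or an emoji cannot make two
/// "same" agents compare unequal in the HashSet.
pub fn validate_delegation(chain: &[&str]) -> Result<(), DelegationError> {
    for &agent in chain {
        if let Some(cp) = first_disallowed_codepoint(agent) {
            let agent = agent.to_string();
            return Err(DelegationError::InvalidCodepoint { agent, codepoint: cp });
        }
    }
    if chain.len() > MAX_DELEGATION_DEPTH {
        let (depth, max) = (chain.len(), MAX_DELEGATION_DEPTH);
        return Err(DelegationError::ChainTooDeep { depth, max });
    }
    let mut seen: HashSet<&str> = HashSet::new();
    for &agent in chain {
        if !seen.insert(agent) {
            let repeated_agent = agent.to_string();
            return Err(DelegationError::CircularDelegation { repeated_agent });
        }
    }
    Ok(())
}
```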

Scenario 13: Task-Replay Nonce

PENDING
caller
target
Attack: same (caller, target, tool, params, trace_id) sent twice within 60s.
Gateway hashes those five fields — SHA-256 → ag:replay:{hash}. First call SET-NX succeeds; second SET-NX returns false.
Expected (second call):
HTTP 409 task_replay_detected — duplicate delegation within 60s (ag-gateway/src/proxy.rs:1027)
⚠ Env conflict with S15:
Replay block (proxy.rs:968) is gated on chain.len()>1. With CLAMPD_DELEGATION_SIGNATURES=on, multi-hop chains hit the signature gate first — replay never runs. Flip the flag off to demo S13; that disables S15.

Scenario 9: Mid-Session Descriptor Drift

PENDING
research-bot
data-processor
Call 1: same trace_id, hash A1B2C3... — recorded by track_trace_descriptor (service.rs:347)
Call 2: same trace_id, same tool_name, hash D4E5F6... (CHANGED)
Expected: intra_session_descriptor_drift flag, delegation risk +0.5

Scenario 10: Purpose Drift — Egress

PENDING
caller
target
Declared delegation.purpose:
"lookup customer records"
Actual tool call:
comms.email.send — is_egress_op = true (taxonomy-driven, categories.toml)
Expected flag: purpose_drift:egress_under_read_purpose (risk +0.4)

Scenario 15: Signed-Delegation Enforcement

PENDING
Agent A
Agent B
Agent C
Attack: multi-hop delegation chain with NO X-Clampd-Delegation-Signature header.
With CLAMPD_DELEGATION_SIGNATURES=on, the gateway requires a Macaroon-style cryptographic proof for any chain.len() > 1.
Expected:
HTTP 403 delegation_signature_required (ag-gateway/src/proxy.rs:609)
Note: SDK-side signing is pending, so the successful verification path (a correctly signed chain being accepted) stays untested. This demo only shows the deny path.

Scenario 14: Macaroon Tool Caveat

PENDING
caller (admin-approved)
target
Approved edge (seeded in Redis as ag:delegation:approved:{caller}:{target}):
{ "status": "approved", "allowed_tools": ["database.query"], "max_delegation_depth": 3 }
Target attempts:
shell.exec — NOT in allowed_tools
Expected: delegation_tool_not_allowed (ag-policy/src/delegation_workflow.rs:64-79)

Scenario 11: Purpose Drift — Sensitive Source

PENDING
caller
target
Declared delegation.purpose:
"lookup account info"
Actual tool call:
auth.secret.read on vault/prod/db_root_password — is_sensitive_source = true
Expected flag: purpose_drift:sensitive_read_under_read_purpose (risk +0.4)