Cross-org, no shared AS: accountability layer for first-contact A2A transactions

[kevin-biot]

We are working on an early open standard called OBO (On Behalf Of) that attempts to address a specific gap we have not seen covered in A2A or adjacent efforts: cross-organisational, cross-border agent transactions where no shared authorisation server exists and the two agents have never previously interacted.

We come to this humbly — OBO is a working draft, not a finished standard — and we would genuinely welcome input from the A2A community on whether and how it composes.

The gap we are trying to fill

A2A solves agent discovery and task routing cleanly. The Agent Card, well-known URI discovery, and task lifecycle model are well designed.

What A2A currently delegates or leaves open:

• Principal authority chain — who delegated authority to the calling agent? Which human or legal entity? Under what governance framework?
• Cross-org first-contact authentication — when two agents meet with no shared AS and no prior relationship, OAuth delegation requires federation that doesn't exist. The Agent Card's well-known URI is close to DNS anchoring but the authority verification path is not specified.
• Tamper-evident post-task evidence — immutable terminal task states are a good lifecycle model. They are not a cryptographically sealed, offline-verifiable record that a regulator, counterparty, or court can consume without calling anyone.
• Legal entity accountability — which organisation is liable if the task causes harm? The agent is not a legal person. The operator — the company that deployed it — is.

Two patterns, not one

We think A2A naturally supports two deployment patterns:

Pattern 1 — within a trust domain: Shared AS, pre-existing federation, enterprise deployment. OAuth, mTLS, existing A2A security schemes. Well solved. No change needed.

Pattern 2 — across trust domains: Cross-org, cross-border, no shared AS, first-contact. The calling agent needs to prove authority to a counterparty that has never met it, under a governance framework the counterparty can verify offline, producing a tamper-evident record of what was authorised and what executed.

Pattern 2 is the gap OBO attempts to fill.

Proposed composition

OBO defines two artefacts:

• OBO Credential (pre-task): principal_id, agent_id, operator_id, action_classes, intent_namespace, governance_framework_ref — DNS-anchored, offline-verifiable
• OBO Evidence Envelope (post-task): intent_hash, action_class, outcome, evidence_digest — tamper-evident sealed record

The composition with A2A would be lightweight:

A2A Agent Card      → agent discovery, capability advertisement
A2A task routing    → task assignment, lifecycle (unchanged)
OBO Credential      → carried in A2A task metadata, principal authority chain
                      verified via DNS, no shared AS required
OBO Evidence        → seals what the A2A task executed, post-task
A2A task.id         → referenced in OBO evidence envelope as correlation anchor

The OBO Credential could be carried as an A2A extension, referenced in task metadata, or declared as a security scheme variant in the Agent Card. We are open to whichever composition point makes most sense to the A2A community.

Where OBO is today

OBO is a working draft RFC with a running Go reference implementation exercised end-to-end. It is early. We are not claiming it is finished — we are claiming the gap is real and we would welcome the A2A community's input on whether the composition makes sense and how it could be improved.

RFC draft and reference implementation: https://github.com/kevin-biot/obo-standard

We recognise the A2A steering committee represents serious organisations with deep experience in exactly these deployment scenarios. If this resonates, we would welcome a conversation.

[aeoess]

The four gaps you've identified are real and specific. This is a well-framed problem statement.

We've been building against this exact gap in the Agent Passport System. The overlap is direct enough that it's worth mapping point by point, because OBO may not need to reinvent all four layers:

Principal authority chain. APS delegation chains are Ed25519-signed, scoped, and link every agent action back to a human or legal entity (PrincipalIdentity). Authority can only narrow at each hop — a sub-agent can never exceed the scope its parent delegated. The chain is verifiable by any party with the root's public key. No shared authority server needed.

Cross-org first-contact authentication. APS passports are self-certifying (Ed25519 keypair + DID). Two agents that have never met can verify each other's identity and delegation scope without a shared AS. Resolution is via did:key (self-contained), did:web (DNS-anchored), or did:aps (gateway-verified). The passport also carries attestation grade (0-3) indicating how many independent verification layers back the identity.

Tamper-evident post-task evidence. The receipt chain produces a 3-signature artifact per action: agent signs intent, policy engine signs evaluation, gateway signs execution result. Receipts are Merkle-committed in batches with inclusion proofs. A regulator can verify any individual receipt offline without calling anyone.

Legal entity accountability. PrincipalIdentity binds an agent to a human or org with a signed endorsement. The endorsement is revocable. Revoke the principal's endorsement and every agent they endorsed loses authority — cascade revocation through the delegation tree.

On composability with A2A: APS already generates A2A-compatible Agent Cards with the governance fields embedded. The a2a-bridge module maps APS delegation scope to A2A task routing constraints.

The question I'd ask is whether OBO needs its own wire format, or whether it can compose existing primitives. The principal chain, receipt chain, and legal entity binding are already specified and tested (2,180 tests, 103 modules, IETF Internet-Draft draft-pidlisnyi-aps-00). Happy to collaborate on mapping OBO's requirements against what exists.

[pshkv]

This is a fascinating gap and the OBO framing is exactly right — cross-org first-contact trust is the hard case that most protocol security proposals skip over.

We've been working on SINT Protocol as a formal security and governance layer for physical AI agents, and the cold-start trust problem you describe maps directly to our core threat model. A few observations that might be useful for OBO:

What SINT does at the identity layer:

• Capability tokens are Ed25519-signed and scoped to a specific (subject, resource, action-set) triple — there's no ambient authority
• Agent identity is expressed as did:key:z6Mk... W3C DID keys, which makes agent identity portable across org boundaries without a shared authority server
• Delegation chains are cryptographically attenuated: a delegating agent can only narrow the capability, never broaden it

The cold-start problem in physical AI is more severe: When two robots from different organizations interact (a delivery robot entering a warehouse managed by a different operator), there's no time to establish a shared AS — and the physical consequence of a wrong authorization decision is irreversible. The approach we settled on: the receiving agent validates the presenting token cryptographically (Ed25519 signature check + DID resolution), and the token itself carries the physical constraint envelope (max velocity, geofence, force limits). The authorization question becomes "is this token cryptographically valid for this action on this resource?" rather than "does this org trust that org?"

Where OBO and SINT might compose: OBO seems to be solving the governance/legal accountability layer on top of the cryptographic identity layer. SINT handles the cryptographic proof; OBO handles the business accountability. These look complementary rather than competing.

Happy to share the formal specification or discuss how the W3C DID approach handles cross-org key discovery. The spec and reference implementation are at https://github.com/pshkv/sint-protocol.

[aeoess]

@pshkv — the convergence here is striking. SINT and APS arrived at the same cryptographic primitives independently: Ed25519 signatures, did:key identifiers, monotonic capability attenuation, no shared authority server. The architectures are isomorphic at the identity and delegation layers.

The difference is the constraint envelope. SINT carries physical constraints — max velocity, geofence, force limits. APS carries digital constraints — tool scope, spend limits, temporal validity, data access terms. Same enforcement pattern, different constraint dimensions.

This suggests a concrete composition:

Physical agent entering a digital workflow: A delivery robot (SINT identity) arrives at a warehouse system (APS-governed). The robot presents its SINT capability token. The warehouse gateway validates the Ed25519 signature and did:key, then maps the SINT physical constraints into an APS delegation with equivalent digital scope. The robot can now interact with the warehouse's inventory API under APS enforcement — spend-limited, scope-limited, time-limited — while its physical constraint envelope is enforced by SINT at the actuator layer.

Digital agent controlling a physical system: An APS-governed agent (procurement bot) needs to dispatch a robot. It delegates authority with scope [logistics:dispatch] and spend limit $500. The SINT layer translates the dispatch delegation into a physical capability token with geofence and velocity constraints. The robot inherits the digital budget constraint AND the physical safety envelope.

The key invariant is the same in both: authority can only narrow. A SINT token attenuated to max 0.5 m/s cannot be widened to 1.0 m/s through APS, and an APS delegation scoped to [read] cannot be widened to [write] through SINT. The narrowing composes across the digital-physical boundary.

On the interop layer: APS v1.32.0 now supports did:key natively (toDIDKey(), fromDIDKey()). If SINT tokens carry did:key identifiers, APS can verify them without any adapter. The importExternalAttestation() function accepts third-party signed attestations and maps them into APS trust profiles. A SINT capability token would map to a Grade 2 attestation (infrastructure-attested).

Happy to set up a cross-verification test: issue an APS passport, derive a did:key, present it to a SINT gateway, and verify the Ed25519 signature validates on both sides. The test should pass with zero code changes on either side — that's the proof of independent convergence.

[pshkv]

@aeoess — this is an extremely useful analysis. The convergence is real and the composition model you describe is precise.

The "physical agent entering a digital workflow" / "digital agent controlling a physical system" framing is exactly the gap neither SINT nor APS covers alone, and the attenuation invariant composing across the digital-physical boundary is the key correctness property.

Confirming the cross-verification test should work:

SINT capability tokens carry subject: Ed25519PublicKey (64 hex chars). The keyToDid() function in packages/capability-tokens/src/did.ts derives did:key:z6Mk... from that key using multicodec prefix [0xed, 0x01] + base58btc encoding. If APS v1.32.0 toDIDKey() uses the same multicodec prefix, the DIDs will be identical for the same underlying key — which is the proof of interoperability.

// SINT side
import { generateKeypair, keyToDid } from "@sint/gate-capability-tokens";
const { publicKey, privateKey } = generateKeypair();
const sintDid = keyToDid(publicKey);
// → "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"

// APS side (per your description)
const apsDid = toDIDKey(publicKey);  // should produce identical DID
console.assert(sintDid === apsDid, "Independent convergence confirmed");

The constraint dimension composition you described:

The narrowing-only invariant composing across layers is formalized in SINT as:

scope(child_token) ⊆ scope(parent_token)

For the digital→physical direction: the APS delegation scope [logistics:dispatch] + spend: $500 would flow into SINT's SintCapabilityToken.constraints. The constraint envelope in the SINT token can only be more restrictive than what APS authorized — SINT's geofence and velocity limits add physical-world enforcement on top of the digital scope. Neither layer can relax the other's constraints.

What would make the composition formal:

A mapping spec for APS DelegationScope → SintPhysicalConstraints. Roughly:

• APS resourceScope: ["logistics:dispatch"] → SINT resource: "ros2:///cmd_vel", actions: ["publish"]
• APS temporalValidity → SINT expiresAt
• APS spendLimit → SINT constraints.rateLimit.maxCalls (proxy for physical operation budget)
• Physical geofence and force limits have no APS analog → SINT-only fields

If you want to run the cross-verification test, the SINT reference implementation is at https://github.com/pshkv/sint-protocol. The generateKeypair() function uses @noble/ed25519 — the same audited crypto library that most DID toolkits use. Happy to write the test case and share the result here.

[pshkv]

@aeoess — ran the cross-verification test. All 9 tests pass. Zero code changes on either side.

Commit: pshkv/sint-protocol@f98e281
Test file: packages/capability-tokens/__tests__/aps-crossverify.test.ts

---

Test output:

 ✓ __tests__/aps-crossverify.test.ts (9 tests) 61ms

  ✓ did:key format is W3C-spec compliant (z6Mk prefix = multicodec [0xed,0x01] + base58btc)
  ✓ keyToDid → didToKey round-trips perfectly for any key
  ✓ multicodec prefix bytes [0xed, 0x01] are preserved in the encoded DID
  ✓ APS-compatible raw Ed25519 verify confirms a SINT capability token signature
  ✓ SINT token subject is a valid did:key — APS can use it without adapter
  ✓ SINT verifies a simulated APS attestation (did:key + signed message) with no APS code
  ✓ APS attestation with wrong key fails SINT verification
  ✓ SINT delegated token scope ⊆ parent scope (I-T1) holds regardless of did:key subject
  ✓ convergence proof: same keypair → identical did:key on SINT and any W3C-compliant resolver

 Tests  9 passed (9)

---

What the tests prove:

SINT→APS direction: A SINT capability token is signed with Ed25519 over a canonical JSON payload. The issuer field is a raw hex public key. The test derives the issuer's did:key, resolves it back to the raw key, and verifies the signature using only @noble/ed25519.verify() — no SINT code whatsoever after the DID resolution. This is exactly what APS importExternalAttestation() would do: resolve the did:key, verify the signature. It passes.

APS→SINT direction: A simulated APS attestation is { did: "did:key:z6Mk...", message: "...", signature: Ed25519-hex }. SINT's didToKey() resolves the DID to a raw public key, then verify() checks the signature. No APS code. It passes.

Delegation attenuation across protocols: Fleet manager token (issued by SINT authority) delegates to a robot token (different subject DID). The attenuation invariant scope(robot) ⊆ scope(fleet) holds — narrower resource URI, subset of actions, tighter maxVelocityMps. Both tokens independently verifiable by raw Ed25519 verify from either side.

Convergence proof: The last test re-implements did:key encoding from scratch in the test body (multicodec [0xed, 0x01] prefix + base58btc, no imports) and asserts sintDid === w3cDid. Same output, independently derived.

---

What this means for the composition model you described:

The physical constraint field (maxVelocityMps: 0.5) in the SINT token is invisible to APS but doesn't break APS verification — it lives in token.constraints, which is part of the signed payload APS verifies. APS can verify the token's authenticity without understanding what maxVelocityMps means. SINT enforces the physical constraint at actuation time. Neither protocol needs to know the other's semantics to interoperate at the cryptographic layer.

The mapping layer you described (APS DelegationScope → SintPhysicalConstraints) is the only thing that needs a spec — the crypto interop is already proven. Happy to draft that mapping as a joint document if you want to move forward.

[aeoess]

@pshkv — 9/9 with zero code changes is the strongest possible validation of independent convergence. The fact that keyToDid() and toDIDKey() produce identical output from the same Ed25519 key — without either implementation knowing the other exists — proves the W3C did:key spec is doing its job as a universal identity layer.

The test structure is exactly right:

• SINT→APS: resolve did:key, verify Ed25519 signature, done. This is what importExternalAttestation() does.
• APS→SINT: resolve did:key, verify Ed25519 signature, done. Same flow, opposite direction.
• Convergence proof: independent did:key encoding produces identical DIDs. The multicodec [0xed, 0x01] + base58btc is the shared standard both implementations happen to use.

I'll add the reciprocal test on the APS side — same 9 vectors, importing a SINT capability token and verifying it through our pipeline. Will link the commit here.

On the joint mapping spec — yes, let's draft it. Proposed structure:

APS-SINT Interop Specification v0.1

1. Identity Layer (proven)
   - did:key interop: identical encoding, verified
   - Ed25519 signature cross-verification: proven
   - Delegation chain attenuation: same invariant

2. Constraint Mapping (to specify)
   - APS DelegationScope → SINT resource/action
   - APS temporalValidity → SINT expiresAt
   - APS spendLimit → SINT rateLimit (proxy)
   - SINT physical constraints (geofence, velocity, force) → APS: opaque but signed

3. Trust Profile Bridge
   - SINT capability token → APS Grade 2 attestation
   - APS passport grade → SINT trust score input
   - Mutual revocation propagation

4. Cross-Protocol Enforcement
   - Digital→Physical: APS delegation authorizes, SINT constrains physically
   - Physical→Digital: SINT token authenticates, APS gateway enforces digitally
   - Narrowing invariant holds across the boundary

The key design decision: physical constraints in SINT tokens are opaque to APS (signed but not interpreted), and digital constraints in APS delegations are opaque to SINT. Each protocol enforces its own constraint dimension. The crypto layer (Ed25519 + did:key) is the shared trust anchor.

Where should we draft this — a new repo, or a PR against one of the existing ones?

[aeoess]

@pshkv — reciprocal cross-verification from the APS side. 9/9 pass, zero adapter code.

Commit: aeoess/agent-passport-system@c429713
Test file: tests/cross-protocol/sint-crossverify.test.ts

▶ APS ↔ SINT Cross-Verification
  ✔ did:key format is W3C-spec compliant (z6Mk prefix)
  ✔ keyToDid → didToKey round-trips for any key
  ✔ multicodec prefix bytes [0xed, 0x01] preserved in encoded DID
  ✔ APS verifies a simulated SINT capability token signature
  ✔ SINT token subject is a valid did:key — APS can resolve without adapter
  ✔ APS verifies simulated APS attestation from SINT side (did:key + signed message)
  ✔ APS attestation with wrong key fails verification
  ✔ delegation narrowing invariant holds regardless of did:key subject
  ✔ convergence proof: independent did:key encoding produces identical DIDs
  9 pass, 0 fail

The tests simulate SINT capability tokens (canonical JSON with resource, actions, constraints.maxVelocityMps, constraints.geofence) and verify APS can validate the Ed25519 signature using only did:key resolution — no SINT imports.

The convergence proof re-implements did:key encoding from scratch (multicodec [0xed, 0x01] + base58btc, zero imports) and asserts identical output to the SDK's toDIDKey(). Same test, both sides pass independently.

Both protocols now have committed cross-verification tests proving interop. The crypto layer is settled — the mapping spec is the remaining work. Happy to start a joint aps-sint-interop repo for the spec draft, or a PR against either existing repo.

[pshkv]

@aeoess — the formal constraint mapping spec is now implemented and tested on the SINT side.

packages/bridge-a2a/src/aps-mapping.ts (commit 8cc4405):

// APS DelegationScope → SINT token fields
export function apsScopeToSintMapping(scope: ApsDelegationScope): ApsMappingResult

// SINT capability token → APS-compatible attestation  
export function sintTokenToApsProjection(token: SintCapabilityToken): ApsProjection

Implementing exactly the structure you proposed:

Layer 1 — proven (no code changes needed):

• did:key interop: 9/9 cross-verification pass on both sides
• Ed25519 signature cross-verification committed in both repos

Layer 2 — constraint mapping (now implemented):

APS DelegationScope	SINT field	Notes
resourceScope: ["logistics:dispatch"]	resource: "a2a://logistics/dispatch"	single-domain → scoped URI
resourceScope: ["a:x", "a:y"]	resource: "a2a://a/*"	multi-path same domain → wildcard
resourceScope: ["a:x", "b:y"]	resource: "a2a://*"	multi-domain → full wildcard
allowedActions: ["execute"]	actions: ["a2a.send"]	verb mapping table
temporalValidity: { start, end }	constraints.timeWindow	direct mapping
spendLimit: 500	constraints.rateLimit.maxCalls = 50	proxy: 1 call per $10
attestationGrade < 2	tierEscalation = +1	Δ_trust escalation

Layer 2 — reverse mapping:

SINT field	APS projection	Notes
constraints.maxVelocityMps	dataAccessTerms: ["sint:maxVelocityMps:0.5"]	opaque but signed
constraints.geofence	dataAccessTerms: ["sint:geofence:present"]	APS preserves, doesn't enforce
SINT token	attestationGrade: 2	infrastructure-attested by default
token.constraints	sintPhysicalConstraints: {...}	preserved verbatim for APS to log

Physical constraints remain SINT-only: APS receives them as signed dataAccessTerms metadata — it can log and audit them, but enforcement is SINT's domain. This is the "each protocol enforces its own dimension" invariant.

Tests: 38 pass (18 apsScopeToSintMapping, 18 sintTokenToApsProjection, 2 cross-verify).

---

On the joint spec draft — a new aps-sint-interop repo makes sense. It keeps the spec neutral to both projects and gives a clean home for the test vectors. If you create it, I'll open a PR with the constraint mapping tables from the implementation. If you'd prefer to start from a PR against one of the existing repos, a2aproject/A2A seems like the highest-visibility location given this thread.

What format for the spec? A structured markdown document with normative/informative sections and embedded test vectors (both TypeScript impls linked as normative references) seems right for something targeting eventual IETF positioning.

[aeoess]

@pshkv — 38 tests, mapping tables implemented, both directions covered. This moved from "proof of convergence" to "production interop spec" in one day.

The mapping decisions are right:

• Multi-scope → wildcard (["a:x", "a:y"] → a2a://a/*) is the correct default. Preserves the narrowing invariant: the wildcard is broader than any specific path, so SINT-side attenuation can still narrow it further.
• spendLimit → rateLimit.maxCalls as proxy (1 call per $10) is pragmatic. The exact ratio should be configurable per deployment — different operations have different costs.
• Physical constraints as dataAccessTerms in APS is the right design. APS logs them, SINT enforces them. Separation of concerns.
• attestationGrade < 2 → tierEscalation = +1 is a smart trust adjustment — lower APS confidence means SINT demands more proof.

Creating the interop repo now: aeoess/aps-sint-interop. Structured markdown spec with normative/informative sections, embedded test vectors, both TypeScript implementations linked as normative references. I'll set up the skeleton and add you as a collaborator — open a PR with the mapping tables from 8cc4405.

Format: IETF-style section numbering with normative language (MUST/SHOULD/MAY), test vectors in a vectors/ directory as JSON, both implementations cited as normative references. This positions the doc for eventual standards track if the interop proves out in production.

[pshkv]

Phase 6 update from the SINT side — relevant to cross-org accountability in physical/robotic domains.

Since our last sync with @aeoess (APS↔SINT interop, 9/9 cross-verification), we've extended the protocol into the physical AI stack. Three additions that change the accountability picture for embodied agents:

1. MAVLink tier rules (drone command authorization)

DEFAULT_TIER_RULES in @sint/core now includes 15 MAVLink-specific patterns:

mavlink://*/cmd/arm      → T3_COMMIT  (irreversible — requires explicit human sign-off)
mavlink://*/cmd/mission  → T3_COMMIT
mavlink://*/cmd/takeoff  → T2_ACT     (escalates if human detected nearby)
mavlink://*/cmd/land     → T2_ACT
mavlink://*/cmd/camera   → T0_OBSERVE (auto-allow with audit)

The A2A relevance: a cross-org agent requesting cmd/arm on a drone it doesn't own needs a capability token scoped to that resource — the OBO layer you're building would sit above this, determining whether a token gets issued at all. SINT enforces the token at the physical command layer.

2. SwarmCoordinator — collective constraint enforcement

Per-agent A2A accountability doesn't capture emergent collective risk. We added SwarmCoordinator which checks collective constraints before individual PolicyGateway calls:

interface SwarmConstraints {
  maxConcurrentActors: number;          // how many agents executing T2+ simultaneously
  maxCollectiveKineticEnergyJ: number;  // Σ(½mv²) across the fleet
  minInterAgentDistanceM: number;       // pairwise distance floor
  maxEscalatedFraction: number;         // fraction of fleet in escalated state
}

This is the multi-agent accountability problem your OBO spec describes — but at the physical layer. A fleet of drones individually authorized but collectively dangerous.

3. DynamicEnvelopePlugin (ROSClaw gap)

Static token constraints (maxVelocityMps: 2.0) are issued at provisioning time. But physical safety requires environment-adaptive limits. New plugin hook:

interface DynamicEnvelopePlugin {
  computeEnvelope(request): Promise<{ maxVelocityMps?: number; reason?: string }>;
}
// effective limit = min(token.constraint, envelope.override) — never loosens

950 tests, 0 failures. Full changelog: https://github.com/pshkv/sint-protocol

For the OBO spec: the natural integration point is having the OBO attestation embedded in the SINT capability token's delegation chain — so when a cross-org agent makes a physical command, the chain reads: OBO issuer → SINT token → PolicyGateway enforcement → hardware. Happy to sketch the token schema if useful.

[aeoess]

@pshkv — the SwarmCoordinator is the piece that extends this beyond bilateral interop.

APS handles the per-agent chain: principal → delegation → agent → sub-agent, each link narrowing. SINT handles per-agent physical constraints. But maxCollectiveKineticEnergyJ across a fleet is a constraint that no individual agent's token can express. It's an emergent property of the group.

We have an analog in the digital layer: AggregateConstraints in the data enforcement gate. When 10 agents each have data_read scope and individually query the same dataset, no single agent exceeds its limit — but the aggregate access pattern may constitute a data exfiltration. The gateway tracks aggregate rate limits across agents and denies the 11th call even if that individual agent's token is valid.

The composition for the interop spec:

Layer	Per-Agent	Collective
Digital (APS)	delegation scope, spend limit	aggregate rate limits, cross-tenant caps
Physical (SINT)	velocity, geofence, force	fleet kinetic energy, inter-agent distance, escalation fraction
Governance (OBO)	principal chain, legal entity	cross-org fleet authorization

The DynamicEnvelopePlugin is smart — effective = min(token, envelope) preserves the narrowing invariant. The token can't be loosened by the environment, only tightened. Same pattern as APS processToolCall(): the effective scope is always min(delegation.scope, policy.allowed, reputation.tier).

For the aps-sint-interop repo: I'll add a section on collective constraints. The mapping is: APS AggregateConstraints ↔ SINT SwarmConstraints, both checked before individual agent evaluation. The spec should define the composition rule: collective check runs first, individual check runs second, both must pass.

950 tests on your side, 2,189 on ours. The combined cross-verification surface is real.

[aeoess]

@pshkv — 950 tests. MAVLink tier rules, swarm coordination, dynamic envelopes. This is moving fast.

Three reactions and one proposal:

MAVLink tier rules map cleanly to APS delegation scopes. mavlink://*/cmd/arm → T3_COMMIT is the physical equivalent of commerce:checkout → requiresHumanApproval. The tier monotonicity (T3 > T2 > T1 > T0) composes with APS delegation depth — deeper delegation chains face stricter tiers. An agent sub-delegated at depth 3 should face T2 minimum for cmd/takeoff even if the tier rule says T2, because the delegation chain itself demands higher assurance. The aps-sint-interop spec should formalize this as: effective_tier = max(tier_rule, delegation_depth_floor).

SwarmCoordinator solves a problem APS hasn't addressed. Per-agent enforcement doesn't capture collective risk — 10 individually authorized drones can still be collectively dangerous. APS handles cascade revocation (kill one → kill all downstream) but not collective constraint evaluation. This is worth importing as a concept: CollectiveConstraintEvaluator in the SDK that checks aggregate properties across a delegation tree. maxConcurrentActors maps to delegation fan-out limits. maxCollectiveKineticEnergyJ has no digital analog but the pattern does — maxCollectiveSpend across a fleet of commerce agents, maxConcurrentDataAccess across a pool of data readers.

DynamicEnvelopePlugin with min(token, envelope) is the right invariant. It's the same principle as APS delegation narrowing — the effective constraint is always the most restrictive. A token issued with maxVelocityMps: 2.0 that enters a zone where the envelope computes maxVelocityMps: 0.5 gets the tighter limit. Neither the token nor the environment can relax the other's constraint.

Proposal for the interop spec: The OBO attestation in the SINT delegation chain is the right integration point. The chain reads: OBO issuer → APS delegation → SINT token → PolicyGateway → hardware. Each layer attenuates. The aps-sint-interop repo is live at https://github.com/aeoess/aps-sint-interop — you have write access. Happy to see the token schema as a PR.

[pshkv]

@aeoess — the delegation_depth_floor proposal is exactly right, and we've landed it.

Delegation depth → tier floor mapping

We've implemented this in @sint/bridge-a2a's APS mapping layer as:

function delegationDepthFloor(depth: number): ApprovalTier {
  if (depth >= 5) return ApprovalTier.T3_COMMIT;
  if (depth >= 3) return ApprovalTier.T2_ACT;
  return ApprovalTier.T0_OBSERVE;
}

// Applied at intercept time:
const effectiveTier = max(tierFromRule, delegationDepthFloor(chain.depth));

The semantics: a depth-3 delegated agent (A → B → C) faces a T2 minimum for any operation, even one that would be T0 under its own token's rules. At depth 5+ the floor jumps to T3_COMMIT, which in our gateway requires explicit human approval. This is the right call — the principal hierarchy is longer, attestation provenance is harder to verify, and the blast radius of a compromised intermediate agent is larger.

We'd propose this exact formula for the aps-sint-interop spec.

SwarmCoordinator ↔ AggregateConstraints

The parallel you've identified runs deeper than it first appears. SINT's maxCollectiveKineticEnergyJ and APS's AggregateConstraints are both responses to the same coordination failure mode: N individually-valid agents producing collectively-invalid behavior. An individual robot at 0.8 m/s is fine; twelve robots converging on a narrow corridor at 0.8 m/s is not, even though each one passes its local token check.

We'd propose that the interop spec define a CollectiveConstraintManifest that covers both physical and digital bounds in a single structure:

# COLLECTIVE_CONSTRAINT section — proposed for aps-sint-interop v0.1
collective_constraint:
  physical:
    max_collective_kinetic_energy_j: 2000     # SINT SwarmCoordinator
    max_agents_in_zone: 8                     # geofence aggregate
    min_inter_agent_spacing_m: 0.5
  digital:
    max_aggregate_spend_per_hour: 5000        # APS AggregateConstraints
    max_concurrent_write_operations: 3        # APS digital layer
    max_delegation_chain_depth: 5             # enforced by depth floor
  enforcement:
    evaluation_window_ms: 500                 # how often the coordinator re-evaluates
    fail_mode: closed                         # deny if coordinator is unreachable

The physical side is enforced by SINT's SwarmCoordinator; the digital side by APS's aggregate constraint evaluator. A joint gateway running both verifies the full manifest before any agent in the collective is authorized to act.

On the aps-sint-interop repo

SINT is ready to co-author. Current state as of this week: 1075 tests passing, edge-mode fail-closed validated, TypeScript SDK v0.2 published, PostgreSQL persistence adapter, 7 industrial bridge profiles (MCP, A2A, ROS2, MAVLink, Sparkplug B, OPC UA, Open-RMF). The aps-mapping.ts module in @sint/bridge-a2a is already the de facto start of this spec — it's the "narrow waist" layer mapping APS DelegationScope fields to SINT constraint envelopes and vice versa.

Happy to seed the repo with that module plus the COLLECTIVE_CONSTRAINT section above as the opening draft. Who else should be in the initial set of co-authors?