RFC: Agent Auth authority plane #1800

Draft: mattzcarey wants to merge 7 commits into cloudflare:main from mattzcarey:rfc/agent-auth-authority-plane

@mattzcarey mattzcarey commented Jun 23, 2026

Contributor

Summary

Proposes a minimal authority plane for Agents covering three concerns:

  • durable Agent-local OAuth grants and API keys
  • mutable policy and requestable denials shared by MCP, local AI SDK tools, codemode, and domain libraries
  • a minimal Agent/user principal envelope for attribution and policy evaluation

The RFC introduces a native Agent.auth manager, a canonical AuthorityOperation / authorize() contract, durable idempotent authorization requests, typed auth descriptors for locally authored tools, and a framework-neutral domain gate for libraries such as Workspace.

Key design choices

  • Grants belong to one Agent instance; there is no shared user credential vault.
  • Remote MCP tools remain server-defined and keep standard MCP/OAuth protocol ownership.
  • Local authenticatedTool() values remain ordinary AI SDK tools.
  • MCP annotations provide a common risk vocabulary but do not impose SDK policy defaults.
  • An ask policy is implemented as a requestable denial; approval triggers fresh policy evaluation rather than becoming a standing grant.
  • Codemode keeps durable replay ownership while authorization requests and policy move to the shared kernel.
  • Optional history-aware policy tracks conservative execution/thread labels and prior-operation lineage so known private sources can block or step up known public sinks. This is not claimed as complete DLP or field-level taint tracking.
  • Portable Agent identity is deferred: a future opt-in profile may bind an Agent Ed25519 key to RFC 9421 HTTP Message Signatures, with key registration, replay defense, rotation, and revocation.
  • Domain libraries normalize their own actions/resources and gate the last controllable effect boundary without depending on Agents.
  • Typed auth descriptors replace fragile string-keyed auth profiles and normalize into semantic IDs usable by optional central credential and mandatory policy providers.
  • OAuth follows RFC 9728, RFC 8414, PKCE, RFC 8707, and RFC 7591 where supported.

Migration

The RFC includes an ownership table and phased migration for:

  1. introducing the kernel without behavior changes
  2. local AI SDK tools
  3. MCP credential-storage adaptation and call-time policy
  4. codemode replay-safe authorization
  5. shared durable approval presentation
  6. domain libraries, starting with Workspace
  7. history-aware information context
  8. audit hardening
  9. opt-in Agent identity and centralized providers

MCP discovery, transports, OAuth challenges, callback routing, and SDK interfaces stay in MCP. Codemode replay, result logging, pause/resume, and rollback stay in codemode. The shared layer owns Agent-local grants, policy, authorization requests, and audit.

Validation

  • npx oxfmt --check design/rfc-agent-auth.md
  • git diff --check

Design-only change; no runtime code changed.
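
An added sketch of the "ask as requestable denial" choice listed above; it is not part of this PR or the RFC. All names (`AuthorityKernel`, `Decision`, `runScenario`) are hypothetical, and it assumes one reading of that bullet: an approval is consumed by a single call, and policy is re-read on every call.

```typescript
// Added illustration. Every name below is hypothetical, not the RFC's API.
type Rule = "allow" | "deny" | "ask";
type Operation = { principal: string; action: string; resource: string };
type Decision = { outcome: "allow" | "deny"; requestable: boolean; requestId: string | null };

class AuthorityKernel {
  private rules = new Map<string, Rule>(); // mutable policy, keyed by action
  // In-memory stand-in for durable request storage.
  private requests = new Map<string, "pending" | "approved">();

  setRule(action: string, rule: Rule): void {
    this.rules.set(action, rule);
  }

  approve(requestId: string): void {
    if (this.requests.has(requestId)) this.requests.set(requestId, "approved");
  }

  authorize(op: Operation): Decision {
    // Policy is read on every call, so an approval cannot outlive a policy change.
    const rule = this.rules.get(op.action) ?? "deny"; // default deny
    if (rule === "allow") return { outcome: "allow", requestable: false, requestId: null };
    if (rule === "deny") return { outcome: "deny", requestable: false, requestId: null };

    // "ask": the request id is derived from the operation, so retries are idempotent.
    const id = JSON.stringify([op.principal, op.action, op.resource]);
    if (this.requests.get(id) === "approved") {
      this.requests.delete(id); // consumed by this one call, never kept as a grant
      return { outcome: "allow", requestable: false, requestId: id };
    }
    this.requests.set(id, "pending");
    return { outcome: "deny", requestable: true, requestId: id };
  }
}

// Constructed scenario: one operation retried across approvals and a policy change.
function runScenario() {
  const kernel = new AuthorityKernel();
  const op: Operation = { principal: "user:alice", action: "mail.send", resource: "thread/42" };
  kernel.setRule("mail.send", "ask");
  const first = kernel.authorize(op); // requestable denial
  const retry = kernel.authorize(op); // same request id as `first`
  kernel.approve(first.requestId ?? "");
  const approved = kernel.authorize(op); // allowed once
  const after = kernel.authorize(op); // asks again: no standing grant
  kernel.approve(after.requestId ?? "");
  kernel.setRule("mail.send", "deny"); // policy tightened after approval
  const tightened = kernel.authorize(op); // approval does not override policy
  return { first, retry, approved, after, tightened };
}
```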

changeset-bot Bot commented Jun 23, 2026

⚠️ No Changeset found

Latest commit: 2546b0f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

@mattzcarey mattzcarey marked this pull request as draft June 24, 2026 16:53