AAuth Explorer
Missions / Phase 11

Out-of-Bounds Access (Mission Governance at the PS)

Missions are immutable (§1279) and the resource never evaluates mission content — only the PS has the mission description, tool list, and log (§1193). Mission-level enforcement happens at the PS's token endpoint (§781, §1283, §1748). When an agent requests a scope that is inside the resource's own scope policy but outside the approved mission, the resource still issues a resource token; the PS is the party that detects the mismatch and, per §797, responds with `202 + requirement=interaction` to ask the user for consent. If the user declines, the agent must propose a new mission, which has a new s256.

See also: § PS Token Endpoint, § Mission Log

Sequence diagram (participants: Agent, Resource, Person Server, User); step labels as captured, truncated:
1. POST /authorize (scope=anal… → 200
2. POST /token → PS evaluates …
3. User reviews out-of-scope r…
4. Poll /pending/o4b1g2a7 → 40…
5. POST /mission (new M2 propo…
6. User reviews new mission → …
7. Poll /pending/m9b3c2a1 → 20…

POST https://api.example/authorize → 200

Agent asks the resource for a resource token with scope="analytics:read", still referencing its original mission M1 (s256=R9kNpXeErMQ1Jvk_…).

The RESOURCE does not have the mission description or tool list — only the PS has those (§1193).

The resource evaluates against ITS OWN scope policy, decides analytics:read is a valid scope for analytics endpoints, and issues the resource token (§652).

The mission object {approver, s256} is stamped into the resource token as OPAQUE metadata — the resource does not judge whether the scope aligns with the mission's intent. That is the PS's job.
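The PS-side half of that division of labour, as an added example in Go (not code from the AAuth Explorer or any AAuth implementation): the resource has stamped {approver, s256} into the token as opaque metadata, and the PS token endpoint looks the mission up by s256, unions the scopes of its approved tools, and answers 200, or 202 with requirement=interaction when a requested scope falls outside the mission (§797). Everything beyond that is assumed: that s256 is a base64url SHA-256 over a canonical rendering of the mission (the layout here is the example's own, so its digests do not match the page's), the mapping from tool names to resource scopes, the content of M1, and the 400 used to reject an unknown or foreign mission.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Tool is one approved tool. The Explorer lists only names and descriptions;
// the tool-to-scope mapping is this example's assumption.
type Tool struct {
	Name   string
	Scopes []string
}

// Mission is the PS-side record. It is immutable: any change yields a new s256.
type Mission struct {
	Approver, Agent, ApprovedAt, Description string
	Tools                                    []Tool
}

// S256 is base64url(SHA-256(canonical mission text)). Reading s256 as a content
// digest, and this canonical layout, are assumptions, not the Explorer's format.
func (m Mission) S256() string {
	var b strings.Builder
	fmt.Fprintf(&b, "approver=%s\nagent=%s\napproved_at=%s\n%s\n", m.Approver, m.Agent, m.ApprovedAt, m.Description)
	for _, t := range m.Tools {
		fmt.Fprintf(&b, "tool=%s:%s\n", t.Name, strings.Join(t.Scopes, " "))
	}
	sum := sha256.Sum256([]byte(b.String()))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// MissionRef is the opaque {approver, s256} object the resource stamps into the token.
type MissionRef struct{ Approver, S256 string }

// ResourceToken is the part of the aa-resource+jwt payload the PS consults.
type ResourceToken struct {
	Agent, Scope string
	Mission      MissionRef
}

// Decision mirrors the PS token endpoint response: 200, or 202 with requirement=interaction
// (§797). The 400 for an unknown, foreign, or wrong-agent mission is this example's choice.
type Decision struct {
	Status      int
	Requirement string
	OutOfBounds []string
	Reason      string
}

// EvaluateTokenRequest is the mission-level check that the resource never performs.
func EvaluateTokenRequest(ps string, store map[string]Mission, tok ResourceToken) Decision {
	if tok.Mission.Approver != ps {
		return Decision{Status: 400, Reason: "mission approved by a different PS"}
	}
	m, ok := store[tok.Mission.S256]
	if !ok || m.Agent != tok.Agent {
		return Decision{Status: 400, Reason: "no mission with this s256 approved for this agent"}
	}
	allowed := map[string]bool{} // union of the approved tools' scopes
	for _, t := range m.Tools {
		for _, s := range t.Scopes {
			allowed[s] = true
		}
	}
	var oob []string
	for _, s := range strings.Fields(tok.Scope) {
		if !allowed[s] {
			oob = append(oob, s)
		}
	}
	if len(oob) > 0 {
		return Decision{Status: 202, Requirement: "interaction", OutOfBounds: oob,
			Reason: "scope outside the approved mission; user consent required"}
	}
	return Decision{Status: 200}
}

// SampleMissions returns constructed M1 and M2 records (M1's content is not on the page) keyed by s256.
func SampleMissions() (store map[string]Mission, m1, m2 Mission) {
	feedback := Tool{"FeedbackReader", []string{"feedback:read"}}
	analytics := Tool{"AnalyticsReader", []string{"analytics:read"}}
	m1 = Mission{"https://ps.example", "aauth:local@agent.example", "2026-04-14T16:02:00Z",
		"# Analyze Q2 Customer Feedback", []Tool{feedback}}
	m2 = Mission{"https://ps.example", "aauth:local@agent.example", "2026-04-14T17:18:22Z",
		"# Analyze Q2 Customer Feedback (Analytics Extension)", []Tool{feedback, analytics}}
	return map[string]Mission{m1.S256(): m1, m2.S256(): m2}, m1, m2
}

func main() {
	store, m1, m2 := SampleMissions()
	for _, m := range []Mission{m1, m2} { // expect 202+interaction under M1, 200 under M2
		tok := ResourceToken{Agent: m.Agent, Scope: "analytics:read", Mission: MissionRef{m.Approver, m.S256()}}
		fmt.Printf("%+v\n", EvaluateTokenRequest("https://ps.example", store, tok))
	}
}
```

Running it prints two decisions: 202 with OutOfBounds [analytics:read] for the token still bound to M1, and 200 once the token carries M2's digest. The resource's answer was identical in both cases; only the s256 the PS resolves differs, which is why the agent cannot reuse M1 and has to propose a new mission.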


Step 1: POST /authorize (scope=analytics:read) + M1 → 200 resource token

Request / response
Out-of-Bounds → Supersession Timeline
New Mission (M2) issued after user declined the out-of-scope consent

Description (Markdown)

# Analyze Q2 Customer Feedback (Analytics Extension)

Read customer feedback records and detailed analytics data to produce a comprehensive report.

Structured Fields

approver: https://ps.example
agent: aauth:local@agent.example
approved_at: 2026-04-14T17:18:22Z
s256: X7fE9mPqJ2aKvN3tWbY5cRdLhU8sG1oZ4iA6nM0jQwT

Approved Tools

FeedbackReader: Read customer feedback records
AnalyticsReader: Read detailed analytics data

PS Capabilities

interaction, clarification
POST https://api.example/authorize

Headers

Content-Type: application/json
AAuth-Mission: approver="https://ps.example"; s256="R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0…
AAuth-Capabilities: interaction, clarification
Signature-Key: sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQ…
Signature-Input: sig=("@method" "@authority" "@path" "signature-key" "aauth-mission");created=170…
Signature: sig=:AQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQIDAQI…

Body
{
  "scope": "analytics:read"
}
HTTP Signature (scheme=jwt)

Covered Components

@method
@authority
@path
signature-key
aauth-mission

Signature Base

"@method": POST
"@authority": api.example
"@path": /authorize
"signature-key": sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"
"aauth-mission": approver="https://ps.example"; s256="R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0"
"@signature-params": sig=("@method" "@authority" "@path" "signature-key" "aauth-mission");created=1700000000;alg="ed25519"

Signature-Key Header

sig=jwt;jwt="eyJhbGciOiJFZERTQSIsImtpZCI6ImFnZW50LWtleS0xIiwidHlwIjoiYWEtYWdlbnQrand0In0…"

Signature-Input Header

sig=("@method" "@authority" "@path" "signature-key" "aauth-mission");created=1700000000;alg="ed25519"
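To show what the signature above actually binds, here is an added example in Go (not from the AAuth Explorer or any AAuth implementation) that builds the RFC 9421 signature base for exactly these covered components, signs it with Ed25519 from the standard library, verifies it, and then re-verifies after the AAuth-Mission header has been swapped to M2's digest. The agent-key JWT in Signature-Key is a placeholder (the page truncates the real one), the key pair is generated fresh rather than being the agent's key, and the @signature-params line is rendered as RFC 9421 §2.5 specifies it, without the `sig=` label.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Request is what RFC 9421 needs from the HTTP request: derived components plus covered fields by lowercase name.
type Request struct {
	Method, Authority, Path string
	Headers                 map[string]string
}

// Covered components of the Phase 11 request, in Signature-Input order (the order is signed).
var covered = []string{"@method", "@authority", "@path", "signature-key", "aauth-mission"}

// SignatureParams renders ("@method" ...);created=N;alg="ed25519": the @signature-params line
// and the value after sig= in Signature-Input.
func SignatureParams(components []string, created int64) string {
	q := make([]string, len(components))
	for i, c := range components {
		q[i] = fmt.Sprintf("%q", c)
	}
	return fmt.Sprintf("(%s);created=%d;alg=\"ed25519\"", strings.Join(q, " "), created)
}

// SignatureBase builds the RFC 9421 §2.5 base: one `"name": value` line per covered
// component, then the @signature-params line; LF-joined, no trailing LF.
func SignatureBase(r Request, components []string, params string) (string, error) {
	derived := map[string]string{"@method": r.Method, "@authority": r.Authority, "@path": r.Path}
	var lines []string
	for _, c := range components {
		v, ok := derived[c]
		if !ok {
			if v, ok = r.Headers[c]; !ok {
				return "", fmt.Errorf("covered component %q not available", c)
			}
			v = strings.TrimSpace(v) // RFC 9421 §2.1 field-value canonicalization
		}
		lines = append(lines, fmt.Sprintf("%q: %s", c, v))
	}
	return strings.Join(append(lines, `"@signature-params": `+params), "\n"), nil
}

// Sign returns the Signature-Input and Signature header values for label sig.
func Sign(r Request, priv ed25519.PrivateKey, created int64) (string, string, error) {
	params := SignatureParams(covered, created)
	base, err := SignatureBase(r, covered, params)
	if err != nil {
		return "", "", err
	}
	sig := ed25519.Sign(priv, []byte(base)) // RFC 8941 byte sequence: base64 between colons
	return "sig=" + params, "sig=:" + base64.StdEncoding.EncodeToString(sig) + ":", nil
}

// Verify rebuilds the base from the received request and Signature-Input, so any change to a
// covered component, AAuth-Mission included, yields false. Malformed headers also yield false.
func Verify(r Request, pub ed25519.PublicKey, sigInput, sigHeader string) bool {
	params := strings.TrimPrefix(sigInput, "sig=")
	end := strings.Index(params, ")")
	if !strings.HasPrefix(params, "(") || end < 0 || !strings.HasPrefix(sigHeader, "sig=:") {
		return false
	}
	var components []string
	for _, f := range strings.Fields(params[1:end]) {
		components = append(components, strings.Trim(f, `"`))
	}
	base, err := SignatureBase(r, components, params)
	raw, err2 := base64.StdEncoding.DecodeString(strings.Trim(strings.TrimPrefix(sigHeader, "sig="), ":"))
	return err == nil && err2 == nil && ed25519.Verify(pub, []byte(base), raw)
}

// ExampleRequest mirrors the Phase 11 request; the agent-key JWT is a placeholder (the page truncates it).
func ExampleRequest() Request {
	return Request{Method: "POST", Authority: "api.example", Path: "/authorize", Headers: map[string]string{
		"signature-key": `sig=jwt;jwt="eyJ-agent-key-jwt-placeholder"`,
		"aauth-mission": `approver="https://ps.example"; s256="R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0"`,
	}}
}

// Demo signs with a fresh key, verifies, then re-verifies a copy whose AAuth-Mission
// header was swapped to M2's digest. Expected: true, false.
func Demo() (genuine, tampered bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	r := ExampleRequest()
	sigInput, sig, err := Sign(r, priv, 1700000000)
	forged := ExampleRequest() // same request, mission binding replaced on the wire
	forged.Headers["aauth-mission"] = `approver="https://ps.example"; s256="X7fE9mPqJ2aKvN3tWbY5cRdLhU8sG1oZ4iA6nM0jQwT"`
	return Verify(r, pub, sigInput, sig), Verify(forged, pub, sigInput, sig), err
}

func main() {
	fmt.Println(Demo())
}
```

Because `aauth-mission` is a covered component, the resource (and anyone replaying the request) cannot re-point the agent's signed request at a broader mission without the signature failing; the scope check itself is still the PS's job, as the step above notes.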

Resource Token (carries M1 mission + broader scope), typ aa-resource+jwt

Header
{
"alg":"EdDSA",
"kid":"resource-key-1",
"typ":"aa-resource+jwt"
}

Payload
{
"iss":"https://api.example",
"aud":"https://as.example",
"dwk":"aauth-resource.json",
"jti":"6cf12ea2-4a19-4b0d-9d91-1e7d4e0b3c15",
"agent":"aauth:local@agent.example",
"agent_jkt":"5j5WMuITu8-cV1RdClUeNgnSg3aLJpCYiFvzcwDgYhI",
"scope":"analytics:read",
"iat":1776222894,
"exp":1776223494,
"mission":{
"approver":"https://ps.example",
"s256":"R9kNpXeErMQ1Jvk_vxYUp3YEdggmvUhksWtjXtcmnh0"
}
}
sig: fN4sPcP23KTjyHuvJ9S2_vR3V_ucaaxm