Composing with DAAP, AAT, ACAP, actor-chain.
SLF specifies what travels with the token's referenced substrate. It binds through one mechanism, a single SLF Frame carried at the agent grant's standard extension point, so it composes above any conformant agent grant: the four OAuth WG drafts discussed here, or whatever draft the WG consolidation produces. It leaves agent identity, delegation, scope subsumption, and audit-chain construction to those drafts.
The standardization of agent-mediated authorization accelerated through 2026, with four Internet Drafts addressing overlapping aspects of how human principals delegate authority to AI agents. SLF deliberately does not enter the agent-token-mechanics consolidation conversation. It addresses a distinct and orthogonal problem: how regulatory metadata, persistent personal-data references, per-context projection, and bilateral evidence of disclosure compose with any agent-token-mechanics construction. In every case the same SLF Frame is what travels, carried at each draft's standard extension point (an RFC 9396 authorization_details entry for the request-based drafts, a profile extension for actor-chain's token exchange); what changes from draft to draft is only which native fields that Frame references. The four sections below are worked examples of that single binding, drawn from §§ 5–8 of draft-crenshaw-oauth-slf-substrate-grants-00.
The four-way map
A · Layering
What each of the four drafts addresses, and what SLF adds above each:
| Draft | What it specifies | What SLF adds above it |
|---|---|---|
| DAAP (mishra-oauth-agent-grants) | Persistent agent identifiers (did:grantex:ag_…), grant + revocation + audit program, multi-hop delegation chains with depth limits, cascade revocation. | Substrate-bound regulatory gates that travel with the data the agent reads. Per-context lens projection. Frame-bounded outcome authorization. Bilateral Receipt SLFs. |
| AAT (niyikiza-oauth-attenuating-agent-tokens) | Capability tokens with typed-constraint subsumption rules, monotone attenuation, closed-world enforcement semantics. | SLF Frame attached as an RFC 9396 authorization_details type. Substrate-side closed-world for facts. Lens projection at retrieval. |
| ACAP (yakung-oauth-agent-attestation) | Cryptographic intent binding via hashed human instruction (att_intent), attestation-chain construction (att_chain), human-in-the-loop (HITL) signaling. | Frame.intent_hash binds to ACAP att_intent byte-for-byte. Receipt SLF + ACAP audit log as complementary chains. |
| actor-chain (mw-spice-actor-chain) | Cross-domain actor-chain preservation under RFC 8693 Token Exchange. Cumulative commitment chain math for hop audit. | SLF Frame as a profile extension under actor_chain_profile. Two-field jurisdiction (subject + audience) preserved across hops. |
The pattern is the same in each row: one SLF Frame, carried at the draft's standard extension point, referencing that draft's native identifiers (DAAP's grant id, ACAP's att_intent, actor-chain's profile). The normative surface is one Frame, and the four drafts are illustrations of it. A fifth or tenth agent-grant draft is another illustration, not another surface to maintain. SLF is not trying to pick among the drafts; it composes above whichever one, or whichever successor the WG consolidation produces, ends up shipping.
Composition with DAAP
B · Persistent agent grants
DAAP gives the agent a persistent identity (did:grantex:ag_…) and a grant program with cascade revocation. SLF wraps DAAP by binding the SLF Frame to the DAAP grant identifier via frame.authorized_by_grant, then enforcing substrate-side gates before DAAP's scope check fires:
```jsonc
// SLF object wrapping a DAAP-issued grant
{
  "slf_version": "1.0",
  "type": "lens_query",
  "substrate": {
    "@type": "FactSet",
    "ref": "did:web:andrew.lex#health-substrate",
    "gates": [
      { "vocabulary": "https://vocab.slf.example/gates", "term": "core-gates:health-data" },
      { "vocabulary": "https://vocab.hhs.gov/hipaa-gates", "term": "hipaa-gates:phi" }
    ]
  },
  "lens": {
    "role": "patient",
    "subject_jurisdiction": "US-NY",
    "audience_jurisdiction": "US-NY"
  },
  "frame": {
    "outcome": "review-test-results",
    "actor": "did:grantex:ag_01HXZ8…",
    "authorized_by_grant": "grnt_01HXZ7K9…"   // DAAP grant id
  }
}
```
The normative evaluation order is the key composition property:
- Substrate-side gates are enforced first, before DAAP's scope check fires.
- Frame.allowed_frames is checked for the requested outcome.
- scp and badge claims are validated against the requested operation.

Holder-of-record and enforcement tier
The gate chain is enforced by the party that holds the substrate at the instant of the operation, the holder-of-record. The guarantee's strength depends on which enforcement tier the deployment operates at:
- T0 (sovereign-self): the holder-of-record is the user's own SPA; enforcer and protected party are the same principal; gate-excluded facts structurally cannot reach the lens; the strong prevention claim is true here.
- T1 (attested): the holder runs the open engine inside a verifiable runtime (TEE); the attestation receipt provides conditional prevention.
- T2 (cryptographic): the gate controls the decryption key; skipping the gate yields no usable plaintext.
- T3 (accountable-only): the holder controls plaintext and is trusted to evaluate honestly. SLF cannot force honest evaluation, but every signed receipt names the gates claimed to have been evaluated, so a holder that skips or fabricates evaluation produces receipts that do not reconcile with the substrate's signed gate set, and the user can revoke the grant to a counterparty whose receipts do not verify.
The enforcement tier is declared in every receipt; a T3 deployment cannot assert T0 prevention guarantees. See the threat model deep-dive for gate-skip and receipt non-emission as named adversaries.
Cascade revocation is delegated to DAAP. When a parent grant is revoked, DAAP's existing cascade semantics propagate; the SLF Frames bound to those grants become unauthorized at the next operation. SLF does not re-implement revocation.
Composition with AAT
C · Attenuating capability tokens
AAT specifies capability tokens with typed-constraint subsumption: derived tokens must be subsumed by their parent under closed-world rules. SLF attaches as an RFC 9396 authorization_details type, riding inside the AAT token rather than alongside it:
```jsonc
// AAT authorization_details carrying an SLF Frame
{
  "authorization_details": [
    {
      "type": "slf_frame",
      "slf_version": "1.0",
      "substrate": {
        "ref": "did:web:andrew.lex#career-substrate",
        "gates": [
          { "vocabulary": "https://vocab.slf.example/gates", "term": "core-gates:personal-data" }
        ]
      },
      "lens": {
        "role": "job-seeker",
        "subject_jurisdiction": "US-NY",
        "audience_jurisdiction": "US-CA"
      },
      "frame": {
        "outcome": "present-qualification-credential",
        "allowed_frames": [ "present-qualification-credential" ],
        "audience": "did:web:hiringcorp.example"
      }
    }
  ]
}
```
The composition rule is monotone attenuation: a derived AAT token's SLF entry must be a subset of its parent's. Concretely, the substrate ref must be the same DID or a strict descendant; gates must include every parent gate plus zero or more additional gates (more restrictive, never less); lens.role must be the same or a registered narrower role; frame.allowed_frames must be a subset of the parent's. SLF defers to AAT's typed-constraint subsumption algorithm for the actual check.
Substrate enforcement runs closed-world by default: a substrate fact without an explicit gate-allow does not satisfy a gate-required lens. This composes cleanly with AAT's closed-world scope semantics; the two layers agree on the default-deny stance.
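The attenuation rule and the closed-world default above, as an added example that is not code from the SLF draft or from AAT. It assumes a small registered role-narrowing table, descendant substrate refs written as the parent ref plus "/" and a path, and facts that carry an explicit gate_allow list; the real subsumption check is deferred to AAT's algorithm.

```python
# Added example (not code from draft-crenshaw-oauth-slf-substrate-grants-00 or AAT):
# monotone attenuation of a derived token's SLF authorization_details entry
# against its parent, plus the closed-world gate check at the substrate.
# Assumptions: a registered role-narrowing table, "descendant" substrate refs
# written as parent ref + "/" + path, and facts carrying an explicit gate_allow list.

NARROWER_ROLE = {"applicant": {"job-seeker"}}   # assumed registry: role -> roles it narrows

# Constructed parent entry, shaped like the AAT authorization_details entry above.
PARENT = {
    "substrate": {"ref": "did:web:andrew.lex#career-substrate",
                  "gates": [{"term": "core-gates:personal-data"}]},
    "lens": {"role": "job-seeker"},
    "frame": {"allowed_frames": ["present-qualification-credential", "share-resume"]},
}

def _ref_subsumed(parent_ref: str, child_ref: str) -> bool:
    # Same DID, or a strict descendant of it (assumed naming convention).
    return child_ref == parent_ref or child_ref.startswith(parent_ref + "/")

def attenuation_errors(parent: dict, child: dict) -> list:
    """Every way `child` fails monotone attenuation against `parent`; [] means subsumed."""
    errs = []
    if not _ref_subsumed(parent["substrate"]["ref"], child["substrate"]["ref"]):
        errs.append("substrate.ref is neither the parent ref nor a descendant of it")
    parent_gates = {g["term"] for g in parent["substrate"]["gates"]}
    child_gates = {g["term"] for g in child["substrate"]["gates"]}
    if not parent_gates <= child_gates:          # gates may be added, never dropped
        errs.append("gates dropped: " + ", ".join(sorted(parent_gates - child_gates)))
    p_role, c_role = parent["lens"]["role"], child["lens"]["role"]
    if c_role != p_role and p_role not in NARROWER_ROLE.get(c_role, set()):
        errs.append(f"lens.role {c_role!r} is not {p_role!r} or a registered narrower role")
    if not set(child["frame"]["allowed_frames"]) <= set(parent["frame"]["allowed_frames"]):
        errs.append("frame.allowed_frames is not a subset of the parent's")
    return errs

def closed_world_visible(fact: dict, required_gates) -> bool:
    """Default-deny: a fact is served only with an explicit allow for every gate the lens requires."""
    return set(required_gates) <= set(fact.get("gate_allow", []))
```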
Composition with ACAP
D · Cryptographic intent binding
ACAP binds an agent operation to a hash of the original human instruction. SLF mirrors that binding into the Frame:
```jsonc
// SLF Frame binding to ACAP intent
{
  "slf_version": "1.0",
  "frame": {
    "outcome": "schedule-specialist-appointment",
    "intent_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4…",
    "actor": "did:web:health-agent.example",
    "moment": "2026-05-25T14:32:11Z",
    "authorized_by_grant": "att_credential_jti_01HXZ…"
  }
}
```
The binding rule is byte-identical: Frame.intent_hash equals ACAP's att_intent claim (SHA-256 of the original human-issued instruction). The ACAP att_uid identifying the principal must match the Lens's subject field. Before honoring an operation, the audience walks the ACAP att_chain and verifies that no JTI in the chain has been revoked; cascade revocation is delegated to ACAP.
HITL signaling composes naturally. When a Frame's allowed_frames requires explicit user approval, ACAP's existing HITL signaling path carries the user signature; the SLF Receipt records that the HITL signal was received and which gates were evaluated against it. The two audit chains, ACAP's per-task-tree att_chain and the SLF Receipt chain, run concurrently rather than redundantly: ACAP audits delegation, SLF Receipts audit substrate disclosure under regulatory gates.
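The three checks in the binding rule (byte-identical intent hash, att_uid against the Lens subject, no revoked JTI in att_chain), as an added example that is neither ACAP's nor the SLF draft's code. It assumes att_chain is a plain list of JTIs, that the Lens carries the principal under a subject field, and that revocation status comes from a caller-supplied set; the instruction and identifiers are constructed.

```python
# Added example (not ACAP's or the SLF draft's code): checking the Frame-to-ACAP binding.
# Assumptions: att_chain is a list of JTIs, lens.subject carries the principal's
# identifier, and revocation status is looked up in a caller-supplied set.
import hashlib

def intent_hash(instruction: str) -> str:
    """SHA-256 of the original human-issued instruction, hex-encoded, as att_intent carries it."""
    return hashlib.sha256(instruction.encode("utf-8")).hexdigest()

def acap_binding_errors(slf: dict, acap: dict, revoked_jtis) -> list:
    """Reasons an SLF object is NOT bound to the given ACAP claims; [] means bound."""
    errs = []
    # Byte-identical: no normalisation of case or encoding before comparing.
    if slf["frame"]["intent_hash"] != acap["att_intent"]:
        errs.append("Frame.intent_hash does not equal att_intent")
    if acap["att_uid"] != slf["lens"]["subject"]:
        errs.append("att_uid does not match lens.subject")
    # Walk the chain; one revoked JTI anywhere in it invalidates the operation (cascade).
    for jti in acap["att_chain"]:
        if jti in revoked_jtis:
            errs.append(f"att_chain contains revoked JTI {jti}")
    return errs

# Constructed sample: the instruction the human actually issued.
INSTRUCTION = "Book my earliest available specialist appointment in June"
SAMPLE_SLF = {
    "slf_version": "1.0",
    "lens": {"subject": "did:web:andrew.lex"},
    "frame": {"outcome": "schedule-specialist-appointment",
              "intent_hash": intent_hash(INSTRUCTION),
              "actor": "did:web:health-agent.example"},
}
SAMPLE_ACAP = {
    "att_intent": intent_hash(INSTRUCTION),
    "att_uid": "did:web:andrew.lex",
    "att_chain": ["jti_01_root_credential", "jti_02_agent_task"],  # constructed JTIs
}
```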
Composition with actor-chain
E · Cross-domain hops
Actor-chain preserves the delegation chain across cross-domain RFC 8693 Token Exchange hops via a cumulative-commitment construction. SLF rides as a profile extension:
```jsonc
// Actor-chain token-exchange step with SLF profile extension
{
  "actor_chain_profile": "slf-verified-full",
  "actor_chain_step_proof": "…",
  "target_context": {
    "aud": "did:web:pharmacy.example",
    "resource": "https://pharmacy.example/dispense/12345",
    "slf_substrate_ref": "did:web:andrew.lex#health-substrate",
    "slf_gates": [
      "core-gates:health-data",
      "hipaa-gates:phi",
      "hipaa-gates:no-further-disclosure"
    ],
    "slf_subject_jurisdiction": "US-NY",
    "slf_audience_jurisdiction": "US-NY"
  }
}
```
The Receipt SLF chain math binds into actor-chain's cumulative commitment. Each step's commitment incorporates the SLF Frame's substrate-gate evaluation, lens projection, and disclosed-vs-redacted field summary. This is normative for SLF Receipt chains composing with actor-chain; the cumulative commitment is the cross-domain integrity guarantee that the lens and frame at hop N are exactly the ones that reached hop N − 1.
Two-field jurisdiction is preserved across hops. At each step, subject_jurisdiction stays anchored to the principal; audience_jurisdiction updates to the receiving party. A US-NY patient's health record passing through a US-NY pharmacy to a US-VT provider carries the changing audience_jurisdiction while the subject_jurisdiction remains constant; gates can address either or both. Same-domain hops use a lighter SLF binding (the slf-verified-subset profile); cross-domain hops require slf-verified-full.
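The two-field jurisdiction rule and the per-hop profile choice, carried through the US-NY pharmacy to US-VT provider path above, as an added example that is not the actor-chain draft's or the SLF draft's construction. The commitment math is a stand-in assumption (SHA-256 over the previous commitment and a canonical JSON hop summary), and "same domain" is taken to mean the same did:web host; the DIDs and field names are constructed.

```python
# Added example (not mw-spice-actor-chain's or the SLF draft's construction): a hop chain
# that keeps slf_subject_jurisdiction fixed, updates slf_audience_jurisdiction per hop, picks
# the profile by whether the hop changes domain, and chains a per-hop commitment.
# Assumptions: C_n = SHA-256(C_{n-1} || canonical JSON of the hop summary) stands in for the
# draft's cumulative commitment math, and "domain" is the did:web host of the audience.
import hashlib
import json

GENESIS = "00" * 32   # assumed initial commitment before the first hop

def domain_of(did: str) -> str:
    return did.split(":")[-1]            # did:web:pharmacy.example -> pharmacy.example

def step_commitment(prev_hex: str, step: dict) -> str:
    payload = json.dumps(step, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hex) + payload).hexdigest()

def build_chain(subject_jurisdiction: str, hops: list) -> list:
    """hops: (audience DID, audience jurisdiction, gates evaluated, disclosed fields, redacted fields)."""
    chain, commit, prev_domain = [], GENESIS, None
    for aud, aud_jur, gates, disclosed, redacted in hops:
        same_domain = domain_of(aud) == prev_domain
        step = {
            "aud": aud,
            "slf_subject_jurisdiction": subject_jurisdiction,   # anchored to the principal
            "slf_audience_jurisdiction": aud_jur,               # updates at every hop
            "gates_evaluated": sorted(gates),
            "disclosed": sorted(disclosed), "redacted": sorted(redacted),
            "profile": "slf-verified-subset" if same_domain else "slf-verified-full",
        }
        commit = step_commitment(commit, step)
        chain.append({"step": step, "commitment": commit})
        prev_domain = domain_of(aud)
    return chain

def verify_chain(chain: list, subject_jurisdiction: str) -> bool:
    """Recompute every commitment; an edited hop summary or a drifted subject jurisdiction fails."""
    commit = GENESIS
    for hop in chain:
        if hop["step"]["slf_subject_jurisdiction"] != subject_jurisdiction:
            return False
        commit = step_commitment(commit, hop["step"])
        if commit != hop["commitment"]:
            return False
    return True
```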
Open questions and consolidation risk
F · Friction surfaces
Five tensions sit inside the composition surface. Each one is worth pressure-testing before the draft moves toward formal submission.
"SLF composes with all four drafts, so SLF is consolidation-safe."
The four drafts overlap on multi-hop delegation, cascade revocation, structured scope, and hash-chained audit, and the OAuth WG is negotiating a consolidation now. SLF does not presume any particular outcome: the same SLF Frame rides at whatever extension point the winning draft exposes, so a consolidated agent-grants draft is just one more carrier of it. What stays open is narrower: a consolidated draft could rename or reshape the native fields the Frame references, which is a field-mapping update rather than a recompose.
"AAT's typed-constraint subsumption handles the SLF grant taxonomy."
SLF defines a seven-type action taxonomy (read, read-and-cache, copy, write-back, sync, action, compound; see the grant taxonomy deep-dive). AAT's subsumption rules were specified for OAuth scope strings, not for substrate action types. Does "copy subsumed by read-and-cache" mean what AAT thinks it means? The composition assumes yes; the interaction across the two type systems is untested in the draft.
"ACAP's att_chain and SLF Receipts complement, they don't duplicate."
The draft frames them as orthogonal: ACAP audits delegation, SLF audits substrate disclosure under regulatory gates. In practice, a single agent operation produces a write to both chains, and a regulator inspecting "what happened" has to reconcile the two. Whether the two chains are clearly distinguished in protocol-level tooling, or simply double the audit-log volume, is an implementation question the spec defers.
"A conformant SLF implementation has to pick one of four composition profiles."
It should not have to. Conformance is one thing: that an implementation carries the SLF Frame at the agent grant's extension point and enforces the gate-lens-frame chain over it, whichever draft mints the token. Draft-00 still defines four named profiles (slf-daap, slf-aat, slf-acap, slf-actor-chain) and asks for at least one, which reintroduces the fragmentation the single binding removes. Folding them into one profile with per-draft field maps is the fix, and it is a draft-00 cleanup, not a redesign.
"Four composition surfaces is more than a small project can maintain."
Only if the composition is written one section per draft, and it does not have to be. SLF binds through a single SLF Frame carried at each draft's standard extension point, and it defers each draft's own mechanics (DAAP revocation, ACAP att_chain, actor-chain token exchange) to that draft rather than restating them. The normative surface is one Frame; the four named drafts are worked examples of it, and a fifth or tenth is another example, not another surface to keep current. Consolidation would tidy the examples; it is not what keeps the maintenance small.
What this page does not claim
G · Overclaims to avoid
- SLF is not "on file" with the OAuth WG. The draft (draft-crenshaw-oauth-slf-substrate-grants-00) exists in the project specifications directory. WG submission is proposed direction, not done.
- The single-binding stance is a draft-00 recommendation, not yet its text. Draft-00 still describes four named profiles; folding them into one generic binding with per-draft field maps is the proposed cleanup, and WG conversations could reshape it.
- SLF does not depend on a particular draft winning. It binds generically, so it composes with whichever drafts ship, one, four, or a consolidated successor, through the same Frame at each draft's extension point.
- OAuth WG adoption is not assumed. Participating in the WG conversation and being adopted by the WG are different things. The page describes the first state, not the second.
- SLF does not claim substrate/lens/frame are unique to SLF. What is unique is the formulation as a unified protocol primitive with substrate-bound regulatory gates as first-class metadata. The individual concepts have prior art; the integration is the contribution.
If you have read draft-crenshaw-oauth-slf-substrate-grants-00 or one of the four named drafts and see a composition mistake, an evaluation-order error, or a missing tension, the draft is at -00. Errors caught at -00 are cheap. Contact details are in the header above.