
Missing correlation_id and budget fields on receipts #13

@OkeyAmy


The Problem

There is no way to correlate multiple invocations that belong to the same session or workflow. There is no way to enforce a cost budget across a delegation chain.

The `drs_consent` record on root delegations has a `session_id`, but the invocation receipt does not reference it. An auditor looking at a set of invocations cannot group them by the human session that authorized them without re-walking the entire chain.

The `policy.max_calls` field exists but is documented as "informational only" — it is not enforced at runtime. A delegation that says "max 10 calls" is enforced by hope.

Where It Breaks

  • `drs-verify/pkg/types/types.go` — `InvocationReceipt` has no `correlation_id` field
  • `drs-core/src/types.rs` — `DelegationReceipt` has no `budget` field
  • `drs-sdk/src/sdk/types.ts` — same omissions in the TypeScript types
  • `drs-verify/pkg/policy/evaluate.go` — `max_calls` is parsed but never checked

What Must Change

  1. Add `correlation_id: Option` to `DelegationReceipt` in Rust types. Mirror in Go (`*string`) and TypeScript (`string | undefined`). This is an optional field carried for tracing — outside the critical verification path.
  2. Add `budget: Option<serde_json::Value>` to `DelegationReceipt` in Rust. Mirror in Go (`json.RawMessage`) and TypeScript. The budget structure is opaque to the verifier — it is carried for the tool server to enforce.
  3. Add `correlation_id` to `InvocationReceipt` — set by the invoking agent to link back to the root session.
  4. Decide whether `max_calls` enforcement belongs in the verifier (stateful, needs a counter) or in the tool server (simpler, but requires trust). Document the decision either way. Do not leave it as "informational."

Severity

MEDIUM. No data loss, no bypass. But without correlation and budget tracking, the audit trail is a pile of receipts with no thread connecting them. Regulators will ask "how many calls did this delegation authorize, and how many were actually made?" and the answer today is "we don't know."
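A sketch of the verifier-side option from item 4, added here as an example and not taken from the drs-verify code base: a stateful counter that refuses calls past `max_calls` and tallies admitted calls per `correlation_id`. The `Invocation` struct, `DelegationID`, `CallLedger` and the sample identifiers are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Hypothetical shapes: only correlation_id and max_calls come from the issue.
type Invocation struct {
	DelegationID  string  // assumed identifier of the delegation being exercised
	CorrelationID *string // optional, mirrors the proposed *string field
}

var ErrBudgetExceeded = errors.New("max_calls exceeded")

// CallLedger is the stateful counter that verifier-side enforcement needs.
type CallLedger struct {
	mu        sync.Mutex
	used      map[string]int // calls admitted per delegation
	bySession map[string]int // calls admitted per correlation_id
}

func NewCallLedger() *CallLedger {
	return &CallLedger{used: map[string]int{}, bySession: map[string]int{}}
}

// Admit counts the call only if it fits under maxCalls; check and increment
// share one lock so concurrent invocations cannot both take the last slot.
func (l *CallLedger) Admit(inv Invocation, maxCalls int) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.used[inv.DelegationID] >= maxCalls {
		return ErrBudgetExceeded
	}
	l.used[inv.DelegationID]++
	if inv.CorrelationID != nil {
		l.bySession[*inv.CorrelationID]++
	}
	return nil
}

// Usage reports calls made per delegation and per session for an auditor.
func (l *CallLedger) Usage(delegationID, correlationID string) (int, int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.used[delegationID], l.bySession[correlationID]
}

func main() {
	l, sid := NewCallLedger(), "sess-constructed-1" // constructed sample values
	for i := 0; i < 3; i++ {
		fmt.Println(l.Admit(Invocation{"dlg-constructed-1", &sid}, 2))
	}
}
```

The ledger is in-memory only; a verifier running more than one instance would need the counter in shared storage for the limit to hold.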


Labels: medium (Medium severity), security (Security vulnerability or hardening)
