Bug: witness of delegatee does not store delegator event seal #1317

@lenkan

TLDR

The witness of the delegatee never does db.setAes() to store the authorizer event seal (delegator/issuer) for the dip event. Symptoms are:

  • OOBI response for delegate does not include the SealSourceCouple attachment.
  • kli kevers shows delegate as Not Anchored

Background

I ran into this while working with a multisig delegated identifier after a rotation. Newly rotated-in members were seeing the group (delegate) identifier as "Not anchored". When I dug into the witness responses, I found that witnesses were returning data without the SealSourceCouple attachment that identifies the delegator’s anchor seal. So the delegate’s witness(es) had the receipt/threshold info but were missing the seal that links the delegate to its delegator, which likely drives the incorrect "Not anchored" status. I have created a gist as a minimal reproduction of that behaviour (single delegator, single delegate, each with one witness, no multisig/rotation).

Description

When inspecting delegate kevers via kli kevers, the delegate’s witness reports the delegator as "Not Anchored", while the delegator and delegate (controller) both correctly report "Anchored" for the same delegated identifier. Witness count, receipts, and threshold are the same in all three places; only the delegate witness’s “anchored” status is wrong.

So the bug is: delegate witness state (or response) is missing or not using the delegator’s anchor seal (e.g. SealSourceCouple), leading to a false "Not Anchored".

Minimal reproduction

  1. Clone the gist and run the script:

    git clone https://gist.github.com/c03db9084631695fe8ab522c25a2d431.git delegation-problem
    cd delegation-problem
    ./delegation-problem.sh
  2. At the end, the script runs kli kevers for the delegate AID from three contexts: delegator, delegate, and delegate witness.

Expected vs actual

  • Expected: All three (delegator, delegate, delegate witness) show the delegator as ✔ Anchored for the delegated identifier.
  • Actual: Delegator and delegate show ✔ Anchored; the delegate witness shows ✘ Not Anchored for the same delegator/delegate pair and receipt data.

Example output

    --------------------------------
    Delegate kevers from delegator → Delegator:  EAhA4... ✔ Anchored
    --------------------------------
    --------------------------------
    Delegate kevers from delegate  → Delegator:  EAhA4... ✔ Anchored
    --------------------------------
    --------------------------------
    Delegate kevers from delegate witness → Delegator:  EAhA4... ✘ Not Anchored
    --------------------------------

Full output and run instructions: https://gist.github.com/c03db9084631695fe8ab522c25a2d431

Environment

  • keri: Reproduced with 1.2.12 (gist’s requirements.txt), 1.3.4, and main (2.0.0-dev5).
  • Reproduced with: the gist script (bash, Python 3.14, kli from pip or local keripy).
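
A check for the first symptom, as an added example that is not part of the original report or of keripy: it walks a captured KEL replay (for instance an OOBI response body) and lists delegated events that arrive without a SealSourceCouples group. It assumes KERI v1 JSON events followed by a `-V` attachment group and the v1 counter codes and item sizes shown in the table; the function names and sample streams are constructed for illustration.

```python
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
# Assumed KERI v1 text-domain counter codes -> characters per counted item.
# Codes not listed here raise KeyError rather than being skipped blindly.
ITEM_CHARS = {
    "-A": 88,       # controller indexed signatures
    "-B": 88,       # witness indexed signatures
    "-E": 24 + 36,  # first-seen replay couples
    "-G": 24 + 44,  # SealSourceCouples: delegator sn + anchoring event digest
}
VERSION = re.compile(r'"v":"KERI10JSON([0-9a-f]{6})_"')

def b64_int(chars):
    return sum(B64.index(c) * 64 ** i for i, c in enumerate(reversed(chars)))

def attachment_codes(stream):
    """Yield (ilk, counter codes) for each event in a v1 CESR text stream."""
    pos = 0
    while pos < len(stream):
        m = VERSION.match(stream, pos + 1)
        if not m:
            raise ValueError(f"no KERI v1 JSON event at offset {pos}")
        size = int(m.group(1), 16)  # serialized event size from version string
        ilk = re.search(r'"t":"(\w+)"', stream[pos:pos + size]).group(1)
        pos += size
        codes = []
        if stream.startswith("-V", pos):  # attachment group, sized in quadlets
            end = pos + 4 + 4 * b64_int(stream[pos + 2:pos + 4])
            pos += 4
            while pos < end:
                code = stream[pos:pos + 2]
                codes.append(code)
                pos += 4 + b64_int(stream[pos + 2:pos + 4]) * ITEM_CHARS[code]
        yield ilk, codes

def unanchored_delegated_events(stream):
    """Ilks of delegated events (dip/drt) replayed without a -G group."""
    return [i for i, c in attachment_codes(stream) if i in ("dip", "drt") and "-G" not in c]

def sample_event(ilk, groups):
    # Constructed sample: filler of the right length, not real keys or digests.
    body = '{"v":"KERI10JSON000000_","t":"%s","d":"E_constructed"}' % ilk
    body = body.replace("000000", "%06x" % len(body))
    atc = "".join(c + "AB" + "A" * ITEM_CHARS[c] for c in groups)
    quadlets = len(atc) // 4
    return body + "-V" + B64[quadlets // 64] + B64[quadlets % 64] + atc

WITNESS_REPLY = sample_event("dip", ["-A", "-B", "-E"])        # seal missing
CONTROLLER_REPLY = sample_event("dip", ["-A", "-B", "-G", "-E"])
```

Running `unanchored_delegated_events` over the replies saved from the delegator, the delegate and the delegate's witness shows which of them would fail to anchor the `dip` event.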
