Lineage

Lineage is the accountability chain that connects an agent or tool action back to the root authority that created it.

HMR Alice
  -> Agent research-analyst
    -> Sub-agent sql-helper
      -> Tool query-database

What Forge records

A Forge identity contains:

  • did:oas identifier
  • signed OAS identity document
  • Ed25519 signing key
  • lineage proof chain
  • generation depth

Lineage verification should require public data only. Private keys are used to sign, not to verify the chain.

Derivation

An agent can be derived from an HMR or from another agent. Derivation extends the lineage chain and increments generation depth.
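The two rules above (verification needs public data only; each derivation adds a link and increments generation depth) can be shown with a small chain verifier. This is an added example, not Forge's own code or proof format: the Link fields, the signed message encoding, the did:oas:example:... identifiers and the key seeds are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Link is a hypothetical proof entry: the parent signs the child's DID, key and depth.
type Link struct {
	DID   string
	Key   ed25519.PublicKey
	Depth uint32
	Sig   []byte
}

// message is the constructed encoding a parent signs; the DID is length-prefixed.
func message(l Link) []byte {
	return append([]byte(fmt.Sprintf("%d:%d:%s:", l.Depth, len(l.DID), l.DID)), l.Key...)
}

// Derive is the only step that needs a private key: the parent signs the new link.
func Derive(parent ed25519.PrivateKey, depth uint32, did string, child ed25519.PublicKey) Link {
	l := Link{DID: did, Key: child, Depth: depth + 1}
	return Link{l.DID, l.Key, l.Depth, ed25519.Sign(parent, message(l))}
}

// VerifyLineage uses public data only; signer starts as the trusted root public key.
func VerifyLineage(signer ed25519.PublicKey, chain []Link) error {
	for i, l := range chain {
		ok := len(signer) == ed25519.PublicKeySize && l.Depth == uint32(i+1)
		if !ok || !ed25519.Verify(signer, message(l), l.Sig) {
			return fmt.Errorf("link %d (%s): wrong depth or not signed by its parent", i, l.DID)
		}
		signer = l.Key // the verified child signs the next generation
	}
	return nil
}

// SampleChain builds Alice -> research-analyst -> sql-helper from constructed seeds.
func SampleChain() (ed25519.PublicKey, []Link) {
	k := func(n int) ed25519.PrivateKey { return ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%032d", n))) }
	pub := func(p ed25519.PrivateKey) ed25519.PublicKey { return p.Public().(ed25519.PublicKey) }
	l1 := Derive(k(1), 0, "did:oas:example:research-analyst", pub(k(2)))
	return pub(k(1)), []Link{l1, Derive(k(2), 1, "did:oas:example:sql-helper", pub(k(3)))}
}

func main() {
	fmt.Println(VerifyLineage(SampleChain())) // <nil>
}
```

A verifier holding only the root public key and the links can run VerifyLineage; a link with an altered depth, DID or key, a skipped generation, or a different root all fail the check.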

For deterministic production identities, Forge derives key material from a seed and the (kind, namespace, identifier) tuple. The same tuple and seed produce the same DID.

Delegation

When an agent delegates to a sub-agent, the child should receive no more authority than the parent. The identity chain tracks origin; Arsenal ACTs track the scoped capability boundary.

Verification points

Verify lineage when:

  • loading a persisted identity
  • accepting delegated work from another agent
  • emitting a signed audit entry
  • authorizing tool access from a derived agent
  • replaying a run during release or incident review

See Capabilities for the authority side of the model.