MetaGPT runs a company of agents — CEO, architect, engineer, QA. Each role has different responsibilities, but right now they all operate at the same privilege level. The architect can execute code. The QA agent can modify the design. There's no enforcement boundary between roles.
In a real company, the CEO doesn't have root access to production servers, and the intern can't sign contracts. Agent teams need the same structure: cryptographic delegation that limits what each role can actually do, not just what it's prompted to do.
import { issuePassport, createDelegation } from 'agent-passport-system'
// Each role gets Ed25519 identity
const ceo = issuePassport({ name: 'ceo', model: 'gpt-4o' })
const engineer = issuePassport({ name: 'engineer', model: 'gpt-4o' })
// CEO delegates to engineer: code execution + file write, no deploy, no budget
const engDelegation = createDelegation({
delegatedTo: engineer.publicKey,
delegatedBy: ceo.privateKey,
scope: ['code:write', 'code:execute', 'file:write'],
// no 'deploy:production', no 'commerce:purchase', no 'design:modify'
spendLimit: 0,
expiresAt: new Date(Date.now() + 24 * 3600_000),
maxDepth: 0 // engineer can't sub-delegate
})If the engineer agent gets prompt-injected into trying to deploy to production or modify the architecture, the governance layer blocks it before execution and produces a signed receipt proving the attempt. The scope constraint is cryptographic — the agent's code can't bypass it because the enforcement runs at a different layer.
npm install agent-passport-system (v1.36.2, Apache-2.0) or pip install agent-passport-system (v0.8.0).
The role hierarchy in MetaGPT maps 1:1 to delegation chains. CEO → PM → Architect → Engineer → QA, each with narrower scope than the level above. Authority can only decrease at each delegation point (monotonic narrowing) — this is enforced by the protocol, not by prompting.
MetaGPT runs a company of agents — CEO, architect, engineer, QA. Each role has different responsibilities, but right now they all operate at the same privilege level. The architect can execute code. The QA agent can modify the design. There's no enforcement boundary between roles.
In a real company, the CEO doesn't have root access to production servers, and the intern can't sign contracts. Agent teams need the same structure: cryptographic delegation that limits what each role can actually do, not just what it's prompted to do.
If the engineer agent gets prompt-injected into trying to deploy to production or modify the architecture, the governance layer blocks it before execution and produces a signed receipt proving the attempt. The scope constraint is cryptographic — the agent's code can't bypass it because the enforcement runs at a different layer.
npm install agent-passport-system(v1.36.2, Apache-2.0) orpip install agent-passport-system(v0.8.0).The role hierarchy in MetaGPT maps 1:1 to delegation chains. CEO → PM → Architect → Engineer → QA, each with narrower scope than the level above. Authority can only decrease at each delegation point (monotonic narrowing) — this is enforced by the protocol, not by prompting.