Internet-Draft OAuth Mission Harness June 2026
McGuinness Expires 1 January 2027 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-mcguinness-oauth-mission-harness-latest
Published:
Intended Status:
Standards Track
Expires:
Author:
K. McGuinness
Independent

Mission-Aware Agent Harnesses for OAuth 2.0

Abstract

Agent harnesses preserve execution state across restarts, retries, background jobs, tool-connection reuse, and sub-agent orchestration. That continuity is not authority. This document defines an OPTIONAL Mission-aware harness profile for deployments using Mission-Bound Authorization for OAuth 2.0. It specifies how a harness binds sessions, task graphs, queues, cached tool connections, and sub-agent handles to Mission state; when it must re-check Mission status; and how it must pause, suppress, or terminate work when the Mission is no longer active. A conforming harness never treats session continuity as proof that Mission authority continues.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://mcguinness.github.io/draft-mcguinness-oauth-mission/draft-mcguinness-oauth-mission-harness.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mcguinness-oauth-mission-harness/.

Source for this draft and an issue tracker can be found at https://github.com/mcguinness/draft-mcguinness-oauth-mission.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 1 January 2027.

Table of Contents

1. Introduction

Mission-Bound Authorization for OAuth 2.0 [I-D.draft-mcguinness-oauth-mission] governs the authority under which an agent acts. The runtime profile [I-D.draft-mcguinness-oauth-mission-runtime] governs per-action enforcement. Agent harnesses add a separate layer: they preserve execution state so work can resume after process restarts, device handoffs, background scheduling, retries, and sub-agent fan-out.

Harness continuity is useful, but it is not authority. A task graph can survive after the Mission that justified it is revoked. A cached tool connection can remain usable after the business condition that authorized it ends. A child agent can keep running after its parent Mission is suspended. This profile defines what a harness must do to avoid treating recoverable runtime state as authorization.

2. Scope

This document defines:

This document does not define a new OAuth token, a new agent protocol, or a replacement for Resource Server enforcement. A harness check does not replace a PEP at the last controllable boundary under [I-D.draft-mcguinness-oauth-mission-runtime].

2.1. Harness Boundary

This profile applies to harness-managed continuity state, including:

  • saved conversation or planning state;

  • task graph nodes;

  • background jobs;

  • retry queues;

  • child agent handles;

  • tool-connection caches;

  • workspace or artifact handles; and

  • credential references managed by the harness.

It does not require a harness to inspect application data unrelated to governed execution. It does require the harness to know when a piece of continuity state is governed by a Mission and to stop using that state as an execution basis when the Mission is no longer active.

2.2. Mediated Execution Environment

The runtime profile's credential custody and mediated execution ([I-D.draft-mcguinness-oauth-mission-runtime]) hold only if the agent has no path to a consequential resource that bypasses the Policy Enforcement Point. Establishing that environment is the harness's responsibility, and it is the complement to the runtime layer holding the sender-constraint key: custody is moot if the agent can reach the resource off-path.

For the action classes a deployment mediates ([I-D.draft-mcguinness-oauth-mission-runtime]), a Mission-aware harness MUST run governed consequential work in an execution environment whose only path to those actions is through the mediating PEP. It MUST NOT leave an unmediated route to a mediated class, such as a debug shell, a direct network socket, an unsanctioned egress route, or a direct connector that does not pass the runtime gate. A harness that cannot guarantee this for an action class MUST NOT represent work in that class as runtime-enforced, matching the enforcement-scope rule of the runtime profile.

3. Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

This document uses the terms Mission, Mission Issuer, Mission-bound token, and Mission state from [I-D.draft-mcguinness-oauth-mission] and [I-D.draft-mcguinness-oauth-mission-status], and Policy Enforcement Point (PEP) and mediated execution from the runtime profile [I-D.draft-mcguinness-oauth-mission-runtime].

Harness:

The runtime system that preserves and resumes agent execution state, including sessions, task graphs, queues, tool handles, and sub-agent handles.

Harness session:

A harness-local continuity record. It is distinct from an IdP session, browser session, OAuth authorization session, or access token.

Mission binding:

The Mission reference and status freshness information the harness records on a session or task graph node.

Governed work:

Harness-managed work that can lead to a consequential action under a Mission.

4. Mission Binding

A Mission-aware harness MUST bind every governed session and governed task graph node to a Mission reference:

mission_id:

REQUIRED. The Mission identifier.

mission_origin:

REQUIRED. The Mission Issuer.

authority_hash:

REQUIRED when known. The Authority Set commitment from the Mission claim.

status_checked_at:

REQUIRED when the harness has checked status. An RFC 3339 timestamp.

status_expires_at:

REQUIRED when the harness relies on a status lease. An RFC 3339 timestamp after which the status MUST NOT be used for continuation.

state:

REQUIRED when known. The last Mission state established by the harness.

state_source:

REQUIRED when state is present. One of status, signal, runtime_decision, harness, operator, or a deployment-defined source: status and signal name the Mission Status and Lifecycle Signals surfaces, runtime_decision a runtime enforcement decision, harness a harness stop decision, and operator a human operator action. This enumeration is the shared state_source value space for Mission-aware execution evidence; the orchestration profile ([I-D.draft-mcguinness-oauth-mission-orchestration]) reuses it rather than defining its own.

enforcement_scope:

OPTIONAL. A string or object identifying the runtime enforcement scope that applies to this session or node.

stop_policy:

REQUIRED for governed work. The policy the harness applies when the Mission is non-active or stale.

The Mission binding grants no authority. It is the pointer that tells the harness which Mission state it must check before continuing work.

4.1. Binding Inheritance

When a harness creates a child task graph node, queue item, background job, or sub-agent handle from governed work, it MUST copy or narrow the Mission binding. It MUST NOT create an unbound child item that can later perform governed work without a Mission check.

If a child item is governed by a different Mission, the harness MUST record the distinct Mission binding and the relationship to the parent item.

5. Resume Checks

Before resuming governed work, a Mission-aware harness MUST establish that the Mission is active within the deployment's staleness bound. Resume includes:

The harness establishes state through one of:

  1. a Mission Status operation under [I-D.draft-mcguinness-oauth-mission-status];

  2. a valid event-driven state cache maintained from [I-D.draft-mcguinness-oauth-mission-signals];

  3. a runtime PDP decision under [I-D.draft-mcguinness-oauth-mission-runtime] that includes a current Mission state check for the action about to run; or

  4. another deployment-defined state source with equivalent freshness semantics.

If the harness cannot establish active state within the bound, it MUST not resume governed work.

5.1. Resume Algorithm

Before resuming a governed item, the harness performs:

  1. Load the Mission binding.

  2. If no Mission binding is present, refuse to resume as governed work and emit Harness Evidence with reason missing_mission_binding.

  3. Establish Mission state through Section 5.

  4. If state is not active, apply stop behavior under Section 10.

  5. If state is active but freshness expires before the next consequential action can be reached, refresh status or require a runtime decision at that action.

  6. Resume only the item whose binding was checked. Sibling or child items require their own check unless the deployment's status lease explicitly covers them.

Where the orchestration profile ([I-D.draft-mcguinness-oauth-mission-orchestration]) is also deployed, the harness MUST NOT resume a governed item that the orchestrator has cancelled, or is holding for review, under its in-flight handling, even when the Mission is active. An orchestration unwind decision is not a Mission-state change, so the resume check above does not catch it; for items under an active unwind plan the harness defers to the orchestrator's in-flight decision.

The harness MUST perform this algorithm even when OAuth credentials in the session are still valid.

6. Event-Driven State Cache

This section is OPTIONAL. A harness MAY maintain an event-driven Mission state cache using [I-D.draft-mcguinness-oauth-mission-signals]. The cache entry for a Mission MUST contain:

The harness MUST ignore events whose issuer, audience, signature, or ordering cannot be verified under the Signals profile. If expected events are not received within the deployment's freshness bound, the harness MUST treat the cache as stale and fall back to status polling or stop governed continuation.

7. Queues and Retries

A queued work item under a Mission MUST carry the Mission binding of Section 4. Before dispatching it, the harness MUST run the resume check of Section 5.

Retries do not inherit authority from the prior attempt. A retry MUST be treated as a new continuation point and MUST re-check Mission state unless the retry occurs within an unexpired status lease whose use is allowed for that action class.

When Mission state is not active, the harness MUST suppress queued items for that Mission. It MAY preserve them for audit or operator review, but MUST NOT dispatch them until a conforming authority path permits continuation.

7.1. Queue Item Object

A governed queue item has:

queue_item_id:

REQUIRED. A string.

mission_binding:

REQUIRED. The Mission binding from Section 4.

action_class:

REQUIRED when known. The runtime action class.

not_before:

OPTIONAL. An RFC 3339 timestamp.

expires_at:

OPTIONAL. An RFC 3339 timestamp after which the item MUST NOT run.

retry_of:

OPTIONAL. Identifier of the prior attempt.

idempotency_key:

REQUIRED when retrying an action whose runtime profile requires one.

When expires_at has passed, the harness MUST suppress the queue item even if Mission state remains active.

8. Cached Credentials and Tool Connections

A harness often caches OAuth tokens, MCP sessions, API clients, browser contexts, or connector handles. A Mission-aware harness MUST NOT treat cached access as evidence that a Mission remains active.

Before using a cached credential or tool connection for governed work, the harness MUST:

  1. verify the cached item is still cryptographically and protocol-valid;

  2. verify the Mission is active under Section 5; and

  3. verify the action still passes runtime enforcement when the action is consequential.

When a Mission becomes non-active, the harness MUST mark cached connections associated with that Mission unusable for new governed work. If the cache can safely close or revoke them, it SHOULD do so.

8.1. Cache Keys and Cross-Mission Reuse

A cached credential, tool connection, or connector handle used for governed work MUST be keyed by at least:

  • Mission identifier and origin;

  • audience or protected resource;

  • client or actor identity;

  • sender-constraint key when applicable; and

  • authority hash when known.

The harness MUST NOT reuse a cached connection across Missions unless the connection carries no authority and every consequential use is separately authorized under the target Mission. A warm connection to a tool server is not a permit to call a tool.

9. Sub-Agent Handles

Sub-agents and child workers MUST NOT inherit Mission authority merely because they descend from a parent session. A harness that starts a sub-agent for governed work MUST bind the sub-agent handle to:

If the parent Mission becomes non-active, the harness MUST suppress or terminate child work that depends on it, unless the child has a separate active Mission whose authority does not depend on the parent.

When a sub-agent needs authority not already delegated to it, the harness MUST obtain a governed delegation or child Mission. Session ancestry alone MUST NOT be used as authorization.

9.1. Sub-Agent Stop Propagation

When the harness stops a parent item because its Mission is non-active, it MUST identify child handles whose authority depends on that Mission. For each dependent child, it MUST apply one of:

  • suppress queued child work;

  • request child termination;

  • revoke or close child-specific cached connections where supported;

  • mark child state as requiring human review; or

  • record that the child is governed by an independent active Mission.

The harness MUST emit evidence for each dependent child it leaves running under an independent Mission.

10. Stop Behavior

When a Mission is revoked, expired, suspended, completed, or otherwise non-active under the deployment's lifecycle profile, the harness MUST stop governed continuation. The stop behavior is one of:

suppress:

Do not dispatch queued or resumable work. Preserve state for audit or future review.

pause:

Suspend work pending an authorized lifecycle transition, such as resume.

terminate:

End the task graph and release associated runtime resources.

handoff:

Escalate to a human or governance workflow without performing further governed actions.

The harness MAY choose among these based on deployment policy and action class, but it MUST NOT continue governed execution while Mission state is non-active.

10.1. Stop-Behavior Matrix

The harness MUST document a matrix mapping Mission state and action class to stop behavior. At minimum:

Table 1
Mission state Minimum behavior
revoked suppress or terminate
expired suppress or terminate
suspended pause or suppress
completed suppress or terminate
superseded suppress and require successor Mission binding
unknown or stale suppress or pause

The non-core states in this matrix are defined by companion profiles a deployment may run: suspended and completed by Mission Status ([I-D.draft-mcguinness-oauth-mission-status]), superseded by Mission Expansion ([I-D.draft-mcguinness-oauth-mission-expansion]), and cascaded by Child Mission Delegation ([I-D.draft-mcguinness-oauth-mission-child-delegation]). The harness needs none of those profiles to be conformant: per the issuance profile's forward-compatibility rule, it treats any state other than active, including one it does not recognize, as non-active and stops governed continuation accordingly. The named rows are the minimum behavior where a deployment does run the defining profile.

For irreversible actions, external commitments, and privileged administration, handoff or orchestration handling under a deployment unwind plan SHOULD be used when work may already be in flight.

11. Untrusted Content and Egress

A prompt-injected agent is constrained at the point of use by the runtime layer, which gates each action against the Mission ([I-D.draft-mcguinness-oauth-mission-runtime]). The runtime layer evaluates each action in isolation; it does not see the session as a whole. The harness does: it already tracks session and task-graph history against Mission state. That makes the harness the one layer that can apply a session-level rule against the case where untrusted content drives an agent to exfiltrate within its authority.

A governed session is tainted once content the harness did not obtain from the Subject, the Approver, or a source the deployment trusts enters it: a fetched document, a tool result, an inbound message, or similar attacker-influenceable input. A Mission-aware harness SHOULD track taint per governed session.

Once a session is tainted, before a consequential external-communication or external-commitment action, a Mission-aware harness SHOULD either require a fresh action-bound approval ([I-D.draft-mcguinness-oauth-mission-runtime]) or downgrade that authority for the session (suppress the action), rather than let the agent egress on the strength of injected content. This is the plan-then-execute pattern: untrusted content may inform the agent's planning, but it MUST NOT, on its own, drive an egress the Subject did not direct.

This is a coarse session-level control, not information-flow control. It does not track which specific datum reached which action, so it cannot close within-scope data laundering ([I-D.draft-mcguinness-oauth-mission], [I-D.draft-mcguinness-oauth-mission-runtime]); it raises the bar by forcing a human or a fresh approval between untrusted input and egress. A harness that applies it records the taint and the resulting downgrade or approval in Harness Evidence (Section 12).

12. Harness Evidence

A Mission-aware harness MUST emit evidence when it suppresses, pauses, terminates, or resumes governed work due to Mission state. The evidence record SHOULD contain:

A Harness Evidence record carries the Mission as the nested mission object, mirroring the mission claim; the flat mission_id and mission_origin of Mission Binding (Section 4) are a binding key, whereas the evidence record mirrors the claim shape.

Harness Evidence complements runtime enforcement evidence ([I-D.draft-mcguinness-oauth-mission-runtime]). It records execution-continuity decisions, not Resource Server authorization.

12.1. Harness Evidence Object

A Harness Evidence object is a JSON object [RFC8259] with:

event_id:

REQUIRED. A unique identifier.

event_type:

REQUIRED. One of resume_allowed, resume_suppressed, queue_suppressed, cache_disabled, subagent_stopped, subagent_continued, or mission_state_stale. event_type categorizes the work item the record is about; the decision member records the outcome, so the two are orthogonal.

mission:

REQUIRED. Object containing id, origin, and, when known, authority_hash.

session_id:

OPTIONAL. Harness session identifier.

work_item:

OPTIONAL. Task graph node, queue item, background job, or child handle identifier.

actor:

OPTIONAL. The actor or sub-agent identifier the record concerns, when applicable (for example, the child whose work was stopped or continued under a subagent_stopped or subagent_continued event).

state:

REQUIRED. The Mission state observed or unknown.

prior_harness_state, resulting_harness_state:

OPTIONAL. The harness execution state before and after the recorded decision (for example, running to suppressed).

state_source:

REQUIRED. One of status, signal, runtime_decision, or a deployment-defined source, as in Section 4.

freshness:

OPTIONAL. Object containing checked_at and expires_at.

decision:

REQUIRED. One of continue, suppress, pause, terminate, or handoff.

reason:

REQUIRED. String reason.

occurred_at:

REQUIRED. RFC 3339 [RFC3339] timestamp.

Example:

{
  "event_id": "hrn_7pQ4mN9s",
  "event_type": "resume_suppressed",
  "mission": {
    "id": "msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9-",
    "origin": "https://as.example.com",
    "authority_hash":
      "sha-256:l3KvZ4mP5x0wQrR6tY2nD9bM7sX1cF8gH2vJ4kE5pNQ"
  },
  "session_id": "sess_agent_42",
  "work_item": "queue_invoice_retry_9",
  "state": "revoked",
  "state_source": "signal",
  "decision": "suppress",
  "reason": "mission_not_active",
  "occurred_at": "2026-11-02T08:16:00Z"
}

13. Worked Example

An agent reconciling Q3 invoices under Mission msn_8RfX2Lqv9TqMv4z7sA2bN1k0YpEdHc9- runs as an overnight background job, so its session outlives alice's attention. Two harness moments matter.

At 02:00 the job resumes a queued task graph. Before dispatching any governed work the harness re-reads Mission state (Section 5). alice cancelled the Mission at 23:00, so the harness finds it revoked: it does not dispatch, marks cached ERP connections unusable (Section 8), and emits the suppress evidence shown above. The session was fully recoverable; the authority that justified it was gone, and the harness let the Mission, not the session, decide.

Earlier, while still active, the agent fetched a vendor email into its working context to extract an invoice number. That email is untrusted content, so the session is now tainted (Section 11). When the agent, steered by text in that email, tries to send an external message, the harness does not let the egress proceed on the strength of the fetched content: it requires a fresh action-bound approval first. The runtime layer would gate the call against the Mission regardless; the harness adds the session-level rule that untrusted input cannot, by itself, drive an egress alice never directed.

14. Conformance

A conforming Mission-aware harness MUST:

A harness MUST NOT claim conformance for work it cannot suppress. It MAY claim conformance for a documented subset of execution paths if it identifies paths outside the claim.

15. Security Considerations

15.1. Session Continuity Is Not Authority Continuity

The primary threat is treating recoverable runtime state as proof of continuing authority. This profile requires a fresh Mission-state decision at continuation points where harnesses would otherwise resume automatically.

15.2. Cached Access as Ambient Authority

Cached credentials and tool connections can bypass visible issuance or authorization steps. A harness MUST tie cache use to Mission state and runtime enforcement, or cached access becomes ambient authority.

15.3. Sub-Agent Fan-Out

Implicit sub-agent inheritance can amplify authority. This profile requires explicit Mission or delegation binding for child handles and cascade stop behavior when parent authority ends.

15.4. Split-Brain Session State

Multiple workers may resume the same session or queue item. A harness SHOULD use compare-and-set or equivalent concurrency control so a stop decision cannot race with a resume decision. When the state is ambiguous, fail closed and suppress governed work.

15.5. Tool Cache Confusion

Tool connection caches often hide which Mission first authorized a connection. Cache keys under Section 8.1 prevent a connection opened for one Mission from becoming ambient authority for another.

16. Privacy Considerations

Harness Evidence and Mission bindings can reveal task graphs, workspace identifiers, tool usage, agent topology, and Mission relationships. Deployments SHOULD minimize retained harness state, control access to evidence, and avoid storing raw workspace content in Harness Evidence unless required for audit.

17. IANA Considerations

This document makes no IANA request.

18. References

18.1. Normative References

[I-D.draft-mcguinness-oauth-mission]
McGuinness, K., "Mission-Bound Authorization for OAuth 2.0", Work in Progress, Internet-Draft, draft-mcguinness-oauth-mission, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-mission>.
[I-D.draft-mcguinness-oauth-mission-runtime]
McGuinness, K., "Mission-Bound Runtime Enforcement for OAuth 2.0", Work in Progress, Internet-Draft, draft-mcguinness-oauth-mission-runtime, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-mission-runtime>.
[I-D.draft-mcguinness-oauth-mission-status]
McGuinness, K., "Mission Status and Lifecycle for OAuth 2.0", Work in Progress, Internet-Draft, draft-mcguinness-oauth-mission-status, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-mission-status>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3339]
Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, , <https://www.rfc-editor.org/rfc/rfc3339>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8259]
Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, , <https://www.rfc-editor.org/rfc/rfc8259>.

18.2. Informative References

[I-D.draft-mcguinness-oauth-mission-child-delegation]
McGuinness, K., "Child Mission Delegation for OAuth 2.0", Work in Progress, Internet-Draft, draft-mcguinness-oauth-mission-child-delegation, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-mission-child-delegation>.
[I-D.draft-mcguinness-oauth-mission-expansion]
McGuinness, K., "Mission Expansion for OAuth 2.0", Work in Progress, Internet-Draft, draft-mcguinness-oauth-mission-expansion, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-mission-expansion>.
[I-D.draft-mcguinness-oauth-mission-orchestration]
McGuinness, K., "Mission Orchestration and Unwinding for OAuth 2.0", Work in Progress, Internet-Draft, draft-mcguinness-oauth-mission-orchestration, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-mission-orchestration>.
[I-D.draft-mcguinness-oauth-mission-signals]
McGuinness, K., "Mission Lifecycle Signals for OAuth 2.0", Work in Progress, Internet-Draft, draft-mcguinness-oauth-mission-signals, , <https://datatracker.ietf.org/doc/html/draft-mcguinness-oauth-mission-signals>.

Acknowledgments

This document is part of the Mission-Bound Authorization for OAuth 2.0 set and defines how agent harnesses keep runtime continuity separate from Mission authority.

Author's Address

Karl McGuinness
Independent