Skip to content

Commit fdcd966

Browse files
Claude-harness-botdevonartis
authored andcommitted
docs: tech editor pass on developer-guide
Aligns the dev guide with the README and getting-started polish, promotes a real SDK limitation from a buried sub-clause to a proper callout, and tightens informal headings. - Frontmatter cross-links to README Prerequisites - Basic Pattern uses agent.bearer_header accessor - Long-Running Tasks: hedge note on broker lifetime cap - Single-Hop Delegation: document delegate(ttl=N) keyword - Multi-Hop: promote registration-token constraint to blockquote - Rename "What We Learned About Delegation" → "Delegation Behavior" - Rename "Garbage Tokens" → "Invalid Tokens" - Fix result.claims.iss comment — broker-configured, not fixed - Next Steps: add Testing Guide and MedAssist Demo rows Refs devonartis/agentwrit#31 Generated with Claude Code
1 parent eed295b commit fdcd966

1 file changed

Lines changed: 18 additions & 9 deletions

File tree

docs/developer-guide.md

Lines changed: 18 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Developer Guide
22

3-
Patterns for building real applications with the AgentWrit SDK. This guide assumes you've read [Getting Started](getting-started.md) and [Concepts](concepts.md).
3+
Patterns for building real applications with the AgentWrit SDK. This guide assumes you've read [Getting Started](getting-started.md) and [Concepts](concepts.md), and that you've completed [Prerequisites](../README.md#prerequisites) — broker reachable, app credentials provisioned, env vars set.
44

55
---
66

@@ -28,8 +28,9 @@ agent = app.create_agent(
2828
)
2929

3030
try:
31-
# Do work with the agent's token
32-
process_order(agent.access_token)
31+
# Do work with the agent's token. For HTTP calls, agent.bearer_header
32+
# gives you {"Authorization": "Bearer <token>"} in one shot:
33+
httpx.post("https://orders/api/process", headers=agent.bearer_header, json=payload)
3334
finally:
3435
# Always release — even if the work failed
3536
agent.release()
@@ -64,6 +65,8 @@ After `renew()`:
6465
- The old token is revoked at the broker
6566
- `agent.expires_in` is reset
6667

68+
> The broker may enforce a maximum total agent lifetime independent of per-token TTL. If `renew()` starts failing on long-running agents, check your broker's session policy.
69+
6770
### Short-Lived Tasks with Custom TTL
6871

6972
For quick tasks, set a short TTL to minimize exposure:
@@ -132,6 +135,8 @@ delegated = agent_a.delegate(
132135
# delegated.delegation_chain records the hop
133136
```
134137

138+
Pass `ttl=N` to override the delegation lifetime: `agent_a.delegate(delegate_to=..., scope=..., ttl=300)`. Omit it to take the broker's default (60s).
139+
135140
Always validate the delegated token to confirm the broker actually narrowed it:
136141

137142
```python
@@ -145,7 +150,9 @@ assert result.claims.scope == ["read:data:partition-7"]
145150

146151
### Multi-Hop Delegation (A → B → C)
147152

148-
To build a real chain where each hop narrows further, the second hop must use the delegated token directly. The SDK's `agent.delegate()` always uses the agent's registration token, not a received delegated token:
153+
> **SDK limitation:** `agent.delegate()` only signs with the agent's own *registration* token. To extend a chain — i.e., delegate from a token you *received* — you currently have to call `POST /v1/delegate` directly, as shown below. A future release may add `DelegatedToken.delegate()` to remove this escape hatch.
154+
155+
To build a real chain where each hop narrows further, the second hop has to bypass the SDK and hit the broker endpoint with the delegated token:
149156

150157
```python
151158
import httpx
@@ -209,9 +216,9 @@ except AuthorizationError as e:
209216
print(e.problem.detail) # delegated scope exceeds delegator scope
210217
```
211218

212-
### What We Learned About Delegation
219+
### Delegation Behavior
213220

214-
From acceptance testing against a live broker:
221+
Verified against a live broker via the acceptance suite:
215222

216223
1. **Same-scope delegation is allowed.** The broker treats equal as a valid subset. If A has `["read:data:partition-7"]` and delegates `["read:data:partition-7"]` to B, the broker accepts it.
217224

@@ -344,9 +351,9 @@ except AgentWritError as e:
344351
print(e) # "agent has been released and cannot delegate"
345352
```
346353

347-
### Garbage Tokens
354+
### Invalid Tokens
348355

349-
If someone sends a fake token to your app, `validate()` handles it gracefully:
356+
If someone sends a fake, malformed, or expired token to your app, `validate()` handles it gracefully — it returns a result instead of raising:
350357

351358
```python
352359
from agentwrit import validate
@@ -409,7 +416,7 @@ Same behavior, but uses the app's broker URL and timeout.
409416
result = validate(app.broker_url, agent.access_token)
410417

411418
if result.valid:
412-
print(result.claims.iss) # "agentwrit"
419+
print(result.claims.iss) # broker-configured issuer (e.g., "agentwrit")
413420
print(result.claims.sub) # SPIFFE ID
414421
print(result.claims.scope) # granted scope list
415422
print(result.claims.orch_id) # orchestrator ID
@@ -430,3 +437,5 @@ else:
430437
| [Getting Started](getting-started.md) | Install and create your first agent |
431438
| [Concepts](concepts.md) | Trust model, roles, scopes, and standards |
432439
| [API Reference](api-reference.md) | Every class, method, parameter, and exception |
440+
| [Testing Guide](testing-guide.md) | Unit tests, integration tests, running the test suite |
441+
| [MedAssist Demo](../demo/) | See every capability in a working healthcare app |

0 commit comments

Comments
 (0)