The Google DeepMind delegation paper (arxiv.org/abs/2602.11865, Feb 2026) calls this out explicitly. MCP handles tool access, A2A handles agent communication, but nobody handles the trust and accountability layer between them. DelegateOS fills that gap with Ed25519-signed delegation tokens that enforce monotonic attenuation (sub-agents can only get narrower scope), budget caps across delegation chains, contract-based task verification, and cryptographic attestation chains for auditing.
It's a TypeScript library, MIT licensed, 374 tests passing. Ships with an MCP middleware plugin so you can drop it into existing MCP setups. The token format is inspired by Biscuit/Macaroons but purpose-built for agent delegation.