Sim Studio lets people build agent workflows visually. When those workflows hit production, the agents inside them execute real actions — API calls, database operations, message sends. The gap: there's no enforcement layer that constrains what a running workflow can do based on who deployed it and what they authorized.
For teams sharing a Sim instance, this means every workflow has the same permissions. A workflow built for internal data analysis has the same access as one built for customer-facing interactions. The only isolation is at the application layer, which means a prompt injection in one workflow can potentially reach tools intended for another.
Delegation scoping at the workflow level:
import { createDelegation, governMCPToolCall } from 'agent-passport-system'

// adminKey, workflowAgentKey, workflowKey, workflowPassport and tool are
// assumed to have been created earlier in the deployment code.

// Admin creates workflow-specific delegation
const workflowDelegation = createDelegation({
  delegatedTo: workflowAgentKey,
  delegatedBy: adminKey,
  scope: ['api:get:weather', 'api:get:news'], // read-only, specific APIs
  spendLimit: 0, // no purchases
  expiresAt: new Date(Date.now() + 30 * 86400_000),
  maxDepth: 0
})

// Every tool call in the workflow goes through governance
const result = await governMCPToolCall(
  { name: 'database_delete', arguments: { table: 'users' } },
  async (args) => tool.execute(args),
  { passport: workflowPassport, delegation: workflowDelegation, privateKey: workflowKey }
)
// Blocked: database_delete not in scope. Signed denial receipt generated.
Each deployed workflow gets its own identity and delegation. Different workflows, different permissions. The receipt trail shows exactly what each workflow did and under what authority.
npm install agent-passport-system (v1.36.2, Apache-2.0). Self-service at aeoess.com/portal.html — free tier for getting started.
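The deny-by-default scope check and receipt trail described above, as an added example that is not part of the original post and is not agent-passport-system's code or API. All function and field names are hypothetical, the Ed25519 keys are generated in-process, and the tool callback is assumed synchronous.

```javascript
// Added illustration; NOT the agent-passport-system API. All names are hypothetical.
const crypto = require('node:crypto');

// Constructed keys: the admin signs delegations, the gateway signs receipts.
const admin = crypto.generateKeyPairSync('ed25519');
const gateway = crypto.generateKeyPairSync('ed25519');

// JSON.stringify is not a canonical encoding; it is sufficient here because
// signer and verifier serialize the same in-memory object shape.
const sign = (obj, key) =>
  crypto.sign(null, Buffer.from(JSON.stringify(obj)), key).toString('base64');
const verify = (obj, sig, key) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), key, Buffer.from(sig, 'base64'));

// Admin issues a delegation binding one workflow id to an explicit scope list.
function issueDelegation(workflowId, scope, ttlMs) {
  const body = { workflowId, scope, expiresAt: Date.now() + ttlMs };
  return { body, sig: sign(body, admin.privateKey) };
}

// Deny-by-default gate: the tool runs only if the delegation verifies, belongs
// to the calling workflow, is unexpired, and lists the tool by exact name.
function governToolCall(workflowId, call, delegation, execute, now = Date.now()) {
  let reason = null;
  if (!verify(delegation.body, delegation.sig, admin.publicKey)) reason = 'bad_delegation_signature';
  else if (delegation.body.workflowId !== workflowId) reason = 'delegation_not_for_workflow';
  else if (now >= delegation.body.expiresAt) reason = 'delegation_expired';
  else if (!delegation.body.scope.includes(call.name)) reason = 'tool_not_in_scope';

  const result = reason ? undefined : execute(call.arguments);
  // A receipt is signed for allow and deny alike, so the trail has no gaps.
  const receipt = { workflowId, tool: call.name, decision: reason ? 'deny' : 'allow', reason, at: now };
  return { result, receipt, receiptSig: sign(receipt, gateway.privateKey) };
}

// Auditors check a receipt against the gateway's public key.
const verifyReceipt = (r) => verify(r.receipt, r.receiptSig, gateway.publicKey);
```

Because the delegation names the workflow it was issued to, a second workflow on the same instance cannot reuse it, and a scope list edited after signing fails verification before any tool runs.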