
Nov 20, 2025

Protecting Applications from Agent Risks


AP2 Mandate Flow

Mandate/cart/bundle headers bring AP2 proofs into every hop. The mandate (intent) captures what the agent was authorized to do, the cart spells out the exact argument commitments, and the bundle packages both plus issuer metadata for multi-hop forwarding. The sec0 SDK never hides these artifacts in mutable agent state; instead, it passes them as immutable headers so each hop re-verifies the cryptographic payload against its live arguments.

  • Intent (x-ap2-intent-mandate) describes the high-level authorization.

  • Cart (x-ap2-cart-mandate) binds concrete args and serves as an idempotency digest.

  • Bundle (x-ap2-bundle) carries issuer DID, constraints, and redundancy for downstream hops.

  • Agent state carries only derived IDs/digests (intent ID, cart SHA-256), so downstream hops can attest to the same mandate without holding the raw payload. Each agent hop re-validates those digests before running and throws on drift. Authors can still log objectives or deviation metadata via manager.agent.setState for analytics.
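
The per-hop check described above, as an added example (not sec0 SDK code): it recomputes the cart digest from the header, compares it with the hop's live arguments and with the digest held in agent state, and throws on drift. The base64url-JSON cart encoding, the { args } payload shape, the cartSha256 state field and all helper names are assumptions; signature verification of the mandate itself is not shown.

```javascript
// Added example, not sec0 SDK code. Assumed: the cart header is base64url JSON
// shaped { args }, and the state digest is SHA-256 over the canonicalized args.
const { createHash, timingSafeEqual } = require('node:crypto');

// Deterministic JSON: keys sorted recursively so key order cannot change the digest.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(',')}]`;
  if (value && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${members.join(',')}}`;
  }
  return JSON.stringify(value);
}

const sha256Hex = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

// Constant-time comparison of two hex SHA-256 digests; malformed input is a mismatch.
function digestsEqual(a, b) {
  const x = Buffer.from(String(a), 'hex');
  const y = Buffer.from(String(b), 'hex');
  return x.length === 32 && y.length === 32 && timingSafeEqual(x, y);
}

// Run at each hop before acting. Returns the cart digest or throws on drift.
function verifyCartAtHop(headers, agentState, liveArgs) {
  const raw = headers['x-ap2-cart-mandate'];
  if (!raw) throw new Error('missing x-ap2-cart-mandate header');
  const cart = JSON.parse(Buffer.from(raw, 'base64url').toString('utf8'));
  if (!cart || typeof cart.args !== 'object' || cart.args === null) {
    throw new Error('cart mandate carries no argument commitment');
  }
  const committed = sha256Hex(canonicalize(cart.args));
  if (!digestsEqual(committed, sha256Hex(canonicalize(liveArgs)))) {
    throw new Error('drift: live arguments differ from cart commitment');
  }
  if (!digestsEqual(committed, agentState.cartSha256)) {
    throw new Error('drift: agent state digest differs from cart header');
  }
  return committed;
}

// Constructed sample: a header as an upstream hop might forward it.
const encodeCart = (args) => Buffer.from(JSON.stringify({ args })).toString('base64url');
const sampleArgs = { tool: 'refund', amount: 4200, currency: 'USD' };
const sampleHeaders = { 'x-ap2-cart-mandate': encodeCart(sampleArgs) };
const sampleState = { cartSha256: sha256Hex(canonicalize(sampleArgs)) };
console.log(verifyCartAtHop(sampleHeaders, sampleState, sampleArgs));
```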

Why do we need this?

Because the mandate, cart, and bundle always travel as headers, every hop can independently prove the request is still authorized, while only sharing lightweight digests inside agent state. That means no hop has to “trust” a previous one, and sensitive proofs never leak into mutable memory. The pattern keeps security guarantees strong without getting in the way of how agents track their own work.