User Story

Agent X wants to delegate capability A on resource B to agent Y, but they wish to prevent agent Y from redelegating to Agent Z (ideally a-priori rather than by later revoking Agent Y's delegation, or by keeping the expiry so short that the damage of a re-share is trivial)

Use Cases

• god I hate to say this but, DRM
• there are many cases where there are security concerns with sharing access that can be reshared

Questions

1. Has this been considered already? Is there a reason it's not possible? Is this possible already and I'm just not smart enough to see it?
2. Could it be baked in as a policy on the delegation itself, especially if the invoker were somehow a field in the caveats?