LLM06: clarify delegated authorization context#70

Open
xmuruaga wants to merge 1 commit into GenAI-Security-Project:main from xmuruaga:patch-1

Conversation

@xmuruaga xmuruaga commented May 9, 2026

Summary

Clarifies delegated and multi-agent authorization context in LLM06.

This PR makes three small changes:

  1. Adds a Common Example of Risk for excessive permissions in delegated or multi-agent workflows.
  2. Adds one sentence to Mitigation 5 explaining that delegated or multi-agent workflows should preserve the original user context and authorization scope across chained extension or agent calls.
  3. Adds a short attack scenario showing how a trusted internal agent or extension can become a confused deputy when a downstream action is authorized only from the immediate caller or service identity.

Why

The current entry already covers excessive permissions, user-context execution, and complete mediation. This change clarifies how those principles apply to chained workflows, where each individual step may look legitimate but the overall chain can exceed the original user's authority.

Review checklist

  • Common Example added under Excessive Permissions.
  • Mitigation 5 updated with delegated / multi-agent authorization context.
  • Scenario 2 added under Example Attack Scenarios.
  • Heading levels and section structure unchanged.
  • No new references or framework mappings added.

Adds a delegated / multi-agent authorization example, mitigation wording, and attack scenario.

Signed-off-by: Xabier <xabiermuruaga@gmail.com>
@xmuruaga xmuruaga requested a review from rot169 as a code owner May 9, 2026 09:20
@KeystoneSmartQuotes

+1 from me. Clean PR, and the confused-deputy scenario in Scenario #2 is exactly the gap that's hard to close with static permission minimization alone.
This connects directly to Mitigation #7 (complete mediation) already in the entry, the principle that every request to a downstream system gets validated against security policy, whether it comes from a user, an extension, or a chained agent. Xabier's addition makes explicit what complete mediation looks like when the call chain crosses agent boundaries: the original user's authorization scope has to travel with the request, not get replaced by the calling agent's service identity.
On Andy's scope question, I think this belongs here in LLM06 rather than only in the Agentic Top 10. The confused-deputy pattern doesn't require a multi-agent framework to appear. Any LLM system that delegates to an extension running with a different identity can hit this. The Agentic list should absolutely cover the multi-agent version in depth, but the core principle (preserve user context across delegation) is fundamental enough for the core list.
One small suggestion: the new sentence in Mitigation #5 could cross-reference Mitigation #7 to tie the two together. Something like: "See also Mitigation 7 (complete mediation) for enforcement of security policies across chained calls." Optional, but it would help readers connect the dots.
— Boone
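The confused-deputy pattern discussed above, as an added illustration that is not part of the PR or the OWASP entry: a delegation context carries the original user's scope through every hop, and the downstream check is made against that context rather than the immediate caller's service identity. The principal names and scope strings are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A user, agent or extension identity with the scopes it may exercise."""
    name: str
    scopes: frozenset


@dataclass(frozen=True)
class DelegationContext:
    """Travels with a request across every agent/extension hop."""
    origin: Principal        # the original user on whose behalf the work is done
    chain: tuple = ()        # service identities that handled the request, in order

    def delegate(self, agent: Principal) -> "DelegationContext":
        """Record another hop; the origin is never replaced by the caller."""
        return DelegationContext(self.origin, self.chain + (agent,))

    def effective_scopes(self) -> frozenset:
        """Authority can only shrink along the chain, never grow."""
        scopes = set(self.origin.scopes)
        for hop in self.chain:
            scopes &= hop.scopes
        return frozenset(scopes)


def authorize_by_caller(caller: Principal, action: str) -> bool:
    """Weak check: trusts only the immediate caller's service identity (confused deputy)."""
    return action in caller.scopes


def authorize_with_context(ctx: DelegationContext, action: str) -> bool:
    """Complete mediation: the downstream action is checked against the user's scope."""
    return action in ctx.effective_scopes()


# Constructed sample identities (assumptions, not taken from the entry).
USER = Principal("alice", frozenset({"ticket:read"}))
ORCHESTRATOR = Principal("support-agent", frozenset({"ticket:read", "ticket:write", "refund:issue"}))
BILLING_EXT = Principal("billing-extension", frozenset({"ticket:read", "refund:issue"}))


def refund_decisions(action: str = "refund:issue") -> dict:
    """Compare both checks for a request routed user -> orchestrator -> billing extension."""
    ctx = DelegationContext(USER).delegate(ORCHESTRATOR).delegate(BILLING_EXT)
    return {
        "immediate_caller_only": authorize_by_caller(BILLING_EXT, action),
        "with_user_context": authorize_with_context(ctx, action),
        "effective_scopes": sorted(ctx.effective_scopes()),
    }


if __name__ == "__main__":
    print(refund_decisions())
```

With the caller-only check the refund is granted because the billing extension's own identity holds `refund:issue`; with the context check it is denied because the originating user never had that scope.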
