{"id":127762,"url":"https://github.com/bureado/awesome-agent-runtime-security","name":"awesome-agent-runtime-security","description":"Learning something new about runtime security for agents","projects_count":174,"last_synced_at":"2026-05-29T04:00:18.717Z","repository":{"id":340284672,"uuid":"1165096078","full_name":"bureado/awesome-agent-runtime-security","owner":"bureado","description":"Learning something new about runtime security for agents","archived":false,"fork":false,"pushed_at":"2026-05-10T00:45:24.000Z","size":146,"stargazers_count":42,"open_issues_count":1,"forks_count":6,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-10T02:40:54.759Z","etag":null,"topics":["agentic-ai","agentic-identity","awesome-list","microvms","sandboxing"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bureado.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-23T20:24:40.000Z","updated_at":"2026-05-10T00:45:27.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bureado/awesome-agent-runtime-security","commit_stats":null,"previous_names":["bureado/awesome-agent-runtime-security"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bureado/awesome-agent-runtime-security","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bureado%2Fawesome-agent-runtime-security","tags_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bureado%2Fawesome-agent-runtime-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bureado%2Fawesome-agent-runtime-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bureado%2Fawesome-agent-runtime-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bureado","download_url":"https://codeload.github.com/bureado/awesome-agent-runtime-security/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bureado%2Fawesome-agent-runtime-security/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33635961,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"created_at":"2026-04-10T09:06:26.947Z","updated_at":"2026-05-29T04:00:18.717Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["Secrets Management \u0026 Isolation","Sandboxing \u0026 Isolation","References","Provenance, Instrumentation \u0026 Observability","Agent Identity \u0026 Credentials"],"sub_categories":["Risks \u0026 mitigations frameworks","Linux security technologies"],"readme":"# awesome-agent-runtime-security\n\nAn imperfect, incomplete 
collection of projects proving the integrity of tools, tool descriptions, models, data sources, and provenance by combining isolation, [sandboxing](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-9/README.md), security observability, and [server-constrained](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-31/README.md) or client-bound tokens. Evolved from [this listicle](https://gist.github.com/bureado/71dfb7380e8a1cd7294c2f8b8136d085).\n\n---\n\n- [Sandboxing \u0026 Isolation](#sandboxing--isolation)\n- [Provenance, Instrumentation \u0026 Observability](#provenance-instrumentation--observability)\n- [Secrets Management \u0026 Isolation](#secrets-management--isolation)\n- [Agent Identity \u0026 Credentials](#agent-identity--credentials)\n- [References](#references)\n\n---\n\n## Sandboxing \u0026 Isolation\n\nProjects using **Linux** security primitives (and a few Mac exceptions) such as bubblewrap, KVM/libkrun, Landlock, Linux namespaces, cgroups, and containers, seccomp, MicroVMs, gVisor or WebAssembly (WASM) for agent runtime sandboxing or isolation.\n\n| Name | Keywords | Description |\n|------|----------|-------------|\n| 🔥 [nono](https://nono.sh/) | Landlock, secret isolation, integrity | Combines Landlock isolation with integrity-protected configuration and OS-native secrets management, making it one of the most holistic agent sandboxing solutions. See also [kubefence](https://github.com/bpradipt/kubefence), an NRI plugin that transparently injects nono sandboxing into Kubernetes containers and Kata VMs. |\n| 🔥 [e2b](https://github.com/e2b-dev/infra) | Firecracker, MicroVM | Cloud-based agent sandbox infrastructure using [Firecracker](https://github.com/firecracker-microvm/firecracker) MicroVMs for strong hardware-level isolation between agent workloads. 
|\n| 🔥 [Zeroboot](https://github.com/zerobootdev/zeroboot) | Firecracker, KVM, CoW-fork | Sub-millisecond VM sandboxes (0.8ms spawn) via Firecracker snapshot copy-on-write forking — each fork is a real KVM VM with hardware-enforced memory isolation at ~265KB per sandbox. No networking inside forks (serial I/O only). |\n| 🔥 [Beams](https://www.beams.run/) | Firecracker, delegated-identity, zero-secrets | Teleport's agent runtime using Firecracker VMs (200ms startup) with delegated short-lived identity certificates, zero secrets in the sandbox, policy-controlled egress proxy, and inference endpoint routing that injects backend credentials without exposing API keys to the agent. |\n| 🔥 [krunai](https://github.com/slp/krunai) | KVM, libkrun, MicroVM, gVisor | Purpose-built agent sandbox running AI agents inside [libkrun](https://github.com/containers/libkrun) KVM microVMs, transparent user-space networking via [gVisor](https://github.com/google/gvisor) netstack. |\n| 🔥 [stereOS](https://github.com/papercomputeco/stereOS) | QEMU, KVM, Nix, gVisor | Purpose-built NixOS for AI agents, support for QEMU/KVM with sub-3s boot, gVisor included for in-VM sandboxing, and vsock-based secret injection via tmpfs. See also [agentd](https://github.com/papercomputeco/agentd). |\n| 🔥 [capsem](https://github.com/google/capsem) | Apple Virtualization, hardened-kernel, air-gapped | macOS-native sandbox running agents in Linux VMs via Apple Virtualization.framework. Custom kernel compiled with `CONFIG_INET=n` (no IP stack) and `CONFIG_MODULES=n` (no loadable modules), read-only rootfs, BLAKE3 boot asset integrity, no systemd. |\n| 🔥 [Docker Sandboxes](https://www.docker.com/blog/docker-sandboxes-run-claude-code-and-other-coding-agents-unsupervised-but-safely/) | Linux namespaces, cgroups, MicroVM | Docker's purpose-built sandbox for coding agents. See also [NanoClaw on Docker Sandboxes](https://nanoclaw.dev/blog/nanoclaw-docker-sandboxes/) for micro VM-based per-agent isolation. 
|\n| 🔥 Anthropic's [sandbox-runtime](https://github.com/anthropic-experimental/sandbox-runtime) | Linux namespaces, seccomp, bubblewrap | Anthropic's experimental agent sandbox combining Linux namespaces and seccomp filters via bubblewrap for process-level isolation. |\n| 🔥 [matchlock](https://github.com/jingkaihe/matchlock) | Firecracker, MicroVM, gVisor | CLI and multi-language SDK for running agents in ephemeral Firecracker microVMs with host-boundary secret injection through a MITM proxy. |\n| 🔥 [Cleanroom](https://github.com/buildkite/cleanroom) | Firecracker, MicroVM | Buildkite's self-hosted agent sandbox using Firecracker with host-side [gateway](https://github.com/buildkite/cleanroom/blob/main/docs/gateway.md) credential injection and digest-pinned OCI images. |\n| 🔥 [microsandbox](https://github.com/microsandbox/microsandbox) | KVM, libkrun, MicroVM, egress-filtering, secrets | Apache-2.0, YC-backed, open-source microVM sandbox for AI agents using [libkrun](https://github.com/containers/libkrun): deny-all networking with domain allowlisting, secret protection so credentials never enter the VM, Rust/Python/TypeScript SDKs, and a self-contained CLI (`msb run debian`) with no daemon required. Built for running `claude --dangerously-skip-permissions` safely. |\n| 🔥 [boxlite](https://github.com/boxlite-labs/boxlite) | KVM, libkrun | Lightweight VM-based sandbox for coding agents using KVM virtualization via [libkrun](https://github.com/containers/libkrun), providing strong hardware-enforced isolation. |\n| 🔥 [brood-box](https://github.com/stacklok/brood-box) | KVM, libkrun, MicroVM, snapshot-isolation, egress-control, MCP-authz | CLI for running AI coding agents (Claude Code, Codex, OpenCode) inside [libkrun](https://github.com/containers/libkrun) KVM microVMs with COW snapshot isolation, DNS-aware egress policies, and Cedar-based MCP authorization. Built on [go-microvm](https://github.com/stacklok/go-microvm). 
|\n| 🔥 [Agent Sandbox (k8s)](https://agent-sandbox.sigs.k8s.io/docs/guides/) | gVisor, Kata | Kubernetes SIG project combining [gVisor](https://github.com/google/gvisor) and [Kata Containers](https://github.com/kata-containers/kata-containers) for sandboxing AI agents in cloud-native environments. See also [Agent Substrate](https://github.com/agent-substrate/substrate). |\n| 🔥 [OpenSandbox](https://github.com/alibaba/OpenSandbox) | gVisor, Kata, Firecracker, Docker, Kubernetes | Alibaba's general-purpose sandbox platform for AI agents with multi-language SDKs, per-sandbox egress controls, ingress gateway, and secure container runtimes ([gVisor](https://github.com/google/gvisor), [Kata](https://github.com/kata-containers/kata-containers), Firecracker). |\n| 🔥 [Gondolin](https://earendil-works.github.io/gondolin/) | MicroVM | TypeScript/Node.js agent sandbox using QEMU micro-VMs. See also the [security design](https://earendil-works.github.io/gondolin/security/) and [repo](https://github.com/earendil-works/gondolin). |\n| 🔥 [k7](https://github.com/Katakate/k7) | Kata, MicroVM | Agent isolation platform using [Kata Containers](https://github.com/kata-containers/kata-containers) to add MicroVM-backed security boundaries to agent execution. |\n| 🔥 [Hyperlight](https://github.com/hyperlight-dev/hyperlight) + [Nanvix](https://opensource.microsoft.com/blog/2026/1/28/hyperlight-nanvix-bringing-multi-language-support-for-extremely-fast-hardware-isolated-micro-vms) | MicroVM, syscall interposition | Hardware-isolated VMs via KVM or Hyper-V with millisecond cold starts and no guest OS — combined with host-side syscall interposition for 150+ syscalls via the Nanvix Rust microkernel. 
See also [hyperlight-sandbox](https://github.com/hyperlight-dev/hyperlight-sandbox) (Python SDK, v0.1) and [HyperAgent](https://github.com/hyperlight-dev/hyperagent), an agent runtime that runs LLM-generated JavaScript handlers inside Hyperlight micro-VMs with default-deny capabilities, domain-scoped fetch with SSRF checks, path-jailed filesystem, and MCP server approval gating. |\n| 🔥 [agentOS](https://github.com/jordanhubbard/agentos) | seL4, capability-OS, formally-verified | Real bootable OS on the [seL4 microkernel](https://sel4.systems/) — the world's only formally verified, capability-secured microkernel — designed ground-up for AI agents. Agents run in hardware-enforced isolated address spaces with unforgeable capability tokens (ToolCap, ModelCap, NetCap, SpawnCap); capabilities are delegatable but never escalatable. Ed25519 identity is badged at the kernel IPC level. seL4 runs at ARM EL2 as the hypervisor. Alpha; boots on QEMU AArch64/x86_64. |\n| 🔥 [Authority Nanos](https://github.com/mbhatt1/authority) | unikernel, WASM, capabilities | Unikernel-based agent execution environment built on Nanos with 14 custom syscalls for agent communication and a secondary WASM sandbox for capability-gated tool execution. |\n| 🔥 [Leash](https://github.com/strongdm/leash) | eBPF, LSM, Linux namespaces | Wraps AI coding agents in containers and enforces Cedar policies via eBPF LSM programs scoped to the agent cgroup plus credential injection via header rewriting. |\n| 🔥 [secimport](https://github.com/avilum/secimport) | eBPF, bpftrace, seccomp, nsjail | eBPF-based module-level Python sandbox that uses USDT probes to track which Python module is executing at each syscall boundary and nsjail seccomp profile generation. 
|\n| 🔥 [sandlock](https://github.com/multikernel/sandlock) | Landlock, seccomp, seccomp-notif | Process sandbox combining Landlock (filesystem + network + IPC), seccomp-bpf (syscall filtering), and seccomp user notification (resource limits, IP enforcement, /proc virtualization, port virtualization). No root, no cgroups, no containers. COW fork enables O(1) memory scaling — parent loads model once, children share via copy-on-write. See also the [architecture blog post](https://multikernel.io/2026/03/14/introducing-sandlock/). |\n| 🔥 [ironclaw](https://github.com/nearai/ironclaw) | WASM, Linux namespaces, credential-injection | WASM-sandboxed tools (capability-based permissions, endpoint allowlisting), host-boundary credential injection where secrets never enter WASM memory. |\n| 🔥 [amla-sandbox](https://github.com/amlalabs/amla-sandbox) | WASM, capabilities | WASM-based agent sandbox using wasmtime with a capability-based security model that enforces per-tool method constraints, call limits, and parameter validation before any tool invocation leaves the sandbox. |\n| 🔥 [OpenFang](https://github.com/RightNow-AI/openfang) | WASM, taint-tracking | Uses a WASM dual-metered sandbox: wasmtime with both fuel metering and epoch interruption, backed by a watchdog thread that force-kills runaway code. Seeks to implement information flow taint tracking (secrets labelled from source to sink), Ed25519-signed agent manifests, and other techniques. |\n| 🔥 [cua](https://cua.ai/docs/computer-sdk/computers) | containers, qemu | Computer-use agent SDK using Linux containers and QEMU-inside-Docker for full desktop environment isolation. See also the [qemu-docker library](https://github.com/trycua/cua/tree/699350bfba66ba8a0186ed9c98c8b084b32462be/libs/qemu-docker). |\n| [goose + boxlite discussion](https://github.com/block/goose/issues/6040) | KVM, libkrun | GitHub issue discussing integration of boxlite KVM-based sandboxing into Block's goose agent framework. 
|\n| [smolVM](https://github.com/smol-machines/smolvm) | KVM, libkrun, MicroVM | MicroVM sandbox using [libkrun](https://github.com/containers/libkrun) and KVM with \u003c200ms boot, network off by default, and a `pack` command that builds portable single-binary VMs. |\n| [Freestyle](https://www.freestyle.sh/) | KVM, MicroVM, nested-virt | Managed agent-scale sandbox infrastructure: full Linux KVM VMs (not containers) with nested virtualization, real root access, sealed multi-user isolation inside each VM, git repos per agent with bidirectional GitHub sync, scales to 10k+ concurrent agents. |\n| [Sprites](https://sprites.dev/) | Firecracker, MicroVM, checkpoint-restore | Fly.io's managed Firecracker-based persistent Linux VMs for running coding agents or arbitrary code; checkpoint/restore in ~300ms, pre-installed with Claude Code and Codex CLI, API and CLI access. |\n| [InstaVM](https://instavm.io/) | MicroVM, egress-filtering, secrets-injection | Managed microVM sandboxes for AI agents: dedicated kernel per sandbox, default-deny egress with domain/CIDR allowlists, proxy-based secret injection (agents never see API keys), full execution logs and network traces. |\n| [tilde.run](https://tilde.run/) | containers, versioned-filesystem, egress-filtering | SaaS agent sandbox with a versioned POSIX filesystem (mounting code from GitHub, data from S3, documents from Drive as a single ~/sandbox), container-isolated runs with atomic commit-on-clean-exit/rollback-on-failure semantics, network policy with per-outbound-call audit log, and human approval gates. |\n| [clampdown](https://github.com/89luca89/clampdown) | Landlock, seccomp, Linux namespaces, SELinux, AppArmor | Hardened container sandbox with zero-capability agent (cap-drop=ALL), Landlock V3 filesystem isolation, ~115 blocked syscalls via seccomp, mandatory OCI hooks enforcing security policy on every tool container the agent spawns and SELinux/AppArmor confinement. 
|\n| [IronCurtain](https://github.com/provos/ironcurtain) | V8, Linux namespaces, bubblewrap | Multi-layer agent sandbox: Code Mode runs TypeScript in a V8 isolate with zero host access, Docker Mode runs external agents (Claude Code, Goose) in network-disabled containers. Plain-English [constitution](https://www.provos.org/p/ironcurtain-secure-personal-assistant/) compiled into deterministic policy rules enforced on every MCP tool call, plus bubblewrap-sandboxed MCP servers. |\n| [monty](https://github.com/pydantic/monty) | capabilities | Minimal secure Python interpreter written in Rust for running LLM-generated code with no host access by default — filesystem, network, and env are only available via explicitly provided external functions, with sub-microsecond startup and serializable execution state. |\n| [secure-exec](https://github.com/rivet-dev/secure-exec) | V8 isolates | V8 isolate-based Node.js sandboxing. Bridges real Node.js APIs (fs, http, child_process) into the isolate. |\n| [yolo-cage](https://github.com/borenstein/yolo-cage) | Linux containers | Agents run in K8s pods inside a Vagrant VM, with a git dispatcher that classifies commands (LOCAL/BRANCH/MERGE/REMOTE_READ/REMOTE_WRITE/DENIED) and enforces per-branch isolation, a fail-closed mitmproxy egress proxy with LLM-Guard secret scanning and GitHub API operation blocking, TruffleHog pre-push hooks, and Kubernetes NetworkPolicy. |\n| [OpenShell](https://github.com/NVIDIA/OpenShell) | Docker, Podman, Kubernetes, libkrun, MicroVM, credential-injection | NVIDIA's agent sandbox runtime with pluggable compute backends including experimental per-sandbox libkrun MicroVM runtime for stronger isolation. See also [compute runtimes architecture](https://github.com/NVIDIA/OpenShell/blob/main/architecture/compute-runtimes.md). 
|\n| [agentsh](https://github.com/canyonroad/agentsh) | eBPF, seccomp, Linux namespaces | Shell shim, eBPF cgroup network enforcement (domain allowlisting, DNS interception), and seccomp-bpf with user-notify for signal interception and syscall blocking. |\n| [fence](https://github.com/Use-Tusk/fence) | bubblewrap, Landlock, seccomp, eBPF, Linux namespaces | Cross-platform agent sandbox using bubblewrap with Landlock, seccomp, and eBPF monitoring on Linux. |\n| [ai-jail](https://github.com/akitaonrails/ai-jail) | bubblewrap, Landlock, seccomp, Linux namespaces | Multi-layer agent sandbox: bubblewrap namespaces (PID/UTS/IPC/net) + Landlock V3/V4 (filesystem + network) + seccomp-bpf (~30 blocked syscalls) + resource limits. Lockdown mode mounts project read-only with no network and clearenv. Sensitive dirs (`.gnupg`, `.aws`, `.ssh`) never mounted; per-project `.ai-jail` TOML config. macOS via `sandbox-exec`. |\n| [shuru](https://github.com/superhq-ai/shuru) | Apple Virtualization, MicroVM, secrets-proxy | macOS-primary agent sandbox using Apple Virtualization.framework with ephemeral rootfs (resets on every run), host-allowlisted egress, VirtioFS mounts with overlay (guest writes never touch host by default), and a secrets proxy that injects placeholder tokens into the VM substituting real values only on outbound HTTPS to specified hosts — secrets never enter the VM. TypeScript SDK + agent skill. |\n| [Bromure Agentic Coding](https://bromure.io/en/agentic-coding) | MicroVM, secrets-proxy, approval-gating | macOS (Apple Silicon) app running agents in Linux VMs with selective folder sharing. Credential stub-and-swap proxy — real tokens substituted at the hypervisor boundary, never written to VM disk/env/memory. ssh-agent forwarded via macOS Keychain socket (no key files in VM). Human-in-the-loop approval popups before sensitive credentials are substituted. Live Trace Inspector. Free and open source. 
|\n| [dyana](https://github.com/dreadnode/dyana) | containers, eBPF, Tracee, Docker | Docker-based sandbox for loading, running, and profiling untrusted files (ML models, Pickle, ELF, JS) with hardened containers (cap-drop ALL, no-new-privileges, network disabled, ipc-none, mem/pid limits, tmpfs noexec) monitored by an Aqua Tracee eBPF sidecar that traces 40+ security events (fileless execution, ld_preload, code injection, syscall hooking) scoped to the target container. |\n| [shai](https://github.com/colony-2/shai) | containers, Linux namespaces | Agent sandbox using container isolation with a novel [cellular development](https://shai.run/docs/concepts/cellular-development/) model for controlled agent-driven code changes, scoping changes to discrete units. |\n| [Rover Sandbox](https://docs.endor.dev/rover/concepts/sandbox/) | containers | Endor Labs' Rover uses Linux containers to sandbox agent tool execution within its security-focused agent framework. See also the [sandbox implementation code](https://github.com/endorhq/rover/tree/171a5b0eb277f2f1029062167a762a7f14a9b184/packages/cli/src/lib/sandbox). |\n| [bentorun](https://github.com/vladkol/bentorun) | gVisor, MCP, Cloud Run | MCP server exposing a single `execute_python` tool that runs each session in an ephemeral gVisor-sandboxed container on Google Cloud Run — Sentry (user-space Go kernel intercepts syscalls) + Gofer (filesystem proxy), per-session isolation, configurable package allowlist. |\n| [syva](https://github.com/false-systems/syva) | eBPF, zones, kernel-enforcement | eBPF programs loaded per node that enforce zone-based boundaries between container groups — intercepts and denies cross-zone `open()`, `exec()`, `mmap()`, `ptrace()`, and `kill()` at the kernel level before they happen. Fills the gap namespaces leave: containers share a kernel, and namespaces alone don't stop cross-container ptrace or bind-mount file access. 
Declarative TOML policy (capabilities, memory/PID limits, network zones, filesystem paths, syscall deny list). No sidecar, no proxy. |\n| [Veto (Ona)](https://ona.com/docs/ona/organizations/policies/executable-deny-list) | BPF LSM, content-addressable | Content-addressable kernel enforcement using BPF LSM: blocks executables by SHA-256 hash of binary content (not path), pre-execution with no TOCTOU gap. The [deep dive on agent evasion of path-based controls](https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox) is a good read for anyone working with `bubblewrap`. |\n| [Hazmat](https://github.com/dredozubov/hazmat) | macOS, Seatbelt, PF firewall, isolated users, rollback | macOS-native runtime containment for AI agents and coding-agent workflows using isolated macOS users, Seatbelt sandboxing (`sandbox_init` via a privileged helper), PF firewall controls, DNS blocklists, backup/rollback, and a TLA+-checked design (44,795+ states across nine specs covering setup/rollback ordering, seatbelt policy, migration, tier policy equivalence, and helper fd isolation) to reduce host and network blast radius. |\n\nFor a structured approach to evaluating and comparing sandboxes, read [The Agent Sandbox Taxonomy](https://github.com/kajogo777/the-agent-sandbox-taxonomy). A few tools of potential interest:\n\n**Containers and Linux namespaces**: [ExitBox](https://github.com/Cloud-Exit/ExitBox), [code-sandboxes](https://github.com/datalayer/code-sandboxes), [Kilntainers](https://github.com/Kiln-AI/Kilntainers) (MCP server routing agent tool calls to Docker/Podman, E2B, Modal, or WASM sandboxes), [nanoclaw](https://github.com/qwibitai/nanoclaw), [yolobox](https://github.com/finbarr/yolobox), [agentbox](https://github.com/rcarmo/agentbox), [construct-cli](https://github.com/EstebanForge/construct-cli), and [ctenv](https://github.com/osks/ctenv) all rely on standard Linux container isolation. 
[Scion](https://googlecloudplatform.github.io/scion/overview/) runs agents in isolated Docker/Kubernetes containers with per-agent identities, credentials, and workspaces. [try](https://github.com/binpash/try) and [usand](https://github.com/richfelker/usand) use Linux namespaces via `unshare` to let commands run in a contained environment. [nsjail](https://nsjail.dev/) is Google's lightweight process isolation tool combining Linux namespaces, cgroups, and seccomp-bpf. [sandbox (Cloudflare)](https://github.com/cloudflare/sandbox) provides a seccomp library for syscall filtering. [systemd's exec security settings](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html) and [setpriv](https://github.com/util-linux/util-linux/blob/master/sys-utils/setpriv.1.adoc) serve as convenient declarative frontends for composing namespaces, seccomp, and capabilities. [Running AI Agents in Devcontainers](https://markphelps.me/posts/running-ai-agents-in-devcontainers/) is a practical guide to using `.devcontainer` as flexible, fully-custom agent sandboxes.\n\n**Bubblewrap**: [bubblewrap](https://github.com/containers/bubblewrap) is an unprivileged sandboxing tool that backs several projects listed here. It can be applied directly to [Claude Code](https://patrickmccanna.net/a-better-way-to-limit-claude-code-and-other-coding-agents-access-to-secrets/) or [OpenCode](https://blog.gpkb.org/posts/ai-agent-sandbox/), with [nixwrap](https://github.com/rti/nixwrap) providing a Nix-declarative wrapper, [sandbox-run](https://github.com/sandbox-utils/sandbox-run) a minimal CLI around it, and [Grauwolf's sandbox-run](https://codeberg.org/Grauwolf/sandbox-run) a per-project wrapper that isolates file writes, tmp, and tool state.\n\n**Landlock**: [Landlock](https://landlock.io/) is a stackable LSM for unprivileged filesystem and network restriction. [island](https://github.com/landlock-lsm/island) is the go-to sandbox tool. 
[landrun](https://github.com/Zouuup/landrun) and [rstrict](https://github.com/creslinux/rstrict) are CLI tools for restricting process access. [landdown](https://git.sr.ht/~marcc/landdown) is a shebang-based Landlock sandbox for shell scripts — prepend a declarative ro/rw/connect allowlist to any script and it runs confined. [Litterbox](https://litterbox.work/) combines Landlock with Linux namespaces, and [Cursor Agent Sandboxing](https://cursor.com/blog/agent-sandboxing) uses Landlock, noting 40% fewer approval interruptions after teaching agents about their sandbox constraints.\n\n**Sandboxed and virtualized runtimes**: [gVisor](https://github.com/google/gvisor) intercepts Linux syscalls to shrink the attack surface for containerized workloads without full hardware virtualization (see also [MAGI: Multi-Agent gVisor Isolation](https://gvisor.dev/blog/2026/04/15/magi-multi-agent-gvisor-isolation/) — a practical walkthrough sandboxing every component of a triple-agent system in gVisor). [Kata Containers](https://github.com/kata-containers/kata-containers) provide lightweight virtual machines with a standard container interface. [libkrun](https://github.com/containers/libkrun) is a library for running lightweight KVM-backed VMs that serves as the hypervisor isolation layer for boxlite, brood-box, krunai, microsandbox, and several other agent sandboxes in this list. [go-microvm](https://github.com/stacklok/go-microvm) is a Go framework for running OCI images as microVMs via libkrun. [styrolite](https://github.com/edera-dev/styrolite) is Edera's container runtime engine that runs containers inside VM guests via a type 1 paravirtualized hypervisor (see the [Edera hypervisor paper](https://arxiv.org/abs/2501.04580)). [microvm.nix](https://github.com/microvm-nix/microvm.nix) is a Nix Flake for declaratively building and running NixOS MicroVMs across hypervisors (cloud-hypervisor, Firecracker, QEMU, crosvm, etc.) 
[Lima](https://github.com/lima-vm/lima) (CNCF Incubating) wraps QEMU, Apple Virtualization.framework, and krunkit as VM backends and powers Colima and Rancher Desktop; v2.0 added an MCP server so AI agents can operate safely inside VMs. [vmexec](https://gitlab.archlinux.org/archlinux/vmexec) is a zero-setup CLI for running commands in throwaway VMs built on rust-vmm crates. The [OpenClaw MicroVM walkthrough](https://buduroiu.com/blog/openclaw-microvm/) is a practical blog post demonstrating MicroVM-based agent sandboxing using cloud-hypervisor, with network egress logging via nftables/unbound and secret injection through virtiofs mounts.\n\n**WASM and browser-grade isolation**: [langchain-sandbox](https://github.com/langchain-ai/langchain-sandbox) and [Pyodide](https://pyodide.org/en/stable/) bring Python into WASM for sandboxed agent code execution; [RLBox](https://rlbox.dev/) provides WASM-based library sandboxing for isolating untrusted components within a process; [wassette](https://microsoft.github.io/wassette/latest/concepts.html) applies WASM at fine-grained component boundaries. [V8 Isolates](https://blog.cloudflare.com/safe-in-the-sandbox-security-hardening-for-cloudflare-workers/) offer a lightweight per-request isolation model as an alternative to containers or VMs — see also Cloudflare's [Dynamic Worker Loader](https://blog.cloudflare.com/dynamic-workers/) for on-demand per-agent V8 sandboxes with capability-scoped env bindings and optional network blocking. 
[Deno Deploy Sandbox](https://deno.com/deploy/sandbox) is a managed sandbox API that gives each execution a dedicated Firecracker microVM.\n\n## Provenance, Instrumentation \u0026 Observability\n\nProjects that instrument agents for security observability, which could be useful for provenance tracking and to feed policy decision points (PDPs), including gateways, proxies, eBPF-based tools, attestation frameworks, policy engines, and tracing systems.\n\n| Name | Keywords | Description |\n|------|----------|-------------|\n| 🔥 [aflock](https://github.com/aflock-ai/aflock) | SPIFFE, in-toto, provenance, policy | Signed policy files that constrain agent behavior and produce verifiable attestations derived from model, environment, tools, policy, and parent. Facilitates key separation, SPIFFE-modeled workload attestation, and in-toto-inspired sublayouts for delegated sub-agent constraints. |\n| 🔥 [cupcake](https://cupcake.eqtylab.io/) | tracing | EQTY Lab's runtime security framework for agents providing signed execution traces and verifiable agent behavior guarantees. |\n| 🔥 [mandible](https://github.com/mandible-ai/mandible) | provenance | Multi-agent coordination framework with built-in cryptographic provenance: bridge attestations create linked chains of custody across environments. Seeks to implement output-level provenance and causal lineage tracking as first-class primitives. |\n| 🔥 [sage](https://github.com/avast/sage) | observability | Hooks into agent tool calls to validate commands, URLs, file writes, and package installs against cloud-based reputation APIs, local YAML threat heuristics, and supply-chain package analysis. |\n| 🔥 [AgentSentinel](https://github.com/m4p1e/agent-sentinel) | eBPF | Real-time defense framework for monitoring and constraining agent behavior using eBPF instrumentation. See also the [research paper](https://arxiv.org/abs/2509.07764). 
|\n| 🔥 [AgentSight (eBPF)](https://github.com/eunomia-bpf/agentsight) | eBPF | eBPF-based observability tool providing kernel-level tracing of agent runtime behavior without modifying the agent code. |\n| [MCPSpy](https://github.com/alex-ilgayev/mcpspy) | eBPF, MCP | eBPF-based real-time monitor that intercepts MCP traffic at the kernel level. Includes ML-based prompt injection detection on the wire. |\n| 🔥 [membrane](https://github.com/noperator/membrane) | eBPF, Tracee, egress-filtering | Agent-agnostic sandbox with eBPF tracing (via Tracee sidecar) logging all file, network, and process activity as structured JSONL, hostname-allowlisted egress filtering with continuous DNS refresh, filesystem masking/read-only patterns, and unprivileged Docker-in-Docker via [Sysbox](https://github.com/nestybox/sysbox). |\n| 🔥 [Claw Patrol](https://github.com/denoland/clawpatrol) | credential-separation, policy | Routes agent traffic through WireGuard/Tailscale tunnels: terminates TLS, parses the inner protocol, injects credentials the agent never sees, and evaluates HCL/CEL rules per request. Approval chains compose LLM judges and human-in-Slack. See [blog post](https://deno.com/blog/clawpatrol). |\n| [tapes](https://github.com/papercomputeco/tapes) | proxy, OpenTelemetry, content-addressable | Transparent agentic telemetry proxy (same author as stereOS): intercepts agent↔inference API traffic, stores every session as content-addressable turns in SQLite with vector embeddings, OpenTelemetry instrumentation, deterministic replay via session checkout, and semantic search across conversation history. |\n| 🔥 [agentgateway](https://agentgateway.dev/docs/) | policy | Dedicated gateway for agent traffic providing centralized observability, policy enforcement, and access control at the agent boundary. 
|\n| 🔥 [rover (instrumentation)](https://github.com/endorhq/rover) | tracing, policy, sandbox | Endor Labs' security-focused agent framework with built-in tracing, policy enforcement, and sandboxed tool execution. |\n| [ClawShield](https://github.com/SleuthCo/clawshield-public) | eBPF, iptables, proxy, OCSF | Defense-in-depth security proxy for AI agents with optional eBPF syscall monitoring; note the cross-layer event bus that helps tighten policies across layers. |\n| [SentinelGate](https://github.com/Sentinel-Gate/Sentinelgate) | MCP, policy | Cross-platform userspace firewall for AI agents that intercepts MCP tool calls (as an aggregating proxy), shell commands, file access, and HTTP requests, enforcing RBAC and CEL-powered policies (same engine as Kubernetes/Envoy). |\n| [carapace](https://github.com/clawdreyhepburn/carapace) | Cedar, LLM-proxy, MCP | Cedar policy enforcement for AI agents with an LLM proxy so the agent never holds the real API key. Gates MCP tools, shell commands, and API domains via Cedarling WASM (\u003c6ms). See also [OVID-ME](https://github.com/clawdreyhepburn/ovid-me), and [blog post](https://clawdrey.com/blog/from-identity-to-authorization.html) showing end-to-end flow. |\n| [ibac](https://ibac.dev/) | OpenFGA, intent-parsing, policy | Intent-Based Access Control: derives per-request FGA tuples from the user's stated intent (one extra LLM call), then checks them against OpenFGA before every tool invocation (~9ms). Default-deny, no framework changes. 100% injection blocking on AgentDojo (strict mode). |\n| [guardians](https://github.com/metareflection/guardians) | taint-analysis | Implementation of Erik Meijer's [\"Guardians of the Agents\"](https://cacm.acm.org/practice/guardians-of-the-agents/). See also [CaMeL](https://arxiv.org/abs/2503.18813). |\n| [hooksy](https://github.com/ihavespoons/hooksy) | Claude Code, LLM-analysis | Claude Code hooks inspector with LLM-augmented dynamic analysis. 
|\n| [AgentTrust](https://github.com/chenglin1112/AgentTrust) | MCP, LLM-judge | Real-time semantic safety interception between agent and tools. 170 YAML policy rules, \u003c1ms rule latency. See [paper](https://arxiv.org/abs/2605.04785). |\n| [gryph](https://github.com/safedep/gryph) | hooks, audit-trail | Local-first audit trail for AI coding agents that hooks into tool calls and logs every file read/write and command execution. |\n| [agent-trace](https://github.com/Siddhant-K-code/agent-trace) | tracing, MCP, replay, policy | `strace` for AI agents: captures every tool call, file op, prompt, and response from Claude Code, Cursor, Gemini CLI, or any MCP client. Session replay, run diffs, and audit exports (Datadog, Honeycomb, New Relic, Splunk). VS Code extension + CLI. |\n| [Infisical Agent Sentinel](https://infisical.com/docs/documentation/platform/agent-sentinel/overview) | MCP, gateway, policy, audit | Infisical's centralized control plane for AI agent tool access: MCP gateway managing which tools agents can reach, how they authenticate, and full audit visibility into every tool invocation. |\n| [Arize Phoenix Tracing](https://arize.com/docs/phoenix/tracing/llm-traces) | tracing, observability | Arize Phoenix's LLM tracing framework providing observability into agent tool calls and execution flows. |\n| [agentry](https://github.com/amtp-protocol/agentry) | tracing | Agent protocol implementation providing structured message tracing and policy hooks for securing agent-to-agent interactions. |\n| [dapr-a2a](https://github.com/diagrid-labs/dapr-a2a) | observability | Dapr integration for Agent-to-Agent protocol providing service mesh-style observability and policy for inter-agent communication. 
|\n| [toolhive provenance](https://github.com/stacklok/toolhive/blob/e00a4fc8482babc3d28edd289766a4589fde184e/docs/arch/06-registry-system.md) | MCP, provenance, registry | Toolhive's registry architecture documenting how tool provenance and security metadata are tracked for MCP servers. |\n| [Virtual MCP Server (Stacklok)](https://dev.to/stacklok/introducing-virtual-mcp-server-unified-gateway-for-multi-mcp-workflows-17ee) | MCP, provenance | Stacklok's unified gateway multiplexing multiple MCP servers with centralized policy and provenance verification via toolhive. |\n| [Agent Governance Toolkit](https://github.com/microsoft/agent-governance-toolkit) | policy, OPA, Cedar, SPIFFE, SRE | Microsoft's runtime governance framework with deterministic policy enforcement (OPA/Rego + Cedar), Ed25519/SPIFFE agent identity, trust scoring, SRE tooling (SLOs, error budgets, chaos), and full OWASP Agentic Top 10 coverage. Multi-language (Python, TypeScript, .NET). See also [LIMITATIONS.md](https://github.com/microsoft/agent-governance-toolkit/blob/main/docs/LIMITATIONS.md). |\n| [micromize](https://github.com/micromize-dev/micromize) | eBPF, BPF-LSM, IMA, execution-integrity, Kubernetes | BPF-LSM enforcement of container boundaries built on [Inspektor Gadget](https://github.com/inspektor-gadget/inspektor-gadget). Execution integrity via SBOM + runtime binary hash validation using `bpf_ima_file_hash`. |\n\n## Secrets Management \u0026 Isolation\n\nProjects and technologies that credibly separate (isolate) credentials and tokens from the main agent runtime.\n\n| Name | Keywords | Description |\n|------|----------|-------------|\n| 🔥 [nono secrets management](https://nono.sh/docs/cli/features/secrets) | keyring, OS-secure-store, Landlock | nono's secrets management layer using OS-native secure stores (e.g., keyring) to isolate credentials from the agent runtime entirely. 
The [credential injection proxy](https://nono.sh/blog/blog-credential-injection) implements a phantom token pattern where the agent only sees a per-session token and real credentials are swapped in by a host-side proxy. |\n| 🔥 [iron-proxy](https://github.com/ironsh/iron-proxy) | MITM-proxy, egress, secret-injection, DNS, SSRF | MITM egress proxy with built-in DNS server: default-deny at the network boundary (domain/CIDR allowlist, everything else gets a 403), boundary-level secret injection (workloads use proxy tokens worthless outside the proxy — real creds swapped in at egress), upstream IP deny list closing SSRF/DNS-rebinding gaps (IMDS blocked by default), per-request structured JSON audit trail, streaming-aware (WebSocket/SSE). Single binary, single YAML. |\n| 🔥 [agent-creds](https://github.com/dtkav/agent-creds) | Macaroons, Envoy, iptables, TLS-interception, Docker, credential-injection | Network-isolated Docker sandbox with iptables-enforced traffic routing through an Envoy TLS-intercepting proxy, where a vault service validates Macaroon tokens (scoped by host, method, path, and expiry) and injects real API credentials server-side. |\n| 🔥 [wardgate](https://github.com/wardgate/wardgate) | gateway, credential-injection, SSH, IMAP, SMTP, containers, approval-workflow | Security gateway isolating credentials; agents authenticate to the gateway with their own key while real credentials are injected server-side — combined with \"conclaves\" (isolated containers with per-command policy, pipeline parsing, and tool/data/network isolation) |\n| 🔥 [Warden](https://github.com/stephnangue/warden) | gateway, SPIFFE, credential-brokering | Broker where agent presents JWT or TLS cert (SPIFFE SVID), Warden injects real credentials per-request — agent never holds secrets. Per-call role switching for mid-task least privilege, discovery protocol (agents introspect allowed roles/providers/skills). 
|\n| 🔥 [Riptides on-the-wire credential injection](https://blog.riptides.io/vault-credentials-on-the-wire-riptides/) | kernel, SPIFFE, Vault, OpenBao, credential-injection | Kernel-space interception of outbound agent requests with on-the-wire injection of Vault/OpenBao-sourced credentials via SPIFFE workload identity, ensuring secrets never materialize in agent user space. |\n| 🔥 [kloak](https://github.com/spinningfactory/kloak) | eBPF, uprobes, TLS-interception, Kubernetes, secret-injection | Kubernetes eBPF secret injector that hooks TLS writes via uprobes (OpenSSL, BoringSSL, Go): applications only see hashed placeholder tokens, real secrets exist solely in eBPF maps and are swapped in-kernel before encryption. |\n| [clawshell](https://github.com/clawshell/clawshell) | proxy, virtual-keys, DLP, Unix-permissions | Drop-in sidecar proxy for OpenClaw that maps virtual API keys to real provider credentials (stored in a Unix-permission-protected config), with regex-based DLP scanning that can block or redact PII in request/response bodies before they reach upstream LLM APIs. |\n| [prxlocal](https://github.com/vladimirkras/prxlocal) | proxy, secret-injection | Simple proxy-based technique for separating secrets from agent execution by intercepting requests and injecting credentials externally. |\n| [onecli](https://github.com/onecli/onecli) | proxy, secret-injection, per-agent-tokens | Rust gateway: agents use placeholder keys, and the gateway swaps in real credentials at request time, matched by host/path patterns. AES-256-GCM at rest, per-agent scoped access tokens. |\n| [secretless-ai](https://github.com/opena2a-org/secretless-ai) | hooks, secret-injection, keychain | Keeps credentials out of AI context windows; for Claude Code it installs a `PreToolUse` hook that intercepts every file read, grep, glob, bash, write, and edit before execution. Supports multiple secret backends (local AES-256-GCM, OS keychain, 1Password). 
|\n| [enject](https://github.com/GreatScott/enject) | secret-isolation, CLI, subprocess-injection | Rust CLI (formerly enveil) that replaces `.env` plaintext values with `en://` placeholder references while real values are stored in an Argon2id-derived AES-256-GCM encrypted local store. Decrypts, resolves references, injects real values into the subprocess environment, then zeroizes key material. Deliberately omits `get`/`export` commands to prevent AI-readable secret leakage. |\n| [airut masked secrets](https://github.com/airutorg/airut/blob/main/doc/network-sandbox.md#masked-secrets-token-replacement) | proxy, masked-secrets, network-allowlist, AWS-SigV4 | mitmproxy transparently intercepts all HTTPS traffic, generates format-preserving surrogate tokens, injects them into the container's environment, and the proxy swaps surrogate → real value in outgoing request headers only for scoped hosts. |\n| [Tailscale Aperture](https://tailscale.com/docs/features/aperture) | gateway, credential-injection, Tailscale, observability | Alpha LLM API gateway running on a tailnet that extracts the model name from each request body, routes to the correct provider, and injects provider authentication headers server-side. |\n| [latchkey](https://github.com/imbue-ai/latchkey) | credential-injection, curl, browser-login, agent-skills | TypeScript CLI that injects stored credentials into `curl` requests to known third-party APIs (Slack, GitHub, Discord, Linear, Google Workspace, AWS, Stripe, and ~25 more). Credentials are encrypted under `~/.latchkey` using the OS keyring. |\n| [authsome](https://github.com/manojbajaj95/authsome) | OAuth2, credential-store, token-refresh | Local credential layer for AI agents: log in once via OAuth2 or API key, authsome keeps tokens fresh (auto-refresh, expiry handling) across scripts, cron, CI, and parallel pipelines. Single encrypted store for all providers; agents call it at runtime instead of reading env vars. 
|\n| [authproxy](https://github.com/rmorlok/authproxy) | proxy, credential-injection, OAuth2, audit | Embeddable open-source iPaaS HTTP proxy: application sends requests without credentials, authproxy injects the appropriate auth (OAuth2 bearer, API key), auto-refreshes expired tokens, logs every request for auditability. Declarative YAML connector definitions, pre-built admin UI, connector marketplace. |\n| [LEASH](https://github.com/vettid/LEASH) | MCP, vault, action-execution, zero-exposure, connection-contracts | Proposed companion standard to MCP for secret handling. Vault executes operations on the agent's behalf using secrets and returns only results. Platform-bound credentials + binary attestation of the connector process. |\n\n**Other secret management tools of potential interest** include: [sops](https://github.com/getsops/sops), [fnox](https://github.com/jdx/fnox), [dotenvx](https://dotenvx.com/), [varlock](https://varlock.dev/), and [envio](https://github.com/humblepenguinn/envio).\n\n## Agent Identity \u0026 Credentials\n\nSpecs, proposals, reference implementations, extensions, and ideas addressing agent identity and credentials that capture provenance, intent, and integrity. 
For a good bird's-eye overview of this space, see [Andrew Green's overview of agent auth solutions](https://www.linkedin.com/posts/andrew-green-tech_are-there-any-good-agent-auth-solutions-yet-share-7431669856372170752-0Xvi).\n\n- [AAuth](https://github.com/dickhardt/AAuth) ([IETF draft](https://datatracker.ietf.org/doc/draft-hardt-aauth-protocol/), [full implementation demo](https://blog.christianposta.com/aauth-full-demo/) with Keycloak + Agentgateway; [real world implementation](https://markmhendrickson.com/posts/know-which-of-your-agents-wrote-what/) of AAuth + RFC 9421 HTTP Message Signatures)\n- [Verifiable Intent](https://github.com/agent-intent/verifiable-intent) ([blog post](https://shanedeconinck.be/posts/mastercard-verifiable-intent-agents-can-prove-what-you-approved/), [site](https://verifiableintent.dev/))\n- [AI Agent Auth and Authz (IETF)](https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/) (composing WIMSE, OAuth 2.0, Transaction Tokens, and HTTP Message Signatures)\n- [Agent Native Authorization (IETF)](https://datatracker.ietf.org/doc/draft-embesozzi-oauth-agent-native-authorization/)\n- [CAAM (IETF)](https://datatracker.ietf.org/doc/html/draft-barney-caam-00) (bridges SPIFFE workload identity and IPSIE human identity with ReBAC, RATS attestation, and purpose-bound delegation)\n- [FAPI / RAR (RFC 9396)](https://datatracker.ietf.org/doc/html/rfc9396), [SD-JWT (RFC 9901)](https://datatracker.ietf.org/doc/rfc9901/), [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/) and [agent extension](https://www.ietf.org/archive/id/draft-oauth-transaction-tokens-for-agents-05.html), [Identity and Authorization Chaining Across Domains](https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/), [Txn-Token Chaining Profile](https://datatracker.ietf.org/doc/draft-fletcher-transaction-token-chaining-profile/), [OAuth Actor Profile](https://datatracker.ietf.org/doc/draft-mcguinness-oauth-actor-profile/), 
[CAEP and SSF](https://sgnl.ai/whitepaper/caep-best-practices/), [JWT Authorization Grants in MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/1947), [Token Exchange in MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/214), [AWS Bedrock AgentCore OBO token exchange](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/on-behalf-of-token-exchange.html) (RFC 8693 / RFC 7523 OBO for agents, also [Microsoft EntraID OBO sample](https://github.com/awslabs/agentcore-samples/tree/main/01-tutorials/02-AgentCore-gateway/18-Outbound_Auth_OBO_Microsoft))\n- Workload identity and attestation: [WIMSE](https://datatracker.ietf.org/group/wimse/documents/), [Waffles](https://github.com/clawdreyhepburn/waffles-draft), [Trustworthy Workload Identity](https://github.com/confidential-computing/twi), [CoSAI Remote Attestation](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/blob/mcp/model-context-protocol-security.md#324-cryptographic-integrity-and-remote-attestation)\n- Bot/agent authentication to websites: [WebBotAuth WG](https://datatracker.ietf.org/wg/webbotauth/about/), [architecture](https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/) (HTTP Message Signatures for automated traffic), [signatures directory](https://datatracker.ietf.org/doc/draft-meunier-http-message-signatures-directory/), [anonymous bot auth with rate limiting](https://datatracker.ietf.org/doc/draft-rescorla-anonymous-webbotauth/)\n- Agent communication transport governance: [AGTP Composition](https://datatracker.ietf.org/doc/draft-hood-agtp-composition/) \n- Distributed policy engines (PEPs/PDPs): [AuthZEN](https://openid.net/wg/authzen/), [Cedarling](https://docs.jans.io/head/cedarling/), [casbin](https://casbin.org/), [Oso](https://www.osohq.com/docs/get-started/automated-least-privilege), [Keycard](https://www.keycard.ai/)\n- Decentralized trust registries:\n  - [Trust over 
IP](https://trustoverip.github.io/tswg-tsp-specification/) ([explainer](https://shanedeconinck.be/explainers/tsp/))\n  - [Verifiable Trust](https://verana-labs.github.io/verifiable-trust-spec/)\n  - [TRQP](https://www.lfdecentralizedtrust.org/blog/toip-announces-public-review-02-of-the-trust-registry-query-protocol-trqp-specification-v2.0)\n  - [Anonymous Credentials (ARC)](https://datatracker.ietf.org/doc/draft-yun-cfrg-arc/)\n  - [Directory (dir)](https://github.com/agntcy/dir), agent records described using [OASF](https://github.com/agntcy/oasf)\n  - [DNS-AID](https://github.com/infobloxopen/dns-aid-core) ([IETF draft-dnsaid](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/))\n  - [DAWN](https://datatracker.ietf.org/doc/draft-king-dawn-requirements/)\n- Research and frameworks:\n  - [Inter-Agent Trust Models](https://arxiv.org/abs/2511.03434)\n  - [Identity Management for Agentic AI (OpenID Foundation)](https://arxiv.org/abs/2510.25819)\n  - [Delegated Authorization Constrained to Semantic Task-to-Scope Matching](https://arxiv.org/abs/2510.26702)\n  - [Authorization Propagation in Multi-Agent AI](https://arxiv.org/abs/2605.05440)\n  - [PIC Model](https://github.com/pic-protocol/pic-spec/blob/main/draft/0.1/pic-spec.md) ([edge simulation](https://somethingsubtle.com/projects/vdabbling-edge-identity-pic-protocol/))\n  - [Nanda Unified Architecture](https://arxiv.org/abs/2507.07901), [IAM for Agents](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5785263), [AIS-1](https://github.com/kadikoy1/ais-1)\n  - [Agent Identity Protocol (AIP)](https://github.com/openagentidentityprotocol/agentidentityprotocol) ([Go SDK](https://github.com/openagentidentityprotocol/aip-go))\n  - [opena2a agent-identity-management](https://github.com/opena2a-org/agent-identity-management)\n  - [Specification Compendium (naftiko)](https://github.com/naftiko-capabilities/interfaces)\n  - [AGBAC](https://github.com/kahalewai/agbac) with [reference 
implementation](https://github.com/kahalewai/dual-auth)\n  - [Intent-Based Access Control for Agentic AI](https://www.itu.int/en/ITU-T/Workshops-and-Seminars/2026/0330/Documents/Ward%20Duchamps.pdf)\n  - [ZeroID](https://github.com/highflame-ai/zeroid)\n  - [Vega (Microsoft Research)](https://www.microsoft.com/en-us/research/blog/vega-zero-knowledge-proofs-for-digital-identity-in-the-age-of-ai/)\n- Forums and working groups: [DIF Trusted Agents WG](https://identity.foundation/working-groups/trusted-agents.html), [KYA-OS](https://blog.identity.foundation/kya-os/), [DIF TAAWG Mailing List](https://lists.identity.foundation/g/taawg)\n- Also worth noting: [Progressive Authentication](https://github.com/dickhardt/agent-auth), [Capability Negotiation](https://arxiv.org/abs/2506.13590), [EAM-SQL Safety Envelopes](https://openreview.net/forum?id=7c1S9NWmq5), [Permission Protocol](https://github.com/permission-protocol/docs)\n\nSeveral good ideas are also explored in blog posts and articles, including [CSA Agentic AI IAM Whitepaper](https://cloudsecurityalliance.org/artifacts/agentic-ai-identity-and-access-management-a-new-approach), [DCR for MCP](https://blog.modelcontextprotocol.io/posts/client_registration/), [SPIFFE and OAuth](https://blog.christianposta.com/authenticating-mcp-oauth-clients-with-spiffe/), [Verifiable Credentials for AI](https://blog.identity.foundation/building-ai-trust-at-scale/), [Continuous Authorization](https://www.linkedin.com/pulse/identity-security-mcp-agents-four-layer-continuous-model-poreddy-mpnvc/), [Delegated Authorization](https://glama.ai/blog/2025-11-27-securing-enterprise-ai-agents-with-unique-identities-in-the-model-context-protocol-mcp), [Delegation patterns](https://blog.christianposta.com/agent-identity-impersonation-or-delegation/), [Cedar delegation for OpenClaw subagents](https://www.windley.com/archives/2026/03/delegation_as_data_applying_cedar_policies_to_openclaw_subagents.shtml) ([policy-aware agent loop 
demo](https://github.com/windley/openclaw-cedar-policy-demo)), [Riptides](https://riptides.io/blog-post/introducing-riptides-conditional-access-fine-grained-time-aware-security-policies), [Encoding User Intent](https://www.linkedin.com/pulse/complexity-encoding-user-intent-agentic-ai-systems-george-fletcher-xuape/), [ID-JAG](https://www.linkedin.com/pulse/mcp-focus-providing-flexibility-cross-application-atul-tulshibagwale-xvekc/), [OAuth Limitations for Agents](https://kontext.dev/blog/oauth-for-mcp-agents), [Qualified VDRs](https://medium.com/spherity/qualified-verifiable-data-registries-qvdr-as-the-foundational-component-of-digital-public-7a698acfd020), [Agents and Payments Identity](https://sphericalcowconsulting.com/2025/12/23/web-payments-and-digital-identity/), [Ambient Mesh](https://www.linkedin.com/pulse/trust-model-ambient-mesh-microsegmentation-async-flows-nicola-gallo-uplef/), [Token-Based Access Control](https://www.linkedin.com/pulse/mobile-multi-token-challenge-mike-schwartz-nlxtc/), [Applicability of Standards](https://www.authlete.com/developers/api_protection/), [Chaining and Nesting for Lineage](https://www.youtube.com/watch?v=EiemfsbUtgs), and [FGA for Agent Authorization](https://workos.com/blog/agents-need-authorization-not-just-authentication).\n\n## References\n\n### Risks \u0026 mitigations frameworks\n\nPapers, frameworks, and documents discussing agent runtime security, threat models, and recommended mitigations.\n\n- Threat models and top-10 style frameworks\n  - [OWASP Top 10 Agentic](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)\n  - [Meta: Practical AI Agent Security](https://ai.meta.com/blog/practical-ai-agent-security/)\n  - [AWS Agentic AI Security Matrix](https://aws.amazon.com/blogs/security/the-agentic-ai-security-scoping-matrix-a-framework-for-securing-autonomous-ai-systems/) \n  - [AARTS](https://github.com/gendigitalinc/aarts/blob/main/standard.md)\n  - [Attack and Defense Landscape of 
Agentic AI](https://arxiv.org/abs/2603.11088)\n    - See also the [Weather Report analysis](https://theweatherreport.ai/posts/agentic-ai-attack-defense/)\n  - [AARM: Autonomous Action Runtime Management](https://aarm.dev/) ([paper](https://arxiv.org/abs/2602.09433))\n  - [AGCP: Agentic Governance Control Plane](https://github.com/jwillisSFT/agcp-spec)\n  - [Distributed Trust Framework (DTF)](https://arxiv.org/abs/2605.15228)\n  - [Zones of Distrust (ZoD)](https://github.com/bluvibytes/zone-of-distrust)\n  - [Execution Outcome Attestation (IETF)](https://datatracker.ietf.org/doc/html/draft-morrow-sogomonian-exec-outcome-attest-00)\n  - MCP-focused security documents:\n    - [SAFE-MCP](https://github.com/SAFE-MCP/safe-mcp)\n    - [CoSAI MCP Security](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/blob/mcp/model-context-protocol-security.md)\n    - [SoK: MCP Ecosystem Security](https://arxiv.org/abs/2512.08290)\n    - [Enterprise MCP Security Frameworks](https://arxiv.org/abs/2504.08623)\n    - [Securing MCP: Risks, Controls, Governance](https://arxiv.org/abs/2511.20920)\n    - [MCP Server Security Standard](https://github.com/mcp-security-standard/mcp-server-security-standard)\n    - [SEP-1933: Workload Identity Federation for MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/1933)\n  - [Security of AI Agent Communication Protocols](https://arxiv.org/abs/2602.11327)\n- Cryptographic integrity of tools, models, and data:\n  - [CoSAI Crypto Verification of Resources](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/blob/mcp/model-context-protocol-security.md#326-cryptographic-verification-of-resources)\n  - [CoSAI Signing ML Artifacts](https://github.com/cosai-oasis/ws1-supply-chain/blob/main/signing-ml-artifacts.md)\n  - [SAFE-M-2 Tool Description Integrity](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-2/README.md), [SAFE-M-30 Data Source 
Integrity](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-30/README.md), [SAFE-M-34 Model Integrity](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-34/README.md)\n  - ML lifecycle provenance: [Atlas ML Provenance](https://arxiv.org/abs/2502.19567) ([CLI](https://github.com/IntelLabs/atlas-cli)), [OpenSSF GPU Model Integrity](https://github.com/ossf/ai-ml-security/issues/41), [OpenSSF Model Lifecycle Provenance](https://github.com/ossf/ai-ml-security/issues/40)\n\n### Linux security technologies\n\nSurveys, guides, and foundational literature on Linux security technologies applicable to agent sandboxing.\n\n- Sandboxing surveys and guides\n  - [Survey of Real-World Process Sandboxing](https://fruct.org/publications/volume-35/fruct35/files/Niem.pdf)\n  - [awesome-sandbox](https://github.com/restyler/awesome-sandbox)\n  - [Ikangai Sandboxing Guide](https://www.ikangai.com/the-complete-guide-to-sandboxing-autonomous-agents/)\n  - [The State of MicroVM Isolation in 2026](https://emirb.github.io/blog/microvm-2026/)\n- Landlock\n  - [Landlock.io](https://landlock.io/)\n  - [Landlock: Idea to Implementation](https://landlock.io/talks/2024-06-06_landlock-article.pdf)\n  - [Landlock integrations](https://landlock.io/integrations/)\n- Containers and kernel security:\n  - [Leveraging Kernel Security for Containers](https://dl.acm.org/doi/epdf/10.1145/3339252.3340502)\n  - [Security Challenges in Container Cloud](https://www.researchgate.net/publication/359967351_Security_Challenges_in_the_Container_Cloud)\n  - [SANDBOXESCAPEBENCH](https://arxiv.org/abs/2603.02277) finding that capable models can identify and exploit container escape vulnerabilities\n  - [User namespaces are not a security boundary](https://edera.dev/stories/user-namespaces-are-not-a-security-boundary): unprivileged user namespace sandboxes have a long history of kernel exploit vectors; layer additional controls (seccomp, Landlock, AppArmor/SELinux) when relying on 
them.","projects_url":"https://awesome.ecosyste.ms/api/v1/lists/bureado%2Fawesome-agent-runtime-security/projects"}