Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

awesome-agent-runtime-security

Learning something new about runtime security for agents
https://github.com/bureado/awesome-agent-runtime-security

Last synced: 1 day ago
JSON representation

  • Secrets Management & Isolation

    • sops
    • agent-creds - interception, Docker, credential-injection | Network-isolated Docker sandbox with iptables-enforced traffic routing through an Envoy TLS-intercepting proxy, where a vault service validates Macaroon tokens (scoped by host, method, path, and expiry) and injects real API credentials server-side. |
    • wardgate - injection, SSH, IMAP, SMTP, containers, approval-workflow | Security gateway isolating credentials; agents authenticate to the gateway with their own key while real credentials are injected server-side — combined with "conclaves" (isolated containers with per-command policy, pipeline parsing, and tool/data/network isolation) |
    • latchkey - injection, curl, browser-login, agent-skills | TypeScript CLI that injects stored credentials into `curl` requests to known third-party APIs (Slack, GitHub, Discord, Linear, Google Workspace, AWS, Stripe, and ~25 more). Credentials are encrypted under `~/.latchkey` using the OS keyring. |
    • clawshell - keys, DLP, Unix-permissions | Drop-in sidecar proxy for OpenClaw that maps virtual API keys to real provider credentials (stored in a Unix-permission-protected config), with regex-based DLP scanning that can block or redact PII in request/response bodies before they reach upstream LLM APIs. |
    • secretless-ai - injection, keychain | Keeps credentials out of AI context windows, esp. for Claude Code it installs a `PreToolUse` hook that intercepts every file read, grep, glob, bash, write, and edit before execution. Supports multiple secret backends (local AES-256-GCM, OS keychain, 1Password). |
    • enject - isolation, CLI, subprocess-injection | Rust CLI (formerly enveil) that replaces `.env` plaintext values with `en://` placeholder references while real values are stored in an Argon2id-derived AES-256-GCM encrypted local store. Decrypts, resolves references, injects real values into the subprocess environment, then zeroizes key material. Deliberately omits `get`/`export` commands to prevent AI-readable secret leakage. |
    • nono secrets management - secure-store, Landlock | nono's secrets management layer using OS-native secure stores (e.g., keyring) to isolate credentials from the agent runtime entirely. The [credential injection proxy](https://nono.sh/blog/blog-credential-injection) implements a phantom token pattern where the agent only sees a per-session token and real credentials are swapped in by a host-side proxy. |
    • Riptides on-the-wire credential injection - injection | Kernel-space interception of outbound agent requests with on-the-wire injection of Vault/OpenBao-sourced credentials via SPIFFE workload identity, ensuring secrets never materialize in agent user space. |
    • prxlocal - injection | Simple proxy-based technique for separating secrets from agent execution by intercepting requests and injecting credentials externally. |
    • airut masked secrets - secrets, network-allowlist, AWS-SigV4 | mitmproxy transparently intercepts all HTTPS traffic, generates format-preserving surrogate tokens, injects them into the container's environment, and the proxy swaps surrogate → real value in outgoing request headers only for scoped hosts. |
    • Tailscale Aperture - injection, Tailscale, observability | Alpha LLM API gateway running on a tailnet, extracts the model name from each request body, routes to the correct provider and injects provider authentication headers server-side. |

  • Sandboxing & Isolation

    • gVisor - containers/kata-containers) provide lightweight virtual machines with a standard container interface. [libkrun](https://github.com/containers/libkrun) is a library for running lightweight KVM-backed VMs that serves as the hypervisor isolation layer for boxlite, brood-box, krunai, and several other agent sandboxes in this list. [go-microvm](https://github.com/stacklok/go-microvm) is a Go framework for running OCI images as microVMs via libkrun. [styrolite](https://github.com/edera-dev/styrolite) is Edera's container runtime engine that runs containers inside VM guests via a type 1 paravirtualized hypervisor (see the [Edera hypervisor paper](https://arxiv.org/abs/2501.04580)). [microvm.nix](https://github.com/microvm-nix/microvm.nix) is a Nix Flake for declaratively building and running NixOS MicroVMs across hypervisors (cloud-hypervisor, Firecracker, QEMU, crosvm, etc.) The [OpenClaw MicroVM walkthrough](https://buduroiu.com/blog/openclaw-microvm/) is a practical blog post demonstrating MicroVM-based agent sandboxing using cloud-hypervisor, with network egress logging via nftables/unbound and secret injection through virtiofs mounts.
    • e2b - based agent sandbox infrastructure using [Firecracker](https://github.com/firecracker-microvm/firecracker) MicroVMs for strong hardware-level isolation between agent workloads. |
    • bubblewrap - better-way-to-limit-claude-code-and-other-coding-agents-access-to-secrets/) or [OpenCode](https://blog.gpkb.org/posts/ai-agent-sandbox/), with [nixwrap](https://github.com/rti/nixwrap) providing a Nix-declarative wrapper, [sandbox-run](https://github.com/sandbox-utils/sandbox-run) a minimal CLI around it, and [Grauwolf's sandbox-run](https://codeberg.org/Grauwolf/sandbox-run) a per-project wrapper that isolates file writes, tmp, and tool state.
    • secimport - based module-level Python sandbox that uses USDT probes to track which Python module is executing at each syscall boundary and nsjail seccomp profile generation. |
    • Hyperlight - nanvix-bringing-multi-language-support-for-extremely-fast-hardware-isolated-micro-vms) | MicroVM, syscall interposition | Hardware-isolated VMs via KVM or Hyper-V with millisecond cold starts and no guest OS — combined with host-side syscall interposition for 150+ syscalls via the Nanvix Rust microkernel. See also [hyperlight-sandbox](https://github.com/hyperlight-dev/hyperlight-sandbox), the Python SDK (v0.1) for running sandboxed code in Hyperlight VMs (KVM/MSHV) or WASM backends. |
    • dyana - based sandbox for loading, running, and profiling untrusted files (ML models, Pickle, ELF, JS) with hardened containers (cap-drop ALL, no-new-privileges, network disabled, ipc-none, mem/pid limits, tmpfs noexec) monitored by an Aqua Tracee eBPF sidecar that traces 40+ security events (fileless execution, ld_preload, code injection, syscall hooking) scoped to the target container. |
    • langchain-sandbox - based library sandboxing for isolating untrusted components within a process; [wassette](https://microsoft.github.io/wassette/latest/concepts.html) applies WASM at fine-grained component boundaries. [V8 Isolates](https://blog.cloudflare.com/safe-in-the-sandbox-security-hardening-for-cloudflare-workers/) offer a lightweight per-request isolation model as an alternative to containers or VMs — see also Cloudflare's [Dynamic Worker Loader](https://blog.cloudflare.com/dynamic-workers/) for on-demand per-agent V8 sandboxes with capability-scoped env bindings and optional network blocking. [Deno Deploy Sandbox](https://deno.com/deploy/sandbox) is a managed sandbox API that gives each execution a dedicated Firecracker microVM.
    • k7 - containers/kata-containers) to add MicroVM-backed security boundaries to agent execution. |
    • Leash
    • sandbox-runtime - level isolation. |
    • boxlite - based sandbox for coding agents using KVM virtualization via [libkrun](https://github.com/containers/libkrun), providing strong hardware-enforced isolation. |
    • shai - development/) model for controlled agent-driven code changes, scoping changes to discrete units. |
    • agentsh - bpf with user-notify for signal interception and syscall blocking. |
    • yolo-cage - branch isolation, a fail-closed mitmproxy egress proxy with LLM-Guard secret scanning and GitHub API operation blocking, TruffleHog pre-push hooks, and Kubernetes NetworkPolicy. |
    • OpenSandbox - purpose sandbox platform for AI agents with multi-language SDKs, per-sandbox egress controls, ingress gateway, and secure container runtimes ([gVisor](https://github.com/google/gvisor), [Kata](https://github.com/kata-containers/kata-containers), Firecracker). |
    • smolVM - binary VMs. |
    • amla-sandbox - based agent sandbox using wasmtime with a capability-based security model that enforces per-tool method constraints, call limits, and parameter validation before any tool invocation leaves the sandbox. |
    • fence - platform agent sandbox using bubblewrap with Landlock, seccomp, and eBPF monitoring on Linux. |
    • monty - generated code with no host access by default — filesystem, network, and env are only available via explicitly provided external functions, with sub-microsecond startup and serializable execution state. |
    • matchlock - language SDK for running agents in ephemeral Firecracker microVMs with host-boundary secret injection through a MITM proxy. |
    • ironclaw - injection | WASM-sandboxed tools (capability-based permissions, endpoint allowlisting), host-boundary credential injection where secrets never enter WASM memory. |
    • krunai - built agent sandbox running AI agents inside [libkrun](https://github.com/containers/libkrun) KVM microVMs, transparent user-space networking via [gVisor](https://github.com/google/gvisor) netstack. |
    • IronCurtain - layer agent sandbox: Code Mode runs TypeScript in a V8 isolate with zero host access, Docker Mode runs external agents (Claude Code, Goose) in network-disabled containers. Plain-English [constitution](https://www.provos.org/p/ironcurtain-secure-personal-assistant/) compiled into deterministic policy rules enforced on every MCP tool call, plus bubblewrap-sandboxed MCP servers. |
    • Cleanroom - hosted agent sandbox using Firecracker with host-side [gateway](https://github.com/buildkite/cleanroom/blob/main/docs/gateway.md) credential injection and digest-pinned OCI images. |
    • OpenFang - tracking | Uses a WASM dual-metered sandbox: wasmtime with both fuel metering and epoch interruption, backed by a watchdog thread that force-kills runaway code. Seeks to implement information flow taint tracking (secrets labelled from source to sink), Ed25519-signed agent manifests, and other techniques. |
    • ai-jail - layer agent sandbox: bubblewrap namespaces (PID/UTS/IPC/net) + Landlock V3/V4 (filesystem + network) + seccomp-bpf (~30 blocked syscalls) + resource limits. Lockdown mode mounts project read-only with no network and clearenv. Sensitive dirs (`.gnupg`, `.aws`, `.ssh`) never mounted; per-project `.ai-jail` TOML config. macOS via `sandbox-exec`. |
    • stereOS - built NixOS for AI agents, support for QEMU/KVM with sub-3s boot, gVisor included for in-VM sandboxing, and vsock-based secret injection via tmpfs. See also [agentd](https://github.com/papercomputeco/agentd). |
    • capsem - kernel, air-gapped | macOS-native sandbox running agents in Linux VMs via Apple Virtualization.framework. Custom kernel compiled with `CONFIG_INET=n` (no IP stack) and `CONFIG_MODULES=n` (no loadable modules), read-only rootfs, BLAKE3 boot asset integrity, no systemd. |
    • The Agent Sandbox Taxonomy
    • brood-box - isolation, egress-control, MCP-authz | CLI for running AI coding agents (Claude Code, Codex, OpenCode) inside [libkrun](https://github.com/containers/libkrun) KVM microVMs with COW snapshot isolation, DNS-aware egress policies, and Cedar-based MCP authorization. Built on [go-microvm](https://github.com/stacklok/go-microvm). |
    • Zeroboot - fork | Sub-millisecond VM sandboxes (0.8ms spawn) via Firecracker snapshot copy-on-write forking — each fork is a real KVM VM with hardware-enforced memory isolation at ~265KB per sandbox. No networking inside forks (serial I/O only). |
    • OpenShell - injection | NVIDIA's agent sandbox runtime using K3s (Kubernetes inside Docker) with four policy domains: filesystem, L7 network policy (HTTP method + path enforcement, hot-reloadable), process constraints, and a privacy router that strips agent credentials and injects backend credentials for LLM API calls. |
    • clampdown - capability agent (cap-drop=ALL), Landlock V3 filesystem isolation, ~115 blocked syscalls via seccomp, mandatory OCI hooks enforcing security policy on every tool container the agent spawns and SELinux/AppArmor confinement. |
    • sandlock - notif | Process sandbox combining Landlock (filesystem + network + IPC), seccomp-bpf (syscall filtering), and seccomp user notification (resource limits, IP enforcement, /proc virtualization, port virtualization). No root, no cgroups, no containers. COW fork enables O(1) memory scaling — parent loads model once, children share via copy-on-write. See also the [architecture blog post](https://multikernel.io/2026/03/14/introducing-sandlock/). |
    • nono - protected configuration and OS-native secrets management, making it one of the most holistic agent sandboxing solutions. See also [kubefence](https://github.com/bpradipt/kubefence), an NRI plugin that transparently injects nono sandboxing into Kubernetes containers and Kata VMs. |
    • Beams - identity, zero-secrets | Teleport's agent runtime using Firecracker VMs (200ms startup) with delegated short-lived identity certificates, zero secrets in the sandbox, policy-controlled egress proxy, and inference endpoint routing that injects backend credentials without exposing API keys to the agent. |
    • Docker Sandboxes - built sandbox for coding agents. See also [NanoClaw on Docker Sandboxes](https://nanoclaw.dev/blog/nanoclaw-docker-sandboxes/) for micro VM-based per-agent isolation. |
    • Agent Sandbox (k8s) - containers/kata-containers) for sandboxing AI agents in cloud-native environments. |
    • Gondolin - VMs. See also the [security design](https://earendil-works.github.io/gondolin/security/) and [repo](https://github.com/earendil-works/gondolin). |
    • Authority Nanos - based agent execution environment built on Nanos with 14 custom syscalls for agent communication and a secondary WASM sandbox for capability-gated tool execution. |
    • cua - use agent SDK using Linux containers and QEMU-inside-Docker for full desktop environment isolation. See also the [qemu-docker library](https://github.com/trycua/cua/tree/699350bfba66ba8a0186ed9c98c8b084b32462be/libs/qemu-docker). |
    • goose + boxlite discussion - based sandboxing into Block's goose agent framework. |
    • Rover Sandbox - focused agent framework. See also the [sandbox implementation code](https://github.com/endorhq/rover/tree/171a5b0eb277f2f1029062167a762a7f14a9b184/packages/cli/src/lib/sandbox). |
    • Veto (Ona) - addressable | Content-addressable kernel enforcement using BPF LSM: blocks executables by SHA-256 hash of binary content (not path), pre-execution with no TOCTOU gap. The [deep dive on agent evasion of path-based controls](https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox) is a good read for anyone working with `bubblewrap`. |
    • ExitBox - sandboxes](https://github.com/datalayer/code-sandboxes), [Kilntainers](https://github.com/Kiln-AI/Kilntainers) (MCP server routing agent tool calls to Docker/Podman, E2B, Modal, or WASM sandboxes — the agent communicates with the sandbox over MCP so credentials never enter it), [nanoclaw](https://github.com/qwibitai/nanoclaw), [yolobox](https://github.com/finbarr/yolobox), [agentbox](https://github.com/rcarmo/agentbox), [construct-cli](https://github.com/EstebanForge/construct-cli), and [ctenv](https://github.com/osks/ctenv) all rely on standard Linux container isolation. [try](https://github.com/binpash/try) and [usand](https://github.com/richfelker/usand) use Linux namespaces via `unshare` to let commands run in a contained environment. [nsjail](https://nsjail.dev/) is Google's lightweight process isolation tool combining Linux namespaces, cgroups, and seccomp-bpf. [sandbox (Cloudflare)](https://github.com/cloudflare/sandbox) provides a seccomp library for syscall filtering. [systemd's exec security settings](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html) and [setpriv](https://github.com/util-linux/util-linux/blob/master/sys-utils/setpriv.1.adoc) serve as convenient declarative frontends for composing namespaces, seccomp, and capabilities.
    • Landlock - lsm/island) is the go-to sandbox tool. [landrun](https://github.com/Zouuup/landrun) and [rstrict](https://github.com/creslinux/rstrict) are CLI tools for restricting process access. [Litterbox](https://litterbox.work/) combines Landlock with Linux namespaces, and [Cursor Agent Sandboxing](https://cursor.com/blog/agent-sandboxing) uses Landlock, noting 40% fewer approval interruptions after teaching agents about their sandbox constraints.

  • Provenance, Instrumentation & Observability

    • AgentSight (eBPF) - based observability tool providing kernel-level tracing of agent runtime behavior without modifying the agent code. |
    • gryph - trail | Local-first audit trail for AI coding agents that hooks into tool calls and logs every file read/write and command execution. |
    • tapes - addressable | Transparent agentic telemetry proxy (same author as stereOS): intercepts agent↔inference API traffic, stores every session as content-addressable turns in SQLite with vector embeddings, OpenTelemetry instrumentation, deterministic replay via session checkout, and semantic search across conversation history. |
    • Agent Governance Toolkit - language (Python, TypeScript, .NET). |
    • sage - based reputation APIs, local YAML threat heuristics, and supply-chain package analysis. |
    • aflock - toto, provenance, policy | Signed policy files that constrain agent behavior and produce verifiable attestations derived from model, environment, tools, policy, and parent. Facilitates key separation, SPIFFE-modeled workload attestation, and in-toto-inspired sublayouts for delegated sub-agent constraints. |
    • SentinelGate - platform userspace firewall for AI agents that intercepts MCP tool calls (as an aggregating proxy), shell commands, file access, and HTTP requests, enforcing RBAC and CEL-powered policies (same engine as Kubernetes/Envoy) |
    • cupcake
    • mandible - agent coordination framework with built-in cryptographic provenance: bridge attestations create linked chains of custody across environments. Seeks to implement output-level provenance and causal lineage tracking as first-class primitives. |
    • AgentSentinel - time defense framework for monitoring and constraining agent behavior using eBPF instrumentation. See also the [research paper](https://arxiv.org/abs/2509.07764). |
    • membrane - filtering | Agent-agnostic sandbox with eBPF tracing (via Tracee sidecar) logging all file, network, and process activity as structured JSONL, hostname-allowlisted egress filtering with continuous DNS refresh, filesystem masking/read-only patterns, and unprivileged Docker-in-Docker via Sysbox. |
    • agentgateway
    • rover (instrumentation) - focused agent framework with built-in tracing, policy enforcement, and sandboxed tool execution. |
    • ClawShield - in-depth security proxy for AI agents with optional eBPF syscall monitoring, note the cross-layer event bus that helps tighten policies across layers. |
    • carapace - proxy, MCP | Cedar policy enforcement for AI agents with an LLM proxy that intercepts model responses and strips denied tool calls before the agent sees them — the agent never holds the real API key. Gates MCP tools, shell commands, and API domains via Cedarling WASM (<6ms). See also [OVID-ME](https://github.com/clawdreyhepburn/ovid-me), the mandate evaluation layer for delegated agent authority: Cedar policies in JWT `authorization_details` (RFC 9396 RAR), SPIFFE-style Ed25519 signature chains with stepwise scope narrowing enforced via SMT subset proofs, and an AuthZEN-compliant PDP. |
    • ibac - parsing, policy | Intent-Based Access Control: derives per-request FGA tuples from the user's stated intent (one extra LLM call), then checks them against OpenFGA before every tool invocation (~9ms). Default-deny, no framework changes. 100% injection blocking on AgentDojo (strict mode). |
    • Arize Phoenix Tracing
    • agentry - to-agent interactions. |
    • dapr-a2a - to-Agent protocol providing service mesh-style observability and policy for inter-agent communication. |
    • toolhive provenance
    • Virtual MCP Server (Stacklok)

  • Agent Identity & Credentials

    • DIF Trusted Agents WG
    • Progressive Authentication - SQL Safety Envelopes](https://openreview.net/forum?id=7c1S9NWmq5), [Permission Protocol](https://github.com/permission-protocol/docs) — fail-closed authority receipts for agent actions with SHA-256 input hashing, human-in-the-loop escalation, and CI gate templates
    • FAPI / RAR (RFC 9396) - JWT (RFC 9901)](https://datatracker.ietf.org/doc/rfc9901/), [AAuth](https://github.com/dickhardt/AAuth) — IETF Internet-Draft from Dick Hardt (author of OAuth 2.0) defining an agent-native auth protocol with three token types (agent/resource/auth), proof-of-possession, deferred authorization responses, and cross-domain federation between auth servers ([full implementation demo](https://blog.christianposta.com/aauth-full-demo/) with Keycloak + Agentgateway), [Verifiable Intent](https://github.com/agent-intent/verifiable-intent) — Mastercard/Google open spec using three-layer SD-JWT delegation chains (issuer → user → agent) with 8 machine-enforceable constraint types for agent commerce authorization ([blog post](https://shanedeconinck.be/posts/mastercard-verifiable-intent-agents-can-prove-what-you-approved/), [site](https://verifiableintent.dev/)), [AI Agent Auth and Authz (IETF)](https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/) — Internet-Draft composing WIMSE, OAuth 2.0, Transaction Tokens, and HTTP Message Signatures into a coherent agent auth framework, [CAAM (IETF)](https://datatracker.ietf.org/doc/html/draft-barney-caam-00) — sidecar-based Contextual Agent Authorization Mesh defining a Session Context Object (JWT/CWT with `ctx` claim) that bridges SPIFFE workload identity and IPSIE human identity with ReBAC, RATS attestation, and purpose-bound delegation, [Transaction Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/), [CAEP and SSF](https://sgnl.ai/whitepaper/caep-best-practices/), [JWT Authorization Grants in MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/1947), [Token Exchange in MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/214)
    • WIMSE - computing/twi), [CoSAI Remote Attestation](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/blob/mcp/model-context-protocol-security.md#324-cryptographic-integrity-and-remote-attestation)
    • AuthZEN - started/automated-least-privilege)
    • Trust over IP - labs.github.io/verifiable-trust-spec/), [TRQP](https://www.lfdecentralizedtrust.org/blog/toip-announces-public-review-02-of-the-trust-registry-query-protocol-trqp-specification-v2.0), [Anonymous Credentials (ARC)](https://datatracker.ietf.org/doc/draft-yun-cfrg-arc/)
    • Inter-Agent Trust Models - model/blob/main/draft/0.1/pic-model.md) ([edge simulation](https://somethingsubtle.com/projects/vdabbling-edge-identity-pic-protocol/)), [Agent Identity Protocol (AIP)](https://github.com/openagentidentityprotocol/agentidentityprotocol) — open standard proposed to IETF with cryptographic agent identity, AAT tokens, revocation, and policy enforcement ([Go SDK](https://github.com/openagentidentityprotocol/aip-go)), [opena2a agent-identity-management](https://github.com/opena2a-org/agent-identity-management), [Specification Compendium (naftiko)](https://github.com/naftiko-capabilities/interfaces), [CSA Agentic AI IAM Whitepaper](https://cloudsecurityalliance.org/artifacts/agentic-ai-identity-and-access-management-a-new-approach), [AGBAC](https://github.com/kahalewai/agbac) with [reference implementation](https://github.com/kahalewai/dual-auth).
    • Andrew Green's overview of agent auth solutions
    • DCR for MCP - mcp-oauth-clients-with-spiffe/), [Verifiable Credentials for AI](https://blog.identity.foundation/building-ai-trust-at-scale/), [Continuous Authorization](https://www.linkedin.com/pulse/identity-security-mcp-agents-four-layer-continuous-model-poreddy-mpnvc/), [Delegated Authorization](https://glama.ai/blog/2025-11-27-securing-enterprise-ai-agents-with-unique-identities-in-the-model-context-protocol-mcp), [Delegation patterns](https://blog.christianposta.com/agent-identity-impersonation-or-delegation/), [Cedar delegation for OpenClaw subagents](https://www.windley.com/archives/2026/03/delegation_as_data_applying_cedar_policies_to_openclaw_subagents.shtml), [Riptides](https://riptides.io/blog-post/introducing-riptides-conditional-access-fine-grained-time-aware-security-policies), [Encoding User Intent](https://www.linkedin.com/pulse/complexity-encoding-user-intent-agentic-ai-systems-george-fletcher-xuape/), [ID-JAG](https://www.linkedin.com/pulse/mcp-focus-providing-flexibility-cross-application-atul-tulshibagwale-xvekc/), [OAuth Limitations for Agents](https://kontext.dev/blog/oauth-for-mcp-agents), [Qualified VDRs](https://medium.com/spherity/qualified-verifiable-data-registries-qvdr-as-the-foundational-component-of-digital-public-7a698acfd020), [Agents and Payments Identity](https://sphericalcowconsulting.com/2025/12/23/web-payments-and-digital-identity/), [Ambient Mesh](https://www.linkedin.com/pulse/trust-model-ambient-mesh-microsegmentation-async-flows-nicola-gallo-uplef/), [Token-Based Access Control](https://www.linkedin.com/pulse/mobile-multi-token-challenge-mike-schwartz-nlxtc/), [Applicability of Standards](https://www.authlete.com/developers/api_protection/), [Chaining and Nesting for Lineage](https://www.youtube.com/watch?v=EiemfsbUtgs), and [FGA for Agent Authorization](https://workos.com/blog/agents-need-authorization-not-just-authentication).

  • References

    • Risks & mitigations frameworks

      • SAFE-MCP - oasis/ws4-secure-design-agentic-systems/blob/mcp/model-context-protocol-security.md), [SoK: MCP Ecosystem Security](https://arxiv.org/abs/2512.08290), [Enterprise MCP Security Frameworks](https://arxiv.org/abs/2504.08623), [Securing MCP: Risks, Controls, Governance](https://arxiv.org/abs/2511.20920), [MCP Server Security Standard](https://github.com/mcp-security-standard/mcp-server-security-standard), [SEP-1933: Workload Identity Federation for MCP](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/1933) — open PR proposing SPIFFE-style workload identity as an optional MCP extension
      • OWASP Top 10 Agentic - ai-agent-security/), [AWS Agentic AI Security Matrix](https://aws.amazon.com/blogs/security/the-agentic-ai-security-scoping-matrix-a-framework-for-securing-autonomous-ai-systems/), [AARTS](https://github.com/gendigitalinc/aarts/blob/main/standard.md) — open standard (v0.1 draft) defining lifecycle hook points, a common data model, and behavioral requirements so security vendors can provide consistent, feature-parity protection across all compliant agent host platforms (IDEs, frameworks, orchestrators), [Attack and Defense Landscape of Agentic AI](https://arxiv.org/abs/2603.11088) — comprehensive survey (USENIX Security 2026) cataloging 51 attack methods and 60 defenses from 128 papers, with 7 design dimensions that determine attack surface and a cascading risk model from entry points through model failures to real-world consequences (see also the [Weather Report analysis](https://theweatherreport.ai/posts/agentic-ai-attack-defense/)), [AARM: Autonomous Action Runtime Management](https://arxiv.org/abs/2602.09433) — open specification formalizing runtime interception of agent actions with threat models for prompt injection, confused deputy, and intent drift, plus four implementation architectures (protocol gateway, SDK instrumentation, kernel eBPF, vendor integration)
      • Security of AI Agent Communication Protocols - driven case study on wrong-provider tool execution
      • CoSAI Crypto Verification of Resources - oasis/ws1-supply-chain/blob/main/signing-ml-artifacts.md), [SAFE-M-2 Tool Description Integrity](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-2/README.md), [SAFE-M-30 Data Source Integrity](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-30/README.md), [SAFE-M-34 Model Integrity](https://github.com/SAFE-MCP/safe-mcp/blob/main/mitigations/SAFE-M-34/README.md)
      • Atlas ML Provenance - cli)), [OpenSSF GPU Model Integrity](https://github.com/ossf/ai-ml-security/issues/41), [OpenSSF Model Lifecycle Provenance](https://github.com/ossf/ai-ml-security/issues/40)

    • Linux security technologies

Programming Languages
Go 12 Rust 10 Python 4 TypeScript 2 C 2
Categories
Sandboxing & Isolation 46 Provenance, Instrumentation & Observability 21 Secrets Management & Isolation 12 Agent Identity & Credentials 9 References 7
Sub Categories
Risks & mitigations frameworks 5 Linux security technologies 2
Keywords
sandbox 7 ai-agents 6 security 5 ai 4 rust 4 seccomp 3 claude-code 3 microvm 3 llm 3 linux 3 firecracker 2 credentials 2 ebpf 2 kvm 2 openclaw 2 agentic-ai 2 containers 2 vm 2 gcp 2 landlock 2 vmm 1 linux-containers 1 user-namespaces 1 terraform 1 3rd-party 1 bpftrace 1 dtrace 1 import 1 profiling 1 python 1 rce 1 security-tools 1 aws 1 azure 1 devops 1 pgp 1 secret-distribution 1 secret-management 1 sops 1 docker 1 kernel 1 kubernetes 1 oci 1 code-interpreter 1 consul 1 devtools 1 go 1 golang 1 gpt 1 nomad 1