Another week, another agent "allowlist" bypass.
Been prototyping a "prepared statement" pattern for agents: signed capability warrants that deterministically constrain tool calls regardless of what the prompt says. Prompt injection corrupts intent, but the warrant doesn't change.
Interesting. Are you focused on the delegation chain (how capabilities flow between agents) or the execution boundary (verifying at tool call time)? I've been mostly on the delegation side.
Working on this at github.com/tenuo-ai/tenuo. Would love to compare approaches. Email in profile?
Curious if anyone else is going down this path.
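As an added illustration of the "prepared statement" idea discussed in this thread (not code from the tenuo project or from any poster here), the following sketch shows both sides raised above: the delegation chain, where each hop can only add restrictions, and the execution boundary, where the tool runner checks the warrant at call time without consulting the prompt. It assumes a macaroon-style HMAC chain (each tag is HMAC of the previous tag over the new caveat, so only the root-key holder can verify and nobody downstream can drop a caveat); the root key, warrant id, caveat kinds (`tool`, `arg`) and tool names are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key: in practice it lives only with the issuer, which is also the
# verifier at the execution boundary. Delegates never see it.
ROOT_KEY = b"constructed-demo-root-key"


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _encode(caveat: dict) -> bytes:
    # Canonical encoding so issuer and verifier hash identical bytes.
    return json.dumps(caveat, sort_keys=True, separators=(",", ":")).encode()


def mint(root_key: bytes, warrant_id: str) -> dict:
    """Issuer creates an unrestricted warrant; every later holder can only narrow it."""
    return {"id": warrant_id, "caveats": [], "sig": _mac(root_key, warrant_id.encode()).hex()}


def attenuate(warrant: dict, caveat: dict) -> dict:
    """Delegation step. The new tag is HMAC(previous tag, caveat), so a holder can add
    restrictions but cannot remove or loosen earlier ones without the root key."""
    new_sig = _mac(bytes.fromhex(warrant["sig"]), _encode(caveat))
    return {"id": warrant["id"], "caveats": warrant["caveats"] + [caveat], "sig": new_sig.hex()}


def verify_chain(root_key: bytes, warrant: dict) -> bool:
    """Recompute the whole chain from the root key and compare in constant time."""
    sig = _mac(root_key, warrant["id"].encode())
    for caveat in warrant["caveats"]:
        sig = _mac(sig, _encode(caveat))
    return hmac.compare_digest(sig, bytes.fromhex(warrant["sig"]))


def caveat_holds(caveat: dict, tool: str, args: dict) -> bool:
    """Evaluate one restriction against the concrete tool call. Unknown kinds fail closed."""
    kind = caveat.get("kind")
    if kind == "tool":
        return tool == caveat.get("name")
    if kind == "arg":
        value = args.get(caveat.get("name"))
        if not isinstance(value, str):
            return False
        if "equals" in caveat:
            return value == caveat["equals"]
        if "suffix" in caveat:
            return value.endswith(caveat["suffix"])
        if "prefix" in caveat:
            return value.startswith(caveat["prefix"])
    return False


def authorize(root_key: bytes, warrant: dict, tool: str, args: dict) -> tuple[bool, str]:
    """Execution boundary: called by the tool runner, never by the model. The prompt and
    the model's stated intent are not inputs here; only the warrant and the call are."""
    if not verify_chain(root_key, warrant):
        return False, "bad signature"
    for caveat in warrant["caveats"]:
        if not caveat_holds(caveat, tool, args):
            return False, "caveat failed: " + _encode(caveat).decode()
    return True, "ok"


def build_delegated_warrant() -> dict:
    """Constructed delegation chain: issuer -> orchestrator -> email sub-agent."""
    root = mint(ROOT_KEY, "task-42")  # constructed warrant id
    orchestrator = attenuate(root, {"kind": "tool", "name": "send_email"})
    sub_agent = attenuate(orchestrator, {"kind": "arg", "name": "to", "suffix": "@example.com"})
    return sub_agent


def demo() -> dict:
    w = build_delegated_warrant()
    # A holder that strips the recipient restriction ends up with a chain that no longer verifies.
    tampered = {"id": w["id"], "caveats": w["caveats"][:1], "sig": w["sig"]}
    return {
        "legit": authorize(ROOT_KEY, w, "send_email", {"to": "alice@example.com"}),
        "injected_recipient": authorize(ROOT_KEY, w, "send_email", {"to": "attacker@evil.example"}),
        "injected_tool": authorize(ROOT_KEY, w, "delete_files", {"path": "/"}),
        "stripped_caveat": authorize(ROOT_KEY, tampered, "send_email", {"to": "x@evil.example"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The point of the layout is that `authorize` takes no text from the model at all: a prompt injection can change what the agent asks for, but the only way to widen what is allowed is to hold the root key. Swapping the HMAC chain for public-key signatures (so delegates can be verified by parties other than the issuer) is a separate design choice that this sketch does not cover.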