Prompt injection or context drift causes a treasury agent to transfer funds to an unknown account.
payments.transfer amount=50000 destination=unknown_accountdeny unknown destinations; require approval above threshold
capfence replay audit.jsonl --policy policies/payments.yamlactor, amount, destination, policy hash, approval state, decision
A treasury-style agent prepares payment requests while high-value transfers stay behind explicit policy and approval checks.
CapFence runs between the agent workflow and the payment gateway, evaluating amount, destination, environment, risk, and approval state before the API call is released.
Low-risk transfers keep moving, threshold breaches route to human approval, and clear exfiltration attempts are denied with an audit record.
Operational Pattern 01: Payment Threshold Authorization
Payment agents can create real financial side effects. CapFence sits before the payment API and evaluates the requested transfer before money moves.
Threat
A treasury agent receives adversarial instructions and attempts to transfer corporate funds to an unknown account.
payments.transfer amount=50000 destination=unknown_accountRequest
actor: treasury-agent
capability: payments.transfer.production
payload: {"amount": 50000, "destination": "unknown_account"}
environment: productionPolicy
deny:
- capability: payments.transfer.production
destination: unknown_account
require_approval:
- capability: payments.transfer.production
amount_gt: 1000
allow:
- capability: payments.transfer.production
amount_lte: 1000Decision
decision: REQUIRE_APPROVAL
reason: amount_threshold_exceeded
tool_invoked: falseThe payment API does not receive the transfer until a scoped approval exists.
Replay
capfence replay audit.jsonl --policy policies/payments.yamlUse replay to test whether a stricter policy would have denied previous transfers to unknown destinations.
Audit
Record the actor, amount, destination, policy hash, approval state, decision, and replay identifier.
What CapFence does not solve
CapFence does not replace bank-side controls, payment provider risk scoring, credential scoping, or fraud review. It controls the agent execution path before the payment API is called.