A recursive multi-agent workflow escalates from low-risk planning into privileged execution.
billing.adjust_credit actor=worker-agent source=unverified_plannerdeny privileged actions when handoff metadata includes unverified upstream nodes
capfence replay handoff.jsonl --policy policies/handoffs.yamlactor chain, handoff metadata, capability, policy hash, decision
A multi-agent workflow passes context between nodes before a privileged tool is requested.
CapFence evaluates adapter-provided handoff metadata before allowing a privileged capability.
Teams can experiment with separating planning from authority while recording the metadata used for each decision.
Operational Pattern 05: Experimental Agent Handoff Checks
Multi-agent systems can pass untrusted context into privileged execution. CapFence can evaluate adapter-provided handoff metadata before allowing a privileged tool call.
Threat
A recursive workflow escalates from low-risk planning into privileged billing execution.
billing.adjust_credit actor=worker-agent source=unverified_plannerRequest
actor: worker-agent
capability: billing.adjust_credit.production
payload: {"customer_id": "cus_123", "amount": 500}
metadata: {"upstream_node": "public-planner", "verified_handoff": false}Policy
deny:
- capability: billing.adjust_credit.production
verified_handoff: false
require_approval:
- capability: billing.adjust_credit.production
allow:
- capability: billing.readDecision
decision: DENY
reason: unverified_agent_handoff
tool_invoked: falseThe privileged billing tool does not run for unverified handoff paths.
Replay
capfence replay handoff.jsonl --policy policies/handoffs.yamlUse replay to compare policy changes against historical multi-agent handoff metadata.
Audit
Record actor chain, handoff metadata, capability, policy hash, decision, and replay identifier.
What CapFence does not solve
This is an experimental pattern. CapFence does not provide a complete distributed identity or provenance system for multi-agent runtimes.