Datascifer/capability-proxy
capability-proxy

Minimal capability-enforcing execution proxy with a hybrid intent firewall.

What it does

Every tool call passes through:

  1. Normalization (canonical paths, basic input shaping)
  2. Deterministic rules (hard gate)
  3. Optional risk assessor (advisory only; may only tighten outcomes)
  4. Conservative combiner (monotone tightening)
  5. Execution (prototype local executor)
  6. JSONL audit logging

Motivation

Modern autonomous systems often mix:

  • Planning logic

  • External tool execution

  • Filesystem access

  • Stateful decision-making

When authority and planning are not separated, the system effectively grants a probabilistic planner direct access to the operating system.

This project exists to enforce a structural boundary:

  • Planning is not authority. Execution is not implicit.

Every action must pass through explicit capability validation before it reaches the system boundary.

Typical Agent Architecture (Without a Proxy)

Many agent systems follow this pattern:

LLM
   ↓
Tool selection
   ↓
Execute tool
   ↓
Return result
   ↓
Repeat

If execution is directly wired to tool selection, then:

  • The planner effectively has ambient authority.

  • All safety depends on prompt conditioning.

  • Injection risk propagates into execution.

With a Capability Proxy

The architecture becomes:

Agent (OpenClaw / Moltbot)
   ↓
Structured ToolCall
   ↓
Capability Proxy (this repo)
   ↓
Decision (ALLOW / DENY / ESCALATE)
   ↓
Executor

Design Goals

  • Least privilege by construction

  • Deterministic enforcement first

  • Monotone decision tightening (never loosen constraints)

  • Structured tool calls only (no raw shell execution)

  • Append-only audit trail

  • Small, readable codebase

This is a reference implementation — not a full sandbox runtime.

Architectural Model

All actions flow through the following pipeline:

ToolCall
   ↓
Normalization
   ↓
Deterministic Rule Engine (hard gate)
   ↓
Optional Assessor (advisory only)
   ↓
Conservative Combiner
   ↓
Execution
   ↓
Audit Log

Key Invariants

  • Unknown tools are denied.

  • Paths are canonicalized before evaluation.

  • All decisions are explicit (ALLOW, ALLOW_WITH_GUARDRAILS, ESCALATE, DENY).

  • Advisory components may only tighten decisions.

  • No component may override a hard denial.

  • Delete operations are soft-delete only in v0.1.
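The pipeline and invariants above, as an added toy example that is not the project's own code: the Decision ordering, the function names, the tool set and the /tmp/workspace root are assumptions for illustration, and the real capproxy implementation may differ.

```python
# Added example (not the project's code): a minimal version of the
# normalize -> hard gate -> advisory assessor -> monotone combiner pipeline.
import os
from enum import IntEnum

class Decision(IntEnum):
    # Ordered by strictness so "tighten" is simply max().
    ALLOW = 0
    ALLOW_WITH_GUARDRAILS = 1
    ESCALATE = 2
    DENY = 3

# Assumed workspace root; realpath() so symlinked /tmp (e.g. macOS) still matches.
WORKSPACE = os.path.realpath("/tmp/workspace")
KNOWN_TOOLS = {"read_file", "write_file", "list_dir", "delete_file"}

def normalize(call):
    """Canonicalize the path so '..' and symlink tricks are resolved before rules run."""
    call = dict(call)
    if "path" in call:
        call["path"] = os.path.realpath(os.path.join(WORKSPACE, call["path"]))
    return call

def deterministic_rules(call):
    """Hard gate: unknown tools and paths outside the workspace are denied."""
    if call.get("tool") not in KNOWN_TOOLS:
        return Decision.DENY
    path = call.get("path", WORKSPACE)
    if os.path.commonpath([WORKSPACE, path]) != WORKSPACE:
        return Decision.DENY
    if call["tool"] == "delete_file":
        return Decision.ALLOW_WITH_GUARDRAILS  # soft-delete only
    return Decision.ALLOW

def combine(hard, advisory):
    """Conservative combiner: advisory input may tighten, never loosen,
    and nothing overrides a hard denial."""
    if hard == Decision.DENY:
        return Decision.DENY
    return max(hard, advisory)

def evaluate(call, assessor=None):
    """Run one ToolCall through the pipeline; assessor is an optional callable."""
    call = normalize(call)
    hard = deterministic_rules(call)
    advisory = assessor(call) if assessor else Decision.ALLOW
    return combine(hard, advisory)
```

Because Decision is an IntEnum, a lenient assessor cannot lower the outcome below the rule engine's result, which is the whole monotonicity guarantee in one `max()`.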

Quickstart

python -m venv .venv
source .venv/bin/activate
pip install -e .

# create a sample workspace
mkdir -p /tmp/workspace/tmp
echo "hi" > /tmp/workspace/hello.txt

# run example calls
capproxy --token examples/token.json --call examples/calls/read_file.json
capproxy --token examples/token.json --call examples/calls/write_file.json
capproxy --token examples/token.json --call examples/calls/list_dir.json
