Abstract

A production AI agent runtime routinely serves several audiences at once: authenticated engineers with broad tool access, authenticated business users with narrower app-action tools, and — increasingly — completely anonymous website visitors. Building a separate runtime per audience duplicates safety-critical code and invites drift; building one runtime with audience checks scattered through the request path produces a surface no reviewer can bound. This publication discloses a third design: a single runtime whose every security-relevant decision is derived from one declarative scope contract object. The contract binds authentication mode, identity source, tool-resolution policy, model set, system-prompt source, per-tier budgets (rate, iteration cap, timeout), and a bot-challenge gate. Two mechanisms make the anonymous tier safe. First, identity synthesis: for an unauthenticated scope the runtime fabricates a principal from a browser-issued UUID and marks it synthetic, so downstream RBAC and audit code paths run unchanged while every user-store lookup short-circuits. Second, a registry-fail-closed tool surface: when a scope's tool policy is gatekeeper-scope, tools are resolvable only through a central registry keyed by scope id, and resolution returns the empty set if the registry is absent — code drift can never widen the surface. The runtime also selects one of two provider wire-shapes (Anthropic content-blocks vs. OpenAI/vLLM toolcalls) from the contract, applies tier-differentiated loop caps and timeouts, and resolves virtual model ids at the edge. This document is enabling and dated; it is intended to bar patents on the disclosed mechanism.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS