Abstract

Modern LLM "agent" runtimes expose a set of powerful tools — shell execution, file writes, edits, notebook mutation, sub-agent spawning — to a model that decides, from natural language, which tools to invoke. When such a runtime is reachable from an untrusted channel (an inbound email address, a public webhook, a chat integration), the tool surface becomes an attack surface: a single misconfiguration that leaves a mutating tool reachable converts a "read-only diagnostics" feature into remote code execution. This publication discloses a concrete, enabling mechanism that makes such a misconfiguration structurally impossible for the restricted channel: a monotone-narrowing multi-layer tool-capability downgrade. The capability set can only ever narrow as a request travels across three trust boundaries — (1) an immutable, frozen read-only floor intersected with operator configuration; (2) a mid-path assertion that fails closed on an empty or forbidden set; and (3) an agent-SDK dual gate that distinguishes the auto-approve list from the real availability gate and simultaneously installs the availability gate, a defensive deny list, a hard programmatic deny closure, and a coerced non-mutating permission mode. A fourth practice pins boundary tests to the actual options object handed to the SDK, catching the specific defect where a restriction expressed only on the approval channel leaves mutating tools live. The novelty claimed is the composed invariant, not any individual allowlist. This document establishes dated, public, enabling prior art.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS