Capframe – capability tokens for AI agent tool calls
Macaroon-style tokens for AI agents solve the excessive agency problem better than prompt engineering.

Per-action tokens replace static session permissions—blocks agents mid-task if behavior drifts.
Teams deploying AI agents with sensitive permissions
Pomerium · Open Policy Agent · HashiCorp Boundary
We've developed an architecture that does two things: 1) instead of setting a sandbox for a session and leaving it in place, dynamically scoping the sandbox to cover the minimum subset of capabilities and file accesses that are needed for solving a particular problem set by the user, and continuously moving that sandbox to be in line with what the user wants. Think of this as, instead of a large stationary box, being a smaller, faster, moving container around the agent; 2) monitoring strictly speaking benign behavior (accepted tool calls, accepted file access) for suspicious behavior, borrowing techniques my partner and I developed in AML research. Together, those components have been able to mitigate almost every common attack class against models that we've evaluated so far.
Our system has performed very well on open benchmarks and data we've been able to evaluate it on, but our goal is to evaluate it on production data. We hope to release a paper/open-source project as an output of this, but really need production data to verify that our method works as well on real production data as it does on open benchmarks.
If you're interested in testing it, we'd love it if you signed up for our waitlist.
Thank you, and hope to hear from you!
Macaroon-style tokens for AI agents solve the excessive agency problem better than prompt engineering.
Deterministic agent governance with capability tokens beats probabilistic guardrails.
IFC + capabilities block prompt injection at execution sinks, not input filters—40yr research applied.
Sandbox agents via natural-language policy, not ambient authority—genuinely novel approach.
Eight-layer governance pipeline for agents when LangChain just executes blindly.
Natural language policies block risky agent actions before they execute.