The Capability-Container Pattern: Infrastructure-Level Security for Autonomous AI Agents
Description
Autonomous AI agents that invoke external tools via protocols like MCP (Model Context Protocol) present a novel attack surface: the agent-tool boundary. Existing frameworks rely on prompt-level safeguards or protocol-level trust, both of which are insufficient against adversarial inputs, tool poisoning, and credential leakage. We present the Capability-Container Pattern, an infrastructure-level security architecture where agents never directly access tools. All tool invocations flow through a mediation gateway into isolated containers, each provisioned with only the capabilities it requires. We describe the threat model, detail six defense-in-depth layers (container isolation, network egress filtering, credential vaults, audit logging, secret scanning, and human-in-the-loop gates), and provide benchmark results from a reference implementation (Harombe). Our evaluation uses a 1,534-sample corpus with Clopper-Pearson confidence intervals. Gateway logic overhead is ~0.025 ms (0.005% of LLM inference latency), with 100% secret detection rate (CI: [0.996, 1.000]), F1 = 0.991 vs. 0.779 for detect-secrets, and 0.19% false positive rate. The pattern provides defense coverage for 6/7 reconstructed 2025 MCP breach scenarios. All benchmarks use synthetic test data; no external red team evaluation was conducted.
Files
capability-container-pattern-2026.pdf
Files
(522.3 kB)
| Name | Size | Download all |
|---|---|---|
|
md5:cde0421a55ea404ee4d62f7e1d7a3069
|
522.3 kB | Preview Download |
Additional details
Software
- Repository URL
- https://github.com/smallthinkingmachines/harombe
- Programming language
- Python
- Development Status
- Active