Published February 11, 2026 | Version v1

The Capability-Container Pattern: Infrastructure-Level Security for Autonomous AI Agents

  • 1. studio1804

Description

Autonomous AI agents that invoke external tools via protocols like MCP (Model Context Protocol) present a novel attack surface: the agent-tool boundary. Existing frameworks rely on prompt-level safeguards or protocol-level trust, both of which are insufficient against adversarial inputs, tool poisoning, and credential leakage. We present the Capability-Container Pattern, an infrastructure-level security architecture where agents never directly access tools. All tool invocations flow through a mediation gateway into isolated containers, each provisioned with only the capabilities it requires. We describe the threat model, detail six defense-in-depth layers (container isolation, network egress filtering, credential vaults, audit logging, secret scanning, and human-in-the-loop gates), and provide benchmark results from a reference implementation (Harombe). Our evaluation uses a 1,534-sample corpus with Clopper-Pearson confidence intervals. Gateway logic overhead is ~0.025 ms (0.005% of LLM inference latency), with 100% secret detection rate (CI: [0.996, 1.000]), F1 = 0.991 vs. 0.779 for detect-secrets, and 0.19% false positive rate. The pattern provides defense coverage for 6/7 reconstructed 2025 MCP breach scenarios. All benchmarks use synthetic test data; no external red team evaluation was conducted.

Files

capability-container-pattern-2026.pdf

Files (522.3 kB)

Name Size Download all
md5:cde0421a55ea404ee4d62f7e1d7a3069
522.3 kB Preview Download

Additional details

Software

Repository URL
https://github.com/smallthinkingmachines/harombe
Programming language
Python
Development Status
Active