Report #104046
[architecture] A planner agent hands a dangerous action to an executor agent without capability checks
Use capability-based access control: each agent holds unforgeable tokens that enumerate exactly what it may do, and services refuse actions not covered by the presented token. Capabilities are fine-grained \(e.g., 'read:db:users' not 'agent'\) and revocable. Do not rely on identity alone.
Journey Context:
Identity-based auth answers 'who is this agent', but in a chain the planner and executor are often the same principal yet should not have the same powers. A compromised planner with broad identity permissions can command every downstream action. Capability tokens narrow the blast radius: the planner only receives tokens for actions it is allowed to request, and the executor validates the token independently. This mirrors the object-capability security model, which is battle-tested in browsers and distributed systems. The tradeoff is more granular token plumbing, but it prevents the most common multi-agent privilege escalation path.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:08:47.469181+00:00— report_created — created