Complete Capability Map

This page consolidates the full implemented scope of PRECINCT across runtime enforcement, identity, policy, secrets, observability, compliance, and operational validation. Every item below maps to live code paths and executable proof commands.

Capability Snapshot

13-Layer Runtime Chain

End-to-end request governance from ingress controls through late-binding token substitution.

Runtime Enforcement

5 Governed Planes + RLM

Model, Tool, Context, Loop, and Ingress planes with dedicated policy engines, plus a cross-cutting RLM governance engine for multi-agent lineage tracking.

Policy Architecture

Dual Deployment Modes

Production-intent behavior validated in both Docker Compose and Kubernetes workflows.

Portable Deployment

Live Adapter Coverage

Reference port adapter with HTTP + WebSocket + webhook paths enforced through gateway policy.

App Integration

Extended Capabilities

New defense layers inspired by the Research threat research. These capabilities extend the existing 13-layer chain with targeted mitigations for cross-channel manipulation, data integrity attacks, and gradual escalation patterns.

Communication Channel Mediation

Protocol-aware adapters for Discord and Email that route all agent communication through the gateway enforcement chain, preventing agent-to-agent bypass via unmonitored channels.

  • Discord: /discord/send (outbound), /discord/webhooks (inbound), /discord/commands
  • Email: /email/send (outbound with DLP), /email/read (inbound, auto-classifies sensitive content)
  • Prevents agent-to-agent loops and libelous mass broadcast (Case Studies #4, #11)
Related threat defenses Channel Security

Data Source Integrity Registry

Content-hash verification for external data sources consumed by agents. Detects rug-pull attacks where previously trusted configuration or data sources are silently modified.

  • DataSourceDefinition with SHA-256 content_hash verification
  • MutablePolicy modes: block_on_change, flag_on_change, allow
  • Detects external config corruption (Case Study #10)
Gateway request processing Data Integrity

Escalation Detection

Cross-session tracking of cumulative escalation patterns. Detects gradual privilege creep where individually benign requests combine into a dangerous escalation trajectory.

  • EscalationScore: contribution = Impact x (4 - Reversibility)
  • Thresholds: Warning ≥ 15, Critical ≥ 25, Emergency ≥ 40
  • Detects gradual escalation and gaslighting (Case Studies #1, #7)
Defense mapping Behavioral Analysis

Principal Hierarchy

Six-level trust hierarchy that maps SPIFFE identities to authorization principals, enabling owner-only operations and tiered access control based on agent classification.

  • Levels: System > Operator > Trusted Agent > Standard Agent > Restricted Agent > Unknown
  • SPIFFE-to-role resolution from path patterns
  • Enforces owner-only operations (Case Study #2)
Middleware chain In Development

Irreversibility Gating

Automatic classification of action reversibility with step-up authorization for destructive operations. Prevents irreversible actions from executing without elevated approval.

  • Four tiers: Low (read) / Medium (create) / High (modify) / Critical (delete)
  • Automatic step-up for Critical actions
  • Prevents irreversible destructive actions (Case Studies #6, #16)
Step-up gating In Development

Multi-Agent Governance

PRECINCT includes comprehensive multi-agent governance capabilities: a full loop state machine, a cross-cutting RLM (Recursive Lineage Manager) governance engine, context memory tiering, CLI tool security adapters, ingress connector envelope validation, and an admin API for operator-level loop control.

RLM Governance Engine

Tracks multi-agent lineage across nested subcalls. Enforces three configurable limits per lineage: max depth (default 6), max subcalls (default 64), and max budget units (default 128). Prevents UASGS bypass by denying subcalls that lack mediation markers.

  • Per-lineage state with budget-unit accounting
  • Depth, subcall, and budget enforcement
  • UASGS bypass prevention (unmediated subcalls denied)
  • Reason codes: RLM_ALLOW, RLM_HALT_MAX_DEPTH, RLM_HALT_MAX_SUBCALLS, RLM_HALT_MAX_SUBCALL_BUDGET, RLM_BYPASS_DENIED
Multi-Agent Security

Loop Governor State Machine

Full 8-state governance state machine for agent loop runs with immutable budget limits. Supports operator halt (human kill switch) and provider unavailability handling.

  • States: CREATED, RUNNING, WAITING_APPROVAL, COMPLETED, HALTED_POLICY, HALTED_BUDGET, HALTED_PROVIDER_UNAVAILABLE, HALTED_OPERATOR
  • 8 immutable limit dimensions: steps, tool calls, model calls, wall time, egress bytes, model cost, provider failovers, risk score
  • Immutable limits: once set on first call, cannot be changed (prevents limit-widening attacks)
  • Terminal states are irreversible for deterministic external governance
Loop Governance

Loop Admin API

Admin endpoints for loop run observability and operator control, with audit logging for all admin operations.

  • GET /admin/loop/runs: list all runs (sorted by last update)
  • GET /admin/loop/runs/<id>: per-run detail with full state and usage
  • POST /admin/loop/runs/<id>/halt: operator halt (human kill switch)
  • All operations emit structured audit events
Admin API

Context Memory Tiering

Four-tier memory classification system with tier-specific enforcement rules:

  • ephemeral: no persistence constraints
  • session: session-scoped context
  • long_term: writes require dlp_classification=clean
  • regulated: reads require step-up authorization
Data Governance

CLI Tool Adapter

Shell injection prevention for CLI-protocol tool calls through the tool plane:

  • Command allowlists (only registered commands execute)
  • Max-args enforcement (configurable per capability)
  • Denied-arg-token detection: ; && || | $( ` > <
  • Reason codes: TOOL_CLI_COMMAND_DENIED, TOOL_CLI_ARGS_DENIED
Tool Security

Ingress Connector Envelope

Canonical envelope validation for webhook and queue connectors:

  • SPIFFE source principal matching (source_principal must match actor_spiffe_id)
  • SHA-256 payload content-addressing (ingress://payload/<hex>)
  • Replay detection with composite nonce key and 30-minute TTL
  • 10-minute freshness window (past and future)
  • Quarantine for stale events (not outright denial)
Ingress Security

Control Plane API Endpoints

The gateway exposes per-plane control endpoints that allow external governors (agent frameworks, orchestrators, custom middleware) to enforce limits without requiring invasive changes inside agent framework loops. All endpoints accept the unified PlaneRequestV2 contract with RunEnvelope correlation metadata.

Gateway control plane API endpoints
Endpoint Plane Function
POST /v1/ingress/admit Ingress Canonical envelope validation, source principal matching, replay detection, payload content-addressing
POST /v1/context/admit Context Memory tier enforcement, provenance validation, DLP classification checks, minimum-necessary invariants
POST /v1/model/call Model Model provider authorization, data residency enforcement, prompt safety (HIPAA-aware), budget tracking
POST /v1/tool/execute Tool Capability registry evaluation, CLI adapter shell-injection prevention, step-up token validation
POST /v1/loop/check Loop Boundary checks, budget enforcement (8 dimensions), state machine transitions, operator halt, provider unavailability

All plane endpoints support the execution_mode=rlm modifier for RLM governance. When RLM mode is active, the gateway evaluates lineage depth, subcall budgets, and UASGS mediation before the plane-specific policy.

Core Security Controls

Core PRECINCT security controls and what they enforce
Control Domain Implemented Capabilities Primary Components
Identity SPIFFE IDs, SPIRE issuance and rotation, trust-domain scoped workload identity, mTLS-ready verification. SPIRE Server/Agent, gateway SPIFFE auth layer
Authorization Policy-as-code decisions, risk-aware grants, step-up gating, deterministic deny codes and remediation fields. OPA/Rego engine, policy bundles, step-up middleware
Secrets Late-binding references, SPIFFE-authenticated secret redemption, token scope enforcement, no credential exposure to agents. SPIKE Nexus/Keepers, token substitution layer (step 13)
Content Protection Credential DLP blocking, injection detection, deep scan guard model path, session-aware exfiltration pattern tracking. DLP scanner, deep scan layer, session context engine
Operational Resilience Per-identity rate limiting, per-tool circuit breaker, bounded payload handling, consistent health and retry behavior. Rate limiter, circuit breaker, ingress/request guards
Traceability Structured audit records, decision and trace IDs, hash-chain evidence, OpenTelemetry traces to Phoenix, and indexed forensic search via OpenSearch Dashboards. Audit middleware, OTel collector, Phoenix, OpenSearch extension

Decision Types

Every plane and middleware decision resolves to one of four possible outcomes. These are not HTTP-specific; they are semantic decision types that determine what happens to the request and how the calling agent should respond.

PRECINCT decision types
Decision Semantics Typical HTTP Status
allow Request is authorized and may proceed. 200
deny Request is rejected. The reason code indicates why. 400, 401, 403, 409, 429
step_up Request requires elevated authorization before it can proceed. The agent must obtain an approval token and resubmit. 202, 428
quarantine Request is not denied outright but is held for review or data transformation (e.g., stale ingress events, regulated content requiring tokenization/redaction). 202, 403

Runtime Capability Matrix

Gateway runtime layer matrix
Step Layer What It Enforces
1Request Size LimitEarly rejection of oversized bodies (10MB default guardrail).
2Body CaptureCanonical request parsing for downstream policy and security layers.
3SPIFFE AuthIdentity verification for calling workload/session context.
4Audit LogTamper-evident records with decision metadata.
5Tool Registry VerifyTool authorization and hash integrity verification.
6OPA PolicyFine-grained policy decisions for actions, tools, and risk level.
7DLP ScanningCredential detection, sensitive content handling, injection markers.
8Session ContextCross-request state tracking and exfiltration signal accumulation.
9Step-Up GatingAdditional authorization for elevated-risk operations.
10Deep ScanModel-assisted inspection for adversarial payloads.
11Rate LimitingPer-identity quotas and burst protections.
12Circuit BreakerUpstream-failure isolation and recovery stabilization.
13Token SubstitutionFinal-step secret redemption and substitution at egress only.

An outer observability wrapper (Request Metrics, step 0) captures timing, size, and routing metadata but is not an enforcement layer.

Integration & Platform Coverage

Integrations and platform capabilities
Area Coverage Where to Explore
SDKs Python and Go SDKs with structured errors and SPIFFE identity propagation. SDKs page
CLI Operations agw flows for compliance evidence, operations, status, and governance commands. CLI reference
Reference Port Adapter Adapter-secured application support including WS messaging and webhook ingress enforcement. Case study
Deployment Targets Compose for fast local evaluation; Kubernetes overlays for local/dev/staging/prod workflows. Compose, Kubernetes
Observability Dual backends: Phoenix for trace waterfalls and OpenSearch Dashboards for indexed audit/compliance investigations. Getting started

Operations, Security, and Compliance Workflow

Beyond runtime controls, PRECINCT includes production-readiness gates and evidence workflows for security and compliance reviews.

  • Security scans (strict and non-strict) with artifact validation.
  • Manifest policy checks and control matrix verification gates.
  • Compliance reporting and evidence collection flows for audit packages.
  • Dual observability backends: Phoenix for trace analysis and OpenSearch Dashboards for indexed compliance evidence search.
  • Kubernetes OpenSearch extension wired with Secret-backed certs/credentials, SPIRE identities, and NetworkPolicy isolation.
  • agw evidence export can pull from OpenSearch over HTTPS + mTLS for compliance-proof workflows.
  • GDPR ROPA visibility and right-to-erasure operation support.
  • Conformance and benchmark harnesses for behavioral and performance validation.

Proof Commands (Run Locally)

# Full runtime exercise
make demo

# Reference adapter secure-port campaign (WS + webhook + policy behavior)
make adapter-demo

# Validation suites (compose + k8s)
make validate

# Strict production-readiness security evidence gate
make production-readiness-validate

# Compliance automation and reporting
make compliance-report
make compliance-evidence FRAMEWORK=soc2

# Optional indexed evidence backend (Apache-2 stack)
make opensearch-up
make opensearch-seed
make opensearch-validate

# Optional K8s OpenSearch extension
make k8s-opensearch-up

# Compliance evidence from OpenSearch (HTTPS + mTLS)
export AGW_OPENSEARCH_PASSWORD=''
go run ./cmd/agw compliance collect \
  --framework soc2 \
  --audit-source opensearch \
  --opensearch-url https://opensearch.observability.svc.cluster.local:9200 \
  --opensearch-ca-cert /certs/ca.crt \
  --opensearch-client-cert /certs/client.crt \
  --opensearch-client-key /certs/client.key

# Security scans
make security-scan
make security-scan-strict
Capability Coverage Guarantee

This capability page is intended as the canonical site-level inventory. When new runtime, adapter, operations, or compliance features are added, this page should be updated in the same change set so stakeholder-facing coverage stays complete.