HackerLangs
TopNewTrendsCommentsPastAskShowJobs

euan21

1 karmajoined 3 miesiące temu

Submissions

[untitled]

1 points·by euan21·3 dni temu·0 comments

Show HN: I scanned 87 MCP servers for agent-authority hygiene – leaderboard

capframe.ai
1 points·by euan21·14 dni temu·4 comments

Show HN: Capframe – capability tokens for AI agent tool calls

capframe.ai
1 points·by euan21·2 miesiące temu·2 comments

comments

euan21
·12 dni temu·discuss
[flagged]
euan21
·14 dni temu·discuss
[dead]
euan21
·14 dni temu·discuss
[flagged]
euan21
·14 dni temu·discuss
Thanks for flagging — can you share which filters you tried? The leaderboard at capframe.ai/leaderboard filters by severity/rule client-side. If something's broken on Kubuntu/Firefox I want to fix it.
euan21
·14 dni temu·discuss
[dead]
euan21
·2 miesiące temu·discuss
[flagged]
euan21
·2 miesiące temu·discuss
Hi HN — I just shipped v0.2 of Capframe, an open-source toolkit or AI agentsthat call tools.The wedge I'm trying to fill: agents calling MCP servers / OpenAI functions / LangGraph nodes have no principled authority model at the tool-call boundary. Existing approaches either (a) wrap an LLM around the allow/deny decision (un-auditable), or (b) lean on prompt-time guardrails (inherits prompt injection's "best-effort" guarantee). Capframe takes the opposite stance — deterministic, capability-based, no LLM in the decision path.

  Three modules, each its own repo, glued by a single Rust
  dispatcher CLI:

  - Find (mcp-recon)  — discovers an MCP server's tool surface,
  emits a
    structured findings document. Six deterministic rules today
  (R1
    unconstrained string input, R2 missing auth on side-effecting
  tools,
    R3 side-effect/name mismatch, R4 unbounded numeric on
  money-ish params,
    R5 money in description but no money side-effect, R6
  indirect-injection
    surface from external-fetch tools).
  - Bind (capnagent)  — mints macaroon-style capability tokens.
  Ed25519
    holder-of-key, attenuable by holders without contacting the
  issuer,
    revocable, signed denial receipts (HMAC-SHA256).
  - Guard (mcp-guard) — deterministic policy evaluator with three
  modes
    (synthesize / evaluate / backtest). Pure-stdlib Python,
  microsecond
    decision path.

  The wire format binding them is a public JSON Schema (Draft
  2020-12,
  additionalProperties:false, regex-validated OWASP LLM / NIST AI
  RMF / MITRE
  ATLAS IDs): https://capframe.ai/schema . I'd like this to become
   the
  SARIF-equivalent for AI agent security — happy to take
  suggestions and PRs.

  Install: `curl -fsSL capframe.ai/install | sh` —
  sha256-verified, native
  binaries on GitHub Releases for linux/macos/windows ×
  x86_64/aarch64.
  Source: https://github.com/capframe/capframe (MIT).

  A "Pro" tier on the landing page is a waitlist, not a product —
  ignore it
  for now.

  Three things I'd love feedback on:

  1. The schema shape. If you've shipped or reviewed anything in
  this space,
     does the findings.v1 envelope work, or am I missing fields?

  2. The Find / Bind / Guard decomposition. Is that how you'd want
   to adopt
     this incrementally in an existing agent stack, or are the
  lines drawn
     wrong?

  3. The caveat DSL (`tool in [...]`, `max_refund <= 50`, `region
  == "eu"`).
     Reasonable on top of macaroons, or reinventing badly?

  Happy to answer anything.