The Agent Stack #035 — Wednesday Stack
Two competing agent security frameworks dropped on HN this week. Both tackle the same critical problem: how to safely grant AI agents permission to actually do things. Neither is production-ready yet, but they’re worth testing now.
The timing isn’t coincidental. Google’s I/O showcased agents everywhere — Gemini Spark handling your calendar, AI agents monitoring your inbox, even Volvo’s EX60 using Gemini to read parking signs through external cameras. More capability means more attack surface.
Capframe: Object Capabilities for Agents
Capframe implements object-capability security for agent tool calls. The core insight: instead of handing an agent ambient authority (an API key that can do anything the account can), you issue a capability scoped to one specific action.
Here’s how it works. Your agent needs to send an email. Instead of granting general email access, Capframe issues a token for “send one email to [email protected] about project X”. The token is consumed on use, so it can’t be replayed, and the agent can’t stretch it into broader access. What it doesn’t remove is risk at the issuing step: a capability is only as narrow as the request that produced it.
The architecture is clean: a capability server mints tokens, the agent attaches one to each tool call, and the framework validates it before the tool runs. Think OAuth, but with scopes narrowed to a single action and a single use. One thing to check in practice: if the tokens are plain bearer tokens, whoever holds one can perform the action, so keep the TTL short.
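To make the issue-then-validate loop concrete, here is an added example in Python. It is not Capframe’s code and assumes its own token format (HMAC-signed, single-use, short-lived, bound to a hash of the exact tool name and arguments); the key, tool names and sample call are constructed for illustration.

```python
"""Capability-token gate for agent tool calls.

Added illustration (not Capframe's code): a capability server mints a
single-use, short-lived token bound to one exact tool call, and the tool
runner refuses anything the token does not cover.
"""
import hashlib
import hmac
import json
import secrets
import time

# Assumption: only the capability server holds this key; agents only see tokens.
SERVER_KEY = secrets.token_bytes(32)


def _call_digest(tool, args):
    """Hash of the canonical (tool, args) pair the token is bound to."""
    canonical = json.dumps({"tool": tool, "args": args}, sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class CapabilityServer:
    """Issues and validates tokens; each token authorises one call, once."""

    def __init__(self, key, ttl_seconds=60):
        self.key = key
        self.ttl = ttl_seconds
        self.spent = set()  # ids of tokens already consumed

    def issue(self, tool, args, now=None):
        now = time.time() if now is None else now
        body = {"id": secrets.token_hex(8),
                "call": _call_digest(tool, args),
                "exp": now + self.ttl}
        payload = json.dumps(body, sort_keys=True)
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

    def validate_and_consume(self, token, tool, args, now=None):
        """Return (ok, reason); marks the token spent on success."""
        now = time.time() if now is None else now
        payload = token["payload"]
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return False, "bad signature"
        body = json.loads(payload)
        if now > body["exp"]:
            return False, "expired"
        if body["id"] in self.spent:
            return False, "already used"
        if not hmac.compare_digest(body["call"], _call_digest(tool, args)):
            return False, "token does not cover this call"
        self.spent.add(body["id"])
        return True, "ok"


# Hypothetical tool; send_email just returns a string instead of sending.
def send_email(to, subject):
    return f"sent to {to}: {subject}"


TOOLS = {"send_email": send_email}


def run_tool(server, token, tool, args, now=None):
    """Enforcement point: the tool runs only if the token matches the call."""
    ok, reason = server.validate_and_consume(token, tool, args, now=now)
    if not ok:
        return {"executed": False, "reason": reason}
    return {"executed": True, "result": TOOLS[tool](**args)}


if __name__ == "__main__":
    server = CapabilityServer(SERVER_KEY)
    args = {"to": "alice@example.com", "subject": "project X"}  # constructed
    tok = server.issue("send_email", args)
    print(run_tool(server, tok, "send_email", args))              # executed
    print(run_tool(server, tok, "send_email", args))              # already used
    tok2 = server.issue("send_email", args)
    print(run_tool(server, tok2, "send_email", {**args, "subject": "bonus"}))  # not covered
```

The binding is to a digest of the canonical call, so a token minted for one subject line cannot be spent on another, and the spent-set gives single use. The multi-step problem the docs leave open shows up immediately here: the second step of a workflow needs a second issuance, and nothing in this model says who gets to request it.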
But there are rough edges. Token management gets complex quickly. What happens when an agent needs to iterate? How do you handle multi-step workflows where the second step depends on the first? The docs don’t cover these scenarios yet.
Enforra: Policy-Based Governance
Enforra takes a different approach. It’s policy-based governance with real-time monitoring. Think of it as a firewall for agent actions.
You define policies in YAML — which users can do what, under which conditions, with what approval workflows. Enforra intercepts tool calls, checks policies, and either permits or blocks them. It logs everything for audit trails.
The advantage: simpler mental model. Admins write policies once, agents operate within them. The framework handles the complexity.
The downside: every tool call pays a trip through the policy engine. Early testing shows 50-100ms per call. That’s fine for the occasional email, painful for API-heavy workflows such as a data-analysis agent making hundreds of calls. Latency on that scale usually comes from a network hop to a central policy service rather than from evaluating the rules themselves, so whether policies can be evaluated in-process is worth checking before ruling it out.
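To make the policy model concrete, and to show where the per-call cost does and doesn’t come from, here is an added example in Python. It is not Enforra’s code or schema: the YAML layout in the comment, the rule names, the condition keys and the sample calls are all assumptions constructed for illustration. Rules are evaluated in-process, first match wins, anything unmatched falls to the default, and every decision is logged with its evaluation time.

```python
"""Policy gate for agent tool calls with an audit trail.

Added illustration, not Enforra's code or schema: rules written in the
YAML shown in the comment are evaluated in-process, first match wins,
anything unmatched falls to the default, and every decision is logged.
"""
import fnmatch
import posixpath
import time

# The same policy as YAML (hypothetical layout):
#
# default: deny
# rules:
#   - name: read-data
#     principals: ["analyst-*"]
#     tools: ["read_file"]
#     when: {path_prefix: "/data/"}
#     effect: allow
#   - name: email-internal
#     principals: ["*"]
#     tools: ["send_email"]
#     when: {to_domain: "example.com"}
#     effect: allow
#   - name: email-external
#     principals: ["*"]
#     tools: ["send_email"]
#     effect: require_approval
#   - name: no-shell
#     principals: ["*"]
#     tools: ["run_shell"]
#     effect: deny
POLICY = {
    "default": "deny",
    "rules": [
        {"name": "read-data", "principals": ["analyst-*"], "tools": ["read_file"],
         "when": {"path_prefix": "/data/"}, "effect": "allow"},
        {"name": "email-internal", "principals": ["*"], "tools": ["send_email"],
         "when": {"to_domain": "example.com"}, "effect": "allow"},
        {"name": "email-external", "principals": ["*"], "tools": ["send_email"],
         "effect": "require_approval"},
        {"name": "no-shell", "principals": ["*"], "tools": ["run_shell"],
         "effect": "deny"},
    ],
}

# Condition checks. Paths are normalised first so "/data/../etc/passwd"
# does not satisfy a "/data/" prefix.
CONDITIONS = {
    "path_prefix": lambda args, v: posixpath.normpath(str(args.get("path", ""))).startswith(v),
    "to_domain": lambda args, v: str(args.get("to", "")).rsplit("@", 1)[-1].lower() == v,
}


def _matches(rule, principal, tool, args):
    if not any(fnmatch.fnmatchcase(principal, p) for p in rule["principals"]):
        return False
    if tool not in rule["tools"]:
        return False
    for key, value in rule.get("when", {}).items():
        check = CONDITIONS.get(key)
        if check is None or not check(args, value):
            return False  # unknown condition keys never match: fail closed
    return True


class PolicyEngine:
    def __init__(self, policy):
        self.policy = policy
        self.audit = []  # one record per intercepted call

    def decide(self, principal, tool, args):
        start = time.perf_counter()
        decision, matched = self.policy["default"], None
        for rule in self.policy["rules"]:
            if _matches(rule, principal, tool, args):
                decision, matched = rule["effect"], rule["name"]
                break  # first match wins
        self.audit.append({
            "ts": time.time(), "principal": principal, "tool": tool, "args": args,
            "decision": decision, "rule": matched,
            "eval_ms": (time.perf_counter() - start) * 1000,
        })
        return decision


def gate(engine, principal, tool, args, approver=None):
    """Intercept a tool call; returns 'allow' or 'deny' after any approval step."""
    decision = engine.decide(principal, tool, args)
    if decision == "require_approval":
        approved = bool(approver and approver(principal, tool, args))
        decision = "allow" if approved else "deny"
        engine.audit[-1]["approval"] = approved
    return decision


if __name__ == "__main__":
    engine = PolicyEngine(POLICY)
    # Constructed sample calls.
    print(gate(engine, "analyst-1", "read_file", {"path": "/data/report.csv"}))
    print(gate(engine, "analyst-1", "read_file", {"path": "/data/../etc/passwd"}))
    print(gate(engine, "analyst-1", "send_email", {"to": "bob@example.com"}))
    print(gate(engine, "analyst-1", "send_email", {"to": "eve@evil.test"},
               approver=lambda *_: False))
    print(gate(engine, "analyst-1", "run_shell", {"cmd": "ls"}))
    for rec in engine.audit:
        print(rec["decision"], rec["rule"], f"{rec['eval_ms']:.3f} ms")
```

Run it and the eval_ms column shows rule evaluation itself costing microseconds; a 50-100ms figure is the round trip to wherever the policy lives, plus the synchronous approval step when one is required. The two details worth copying are the fail-closed default for unknown condition keys and the path normalisation, which is the difference between a “/data/” rule that holds and one that a single ../ walks out of.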
The Reality Check
Both frameworks solve real problems, but they’re early. Capframe has elegant theory but limited tooling. Enforra has better developer experience but scaling concerns.
Neither handles the hardest cases yet. What about agents that need to provision cloud resources? Or trading algorithms that need split-second execution? The security models break down when you need both safety and speed.
The bigger issue: adoption. Security frameworks only work if everyone uses them. That requires either regulatory pressure or a major breach that forces the industry’s hand.
Quick Hits
• Perplexity claims their AI agent cut Rho’s meeting time by 90%. No technical details, but interesting if true — suggests agents work better for specific workflows than general assistance.
• YouTube MCP server landed on HN. Finally gives Claude/ChatGPT access to YouTube content via Model Context Protocol. Simple but useful for content analysis workflows.
• Ocean raised £22.4M to fight AI-powered phishing. Former Iron Dome researcher building “agentic email security.” Classic defence-in-depth play as AI attacks scale up.
One Thing to Try
Fork Enforra and test it with a simple agent workflow. The setup takes 10 minutes, and you’ll quickly understand the policy overhead trade-offs. Start with a file-reading agent: safe enough to experiment with, complex enough to reveal the framework’s limitations. Point it at a scratch directory and try a path with ../ in it; whether the policy catches that tells you how much enforcement you still have to write yourself.
Production security for agents is still 12 months away, but the foundations are being laid now.