Tenuo makes authority task-scoped. A manager agent starts with a signed capability ("warrant") and can delegate to workers, but delegation can only attenuate. Each step gets narrower authority, and it disappears when the task ends.
Even if an agent is prompt-injected, it can't take actions outside its warrant. Every tool call requires proof-of-possession, and arguments are validated against explicit constraints before execution.
This is inspired by systems like Macaroons / Biscuit / UCAN, but adapted for AI agents processing untrusted input:
- signed, ephemeral capability tokens
- mandatory proof-of-possession
- constraint checking on tool arguments
- fail-closed by default (no warrant = no action)
Implementation details:
- Rust core, Python SDK
- ~27μs verification per call, offline
- integrations for LangGraph, OpenAI SDK, MCP, A2A, etc.
Repo: https://github.com/tenuo-ai/tenuo
Launch post (2025): https://niyikiza.com/posts/tenuo-launch/
Happy to answer questions or hear where this breaks down.
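
An added illustration of the model described in the post (attenuation-only delegation, proof-of-possession, argument constraints, fail-closed); it is not Tenuo's code or API. It uses a Macaroon-style HMAC chain from the Python standard library as a stand-in for signed warrants, and all names, keys and paths are constructed for the example.

```python
import hashlib, hmac, json, posixpath, time

ROOT_KEY = b"constructed-demo-root-key"  # assumption: held by issuer and verifier only
KNOWN = {"holder", "tool", "exp", "path_prefix"}

def mac(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).digest()

def holder_key(holder):
    # Stand-in for a holder's private key (a real system would use asymmetric keys).
    return mac(ROOT_KEY, {"holder": holder})

def mint(holder, tool, path_prefix, ttl_s):
    block = {"holder": holder, "tool": tool, "path_prefix": path_prefix,
             "exp": time.time() + ttl_s}
    return {"blocks": [block], "sig": mac(ROOT_KEY, block)}

def delegate(warrant, parent_key, holder, **narrower):
    # Append-only: the new block is chained to the previous signature under the
    # delegating holder's key, so earlier blocks cannot be dropped or edited.
    block = {"holder": holder, **narrower}
    return {"blocks": warrant["blocks"] + [block],
            "sig": mac(parent_key + warrant["sig"], block)}

def prove(key, warrant, tool, args):
    # Proof-of-possession: bind this exact call to the holder's key.
    return mac(key + warrant["sig"], {"tool": tool, "args": args})

def under(path, prefix):
    # Normalise first so "../" cannot step outside the allowed prefix.
    p, root = posixpath.normpath(str(path)), prefix.rstrip("/")
    return p == root or p.startswith(root + "/")

def authorize(warrant, pop, tool, args, now=None):
    now = time.time() if now is None else now
    if not warrant or not warrant.get("blocks") or not isinstance(pop, bytes):
        return False  # fail closed: no warrant or no proof means no action
    blocks = warrant["blocks"]
    sig = mac(ROOT_KEY, blocks[0])
    for parent, block in zip(blocks, blocks[1:]):
        sig = mac(holder_key(parent.get("holder")) + sig, block)
    if not hmac.compare_digest(sig, warrant["sig"]):
        return False  # chain was tampered with
    leaf_key = holder_key(blocks[-1].get("holder"))
    if not hmac.compare_digest(prove(leaf_key, warrant, tool, args), pop):
        return False  # caller does not hold the key the warrant is bound to
    for b in blocks:  # every block must allow the call, so authority only narrows
        if set(b) - KNOWN or b.get("tool", tool) != tool or now >= b.get("exp", now + 1):
            return False
        if "path_prefix" in b and not under(args.get("path", ""), b["path_prefix"]):
            return False
    return True
```

Because every block in the chain is checked, a worker that appends a broader `path_prefix` gains nothing: the manager's original constraint still has to pass.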