🤖 AI Summary
This work addresses the security risk of "lingering permissions" arising from persistent privileges granted to coding agents by introducing PORTICO, a reference monitor grounded in explicit task contracts. PORTICO dynamically governs permissions across the request–authorization–invocation lifecycle through a combination of revocable capabilities, epoch-bound opaque handles, a typed tool catalog, and trusted closure predicates, thereby enforcing fine-grained, time-bound access control at the granularity of task phases. Empirical evaluation demonstrates that PORTICO consistently blocks all effectful operations prohibited by its contracts and rejects 100% of post-closure permission reuse attempts, whereas baseline approaches fail entirely, confirming its efficacy and robustness in real-world repository environments.
📝 Abstract
Coding agents often receive broad tool access for an entire task, even when a resource is needed only for one subgoal. We call this gap lingering authority: a temporary resource/effect capability remains exposed after the episode that justified it has closed.
PORTICO is a reference monitor for revocable capabilities exposed to the planner. It compiles an explicit task contract into initial capabilities, grant rules, trusted closure predicates, and global deny rules. A request-grant-invoke lifecycle materializes expansions as opaque, epoch-bound handles. Closure removes those handles from the next planner interface and rejects stale replay before side effects. The monitor assumes mediated tools and a sound typed catalog.
In controlled coding-agent tasks, PORTICO records no executed contract-forbidden effects in the evaluated runs, while controlled grants recover boundary work blocked by a fixed narrow envelope. A non-revoking comparator receives the same initial envelope and the same grants at the same turns. On the closure slice, both systems match task success, scope compliance, and all pre-closure decisions; PORTICO then rejects 10/10 post-closure reuses, while the comparator permits 10/10. A deterministic stale-write audit records 0/6 versus 6/6 executed forbidden effects. Scripted traces and six live model traces over file writes, git mutation, and network egress show the same split. In a four-episode same-policy diagnostic, broad request exposure preserves zero executed forbidden effects but raises blocked proposals from 67 to 84. Frozen real-repository runs, with commits and traces recorded, exercise the same lifecycle on real project layouts.