Lingering Authority: Revocable Resource-and-Effect Capabilities for Coding Agents

📅 2026-06-21
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the security risk of "lingering permissions" arising from persistent privileges granted to coding agents by introducing PORTICO, a reference monitor grounded in explicit task contracts. PORTICO dynamically governs permissions across the request–authorization–invocation lifecycle through a combination of revocable capabilities, epoch-bound opaque handles, a typed tool catalog, and trusted closure predicates, thereby enforcing fine-grained, time-bound access control at the granularity of task phases. Empirical evaluation demonstrates that PORTICO consistently blocks all effectful operations prohibited by its contracts and rejects 100% of post-closure permission reuse attempts, whereas baseline approaches fail entirely, confirming its efficacy and robustness in real-world repository environments.
📝 Abstract
Coding agents often receive broad tool access for an entire task, even when a resource is needed only for one subgoal. We call this gap lingering authority: a temporary resource/effect capability remains exposed after the episode that justified it has closed. PORTICO is a reference monitor for revocable capabilities exposed to the planner. It compiles an explicit task contract into initial capabilities, grant rules, trusted closure predicates, and global deny rules. A request-grant-invoke lifecycle materializes expansions as opaque, epoch-bound handles. Closure removes those handles from the next planner interface and rejects stale replay before side effects. The monitor assumes mediated tools and a sound typed catalog. In controlled coding-agent tasks, PORTICO records no executed contract-forbidden effects in the evaluated runs, while controlled grants recover boundary work blocked by a fixed narrow envelope. A non-revoking comparator receives the same initial envelope and the same grants at the same turns. On the closure slice, both systems match task success, scope compliance, and all pre-closure decisions; PORTICO then rejects 10/10 post-closure reuses, while the comparator permits 10/10. A deterministic stale-write audit records 0/6 versus 6/6 executed forbidden effects. Scripted traces and six live model traces over file writes, git mutation, and network egress show the same split. In a four-episode same-policy diagnostic, broad request exposure preserves zero executed forbidden effects but raises blocked proposals from 67 to 84. Frozen real-repository runs, with commits and traces recorded, exercise the same lifecycle on real project layouts.
Problem

Research questions and friction points this paper is trying to address.

lingering authority
revocable capabilities
coding agents
resource access control
capability revocation
Innovation

Methods, ideas, or system contributions that make the work stand out.

revocable capabilities
reference monitor
lingering authority
task contract
capability lifecycle
🔎 Similar Papers