Seven capabilities that compose into a complete agent security architecture. Each one is independently valuable. Together, they cover every attack surface.
Every piece of data carries a trust label. Untrusted data can never drive privileged actions — no matter how many agents process it.
The lethal trifecta: ingress + data + egress = exfiltration. The bus ensures no single agent holds all three capabilities.
Agents share a knowledge brain. Each sees only what its data access tiers allow. Same query, different agent, different answer.
Every agent gets a cryptographic identity. Every session gets a scoped mandate. Credentials attenuate monotonically.
Three independent gates before every consequential action. Workflow drift, data trust, session risk. All three must pass.
Same tools, different order, different security posture. read_db then send_email is exfiltration. Reversed, it's fine.
Ed25519 signatures on every MCP tool manifest. If a tool description changes after approval, the signature fails.
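The ordering rule above (read_db then send_email is exfiltration, the reverse is fine) can be shown as a session-scoped check. This is an added example, not the product's own code: the capability tags, the `Session` and `authorize` names, and the `fetch_url` tool are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed capability tags per tool. Only read_db and send_email are named
# on the page; fetch_url is a hypothetical ingress tool.
TOOL_CAPS = {
    "read_db": {"data"},
    "send_email": {"egress"},
    "fetch_url": {"ingress"},
}


@dataclass
class Session:
    """Per-session state consulted before each tool call."""
    holds_sensitive: bool = False          # set once a data-tier tool has run
    history: list = field(default_factory=list)


def authorize(session: Session, tool: str) -> bool:
    """Decide one tool call from the session's history, not from the tool alone."""
    caps = TOOL_CAPS.get(tool)
    if caps is None:
        return False                       # unknown tool: deny by default
    if "egress" in caps and session.holds_sensitive:
        return False                       # sensitive data already in context
    if "data" in caps:
        session.holds_sensitive = True     # later egress is now blocked
    session.history.append(tool)           # record only calls that were allowed
    return True


def run(sequence):
    """Evaluate a constructed call sequence in a fresh session."""
    session = Session()
    return [(tool, authorize(session, tool)) for tool in sequence]


if __name__ == "__main__":
    # Constructed sequences: same tools, different order.
    for seq in (["read_db", "send_email"], ["send_email", "read_db"]):
        print(seq, "->", run(seq))
```

The decision depends on what the session has already done, so an allow-list of tool names alone cannot express it.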