About

About

I write about security, authorization, AI agents, and the systems challenges that come with powerful but untrusted components.

My focus is on structural approaches: capability-based authorization, attenuable tokens, runtime boundaries, and designs where certain classes of harm become unrepresentable rather than merely unlikely. I’m the author of Warden, a Rust-based reference runtime that enforces strict, auditable authority limits on agent tool calls.

This site is the home for longer-form technical writing on these topics — and related work in Rust, infrastructure, and application security.

Projects

  • Warden — A capability-secure runtime for AI agent tool calls. Rust, Biscuit tokens, structural authority boundaries.
  • Capsule — An MCP capability gateway combining sandbox boundaries with content-based taint tracking.

If you’re new here, start with:

  1. Prompt Injection Is an Authorization Bug: Capability-Bounded AI Agents — The foundational post. Two agents, same injected attack. One leaks secrets; the other can’t.
  2. The Signature Verified, the Authority Widened Anyway — How a verified crypto signature still lets attackers escalate privileges (Part 2).
  3. Capability Boundaries Have No Memory — When sandboxing isn’t enough and you need content provenance too (Part 3).

Contact

I’m an engineering leader focused on cloud platforms, security, and agentic systems. Worked on SaaS/PaaS and modern cloud infrastructure.

The goal here is clarity over volume: posts that go deep on one hard problem, with honest threat models and reproducible examples.