Agent Capability Flow Control
Cryptographically-enforced authorization for AI agent workflows. Unlike IAM ("Who are you?"), Tenuo asks: "Do you hold a valid, scoped token for this action?"
๐Ÿ›๏ธ
Control Plane
Central Authority โ€ข Secure Cluster
  • ๐Ÿ”
    Holds Root Private Key: HSM-backed in production
  • ๐Ÿ“œ
    Issues Warrants: HTTP API for token generation
  • โœ…
    Approval Workflows: Human-in-the-loop for sensitive ops v0.2
  • ๐Ÿ“Š
    Audit Logging: Complete trail of all issued warrants
  • ๐Ÿ”‘
    Key Rotation: Scheduled and emergency rotation v0.2
Deploy: Isolated namespace, RBAC-protected, limited network access
๐Ÿ”‘ Public Key
shared once at deploy
โšก
Data Plane
Edge Verification โ€ข Zero Network Dependency
  • ๐Ÿ“ด
    Offline Verification: Never calls Control Plane at runtime
  • โšก
    ~27ฮผs Allowed / ~150ns Blocked: Fast rejection short-circuits
  • ๐Ÿ”—
    Chain Verification: Validates full delegation path
  • ๐Ÿ”„
    Can Attenuate: Delegate narrower capabilities to sub-agents
  • ๐Ÿ›ก๏ธ
    Constraint Enforcement: Pattern, Range, CEL expressions
Deploy: Sidecar, library embed, or gateway. Works during CP outages
Why Tenuo?
๐Ÿ“ด
100% Offline
No runtime network calls
โฌ‡๏ธ
Monotonic
Capabilities only shrink
๐Ÿ”
Holder-Bound
Stolen warrants useless
โšก
~27ฮผs / ~150ns
Allow / Block latency
Unlike IAM ("Who are you?"), Tenuo asks: "Do you hold a valid, scoped token for this action?"

Complete Flow

STEP 1 Agent Registration & Warrant Issuance (Control Plane)
๐Ÿ‘ค
User/System
Initiates deployment
โ†’
POST /v1/warrants
๐Ÿ›๏ธ
Control Plane
Signs root warrant
โ†’
root warrant
๐ŸŽญ
Orchestrator
Receives capability
โ–ผ
STEP 2 Orchestrator's Perspective: Attenuate & Delegate
1. Receives Root Warrant
root warrant
max_depth: 3
โ†’
2. Attenuates
๐ŸŽญ
Orchestrator
Creates narrower warrant
binds to worker pubkey
โ†’
3. Delegates
โš™๏ธ Worker A
action: [upgrade, restart]
โ–ผ
STEP 3 Worker's Perspective: Verify Chain & Execute (100% Offline)
โš™๏ธ Worker A (Routine Actions)
action: [upgrade, restart]
1. Receive warrant chain
โ†“
2. Verify chain offline (~20ฮผs)
โ†“
3. Sign request (PoP, ~50ฮผs)
โ†“
4. โœ“ Execute Tool
Can delegate further to sub-agents (depth +1)
What gets verified at each step (all offline, ~27ฮผs)
๐Ÿ”—
Chain
โœ๏ธ
Signatures
โฌ‡๏ธ
Monotonicity
๐Ÿ”
Holder PoP
๐Ÿ”„
Replay
โฑ๏ธ
Expiration

Integration Points

CONTROL PLANE Warrant issuance, policy management
๐ŸŒ
HTTP API
Available
RESTful API for warrant issuance. JSON request/response with Base64-encoded CBOR warrants.
POST /v1/warrants
GET /v1/public-key
DATA PLANE Offline verification, authorization
๐Ÿฆ€
Rust Library
Available
Embed directly for maximum performance. Single dependency, no runtime overhead.
tenuo = "0.1"
use tenuo::Authorizer;
๐Ÿ
Python SDK
Available
Native Python bindings via PyO3. Drop-in integration for LangChain, AutoGPT, CrewAI.
pip install tenuo
from tenuo import Authorizer
๐Ÿšข
Kubernetes Sidecar
Available
Deploy as a sidecar container. Your agent calls localhost:9090 with zero cross-network latency.
containers:
  - name: tenuo-authorizer
๐Ÿค–
LangChain / LangGraph
Available
First-class support for LangChain Tools and LangGraph node scoping with @tenuo_node decorator.
@guard(tool="read_file")
def read_file(path: str): ...
โ˜๏ธ
Envoy / Istio
Available
External authorization service for Envoy ext_authz and Istio AuthorizationPolicy.
tenuo-authorizer serve \
  --config gateway.yaml

Use Cases

๐Ÿ”ง Tool Authorization
Control which tools an agent can invoke and with what parameters. "Agent X can call query_db but only on public_* tables."
๐Ÿ“Š Capacity Limits
Enforce resource caps across agent hierarchies. Parent grants 15 replicas, orchestrator limits to 10 per worker.
๐Ÿค– Multi-Agent Orchestration
Orchestrator โ†’ Worker A โ†’ Sub-Agent A1
Chain of trust maintained across all hops.
๐Ÿ—๏ธ Infrastructure Access
Kubernetes cluster operations, cloud resource management. "Upgrade staging-web only, not production."
โฑ๏ธ Time-Bounded Tasks
Warrants with TTL ensure capabilities expire. 10-minute window for a specific operation.

Performance Metrics

~27ฮผs
Allowed actions
~150ns
Blocked (short-circuit)
20ฮผs
Chain verify (3-hop)
0
Network calls

Roadmap

Now
v0.1 - Core
  • Warrant issuance & chain verification
  • Holder binding (PoP)
  • Python SDK (PyO3)
  • LangChain / LangGraph integration
  • Envoy ext_authz sidecar
  • 10+ constraint types
v0.2 - Multi-Agent
  • SecureGraph (auto attenuation)
  • Multi-sig approvals (M-of-N)
  • Notary Registry (identity mapping)
  • MCP native integration
v0.3 - Developer Tools
  • Warrant debugger
  • Chain inspector CLI
  • OpenTelemetry traces
  • Local dev simulator
Future
Security Extensions
  • Merkle Roots (RAG security)
  • Resource Nullifiers (fan-out prevention)
  • OAuth RAR Bridge
  • DID Federation (did:key)