Version: 0.1
Status: Draft
Reference Implementation: MVAR runtime (github.com/mvar-security/mvar)
This specification defines the minimum execution boundary contract for AI agent runtimes. It is designed to be runtime-agnostic and implementable by any agent framework.
Every action submitted to a privileged execution sink MUST carry the following provenance fields:
| Field | Values | Description |
|---|---|---|
| source | model, user, system | Origin of the action request |
| trust_level | trusted, untrusted | Trust classification |
| trace_id | string | Unique trace identifier |
The following sink categories are defined as critical:
| Sink | Examples |
|---|---|
| shell | bash, exec, subprocess |
| filesystem | read, write, delete |
| network | HTTP, TCP, DNS |
| credentials | API keys, tokens, secrets |
| process_spawn | fork, spawn, daemon |
The core invariant of this specification:
UNTRUSTED input MUST NOT invoke CRITICAL sinks without explicit policy approval.
This invariant is deterministic: the decision is a function of the provenance fields, the sink category, and the configured policy only. It does not depend on:
- Prompt classification
- Intent detection
- Model confidence scores
- Uncertainty quantification signals
A runtime is considered conformant with this specification if:
- All critical sink invocations are mediated by a policy decision
- Provenance fields are propagated across agent boundaries
- Policy decisions are logged with trace_id binding
- Enforcement is fail-closed on missing or invalid provenance
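The following is an added illustration of the contract above, written for this page and not taken from the MVAR runtime. It implements a gate that sits in front of the critical sinks: provenance is validated first and any missing or invalid field denies (fail-closed), trusted provenance passes, untrusted provenance passes only when the policy lists an explicit approval, and every decision is logged bound to the trace_id. The policy shape (a set of approved (sink, operation) pairs for untrusted input), the ALLOW/DENY strings, the `op` and `confidence` fields on actions, and the `derive_action` helper are assumptions made for the example; the specification fixes only the three provenance fields and the sink categories.

```python
"""Enforcement gate for the execution boundary contract (added example, not MVAR code)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any

# Value sets taken from the specification tables.
SOURCES = frozenset({"model", "user", "system"})
TRUST_LEVELS = frozenset({"trusted", "untrusted"})
CRITICAL_SINKS = frozenset({"shell", "filesystem", "network", "credentials", "process_spawn"})

ALLOW, DENY = "allow", "deny"  # decision values; naming is an assumption of this example


@dataclass(frozen=True)
class Provenance:
    source: str
    trust_level: str
    trace_id: str


def validate_provenance(action: dict[str, Any]) -> Provenance | None:
    """Return the provenance triple, or None when any field is missing or invalid.

    None is the fail-closed signal: the caller must deny and must never fall back
    to a default such as 'trusted'.
    """
    source, trust, trace = action.get("source"), action.get("trust_level"), action.get("trace_id")
    if source not in SOURCES or trust not in TRUST_LEVELS:
        return None
    if not isinstance(trace, str) or not trace:
        return None
    return Provenance(source, trust, trace)


@dataclass(frozen=True)
class Policy:
    """Explicit approvals for untrusted provenance, keyed by (sink, operation).

    Hypothetical policy shape; the specification only requires that approval be explicit.
    """
    untrusted_approvals: frozenset[tuple[str, str]] = frozenset()


class Gate:
    """Mediates every sink invocation and records one log entry per decision."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.log: list[dict[str, Any]] = []

    def _record(self, action: dict[str, Any], decision: str, reason: str) -> str:
        # trace_id may legitimately be absent here (that is itself a deny reason),
        # so it is read with .get() rather than assumed.
        self.log.append({
            "trace_id": action.get("trace_id"),
            "sink": action.get("sink"),
            "op": action.get("op"),
            "decision": decision,
            "reason": reason,
        })
        return decision

    def decide(self, action: dict[str, Any]) -> str:
        prov = validate_provenance(action)
        if prov is None:  # fail closed on missing or invalid provenance
            return self._record(action, DENY, "missing_or_invalid_provenance")
        sink = action.get("sink")
        if sink not in CRITICAL_SINKS:
            return self._record(action, ALLOW, "non_critical_sink")
        if prov.trust_level == "trusted":
            return self._record(action, ALLOW, "trusted_provenance")
        if (sink, action.get("op")) in self.policy.untrusted_approvals:
            return self._record(action, ALLOW, "explicit_policy_approval")
        # Core invariant: untrusted input, critical sink, no explicit approval -> deny.
        # Fields such as "confidence" or "intent" on the action are never consulted.
        return self._record(action, DENY, "untrusted_critical_sink")


def derive_action(parent: dict[str, Any], sink: str, op: str, **args: Any) -> dict[str, Any]:
    """Build a sub-action handed to another agent, propagating provenance unchanged.

    Trust is copied, never upgraded, so an untrusted origin cannot be laundered by
    routing the request through a second agent.
    """
    return {
        "source": parent["source"],
        "trust_level": parent["trust_level"],
        "trace_id": parent["trace_id"],
        "sink": sink,
        "op": op,
        "args": args,
    }


if __name__ == "__main__":
    gate = Gate(Policy(untrusted_approvals=frozenset({("filesystem", "read")})))
    # Constructed sample actions for demonstration.
    untrusted = {"source": "model", "trust_level": "untrusted", "trace_id": "t-1",
                 "sink": "shell", "op": "exec", "confidence": 0.99}
    gate.decide(untrusted)                                  # deny, confidence ignored
    gate.decide(derive_action(untrusted, "network", "http"))  # deny, trust propagated
    gate.decide({"source": "user", "trust_level": "trusted", "sink": "shell", "op": "exec"})  # deny, no trace_id
    for entry in gate.log:
        print(json.dumps(entry))
```

Note that the gate keys approvals on the sink category and operation only; a real deployment would also bind the approval to the specific arguments (path, host, command) so that an approval for one file read cannot be reused for another.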
MVAR implements this specification in full.
Verification:

`pip install mvar-security`

`bash scripts/repro-validation-pack.sh`
This specification follows semantic versioning. Breaking changes increment the major version. Additive changes increment the minor version.
- v0.1 — Initial draft. Provenance model, sink categories, enforcement invariant.