Capability-bound microVM orchestrator for single-session agents.
Per-session VMs that spawn fast, carry a signed capability passport that expires with the VM, and revoke atomically on migration. The warden mediates every capability check; no ambient authority survives a session.
Agent loops (plan -> tool-call -> observe -> revise) churn through
hundreds of short-lived sessions per day. Containers share a kernel
and leak authority through namespaces. MicroVMs close the gap but
introduce a new risk: a snapshot is a frozen authority. If a resumed
sprite reuses the authority granted to its predecessor, snapshot speed
buys you a security regression.
sprite-warden binds the capability passport into the snapshot, ties
its lifetime to the VM lifecycle, and revokes atomically on migration.
Measured on a deterministic stub driver under fake-clock seeds. See paper.md for methodology.
| Workload | Result |
|---|---|
| Spawn latency p99, cold | 91.7 ms |
| Spawn latency p99, snapshot-resume | 14.4 ms (6.4x reduction) |
| Capability leak, 50,000 checks | 0 |
| Migration downtime p95 | 156.4 ms |
| Revocation overhead (mean) | 49.4 ms |
| Window-open failures, 1,000 migrations | 0 |
Reproduce:
go run ./experiments/cmd/run -sessions 1000 -seeds 5 -migrations 200 \
-leak-sessions 1000 -leak-ops 50import (
"time"
"github.com/andreahlert/sprite-warden/passport"
"github.com/andreahlert/sprite-warden/sprite"
"github.com/andreahlert/sprite-warden/warden"
)
w := warden.New(warden.Config{
Signer: passport.NewSigner([]byte("rotate-me")),
Driver: sprite.NewStubDriver(sprite.RealClock()),
MaxAge: 90 * time.Second,
})
sess, err := w.Spawn(
[]string{"net://api.anthropic.com", "fs:rw:/work"},
60*time.Second,
)
if err != nil { panic(err) }
defer w.Destroy(sess)
// Every cross-VM operation goes through the warden.
if err := w.Check(sess, "net://api.anthropic.com"); err != nil {
// denied, expired, or revoked
}go run ./cmd/warden demo
go run ./cmd/warden spawn -caps net://api,fs:rw:/work -ttl 60s
go run ./cmd/warden check -session <vmid> -cap net://api
go run ./cmd/warden destroy -session <vmid>
go run ./cmd/warden audit -suspicious 1saudit queries the otel recorder. suspicious flags revoked-passport
attempts and denied-then-granted retries inside a window.
passport/ HMAC-signed capability bundle, bound to VM identity
sprite/ microVM lifecycle interface + stub driver + fake clock
warden/ orchestrator: spawn, destroy, check, revoke
fleet/ multi-host: ownership, gossip propagation, fenced migration
otel/ capability-use recorder with session/cap/suspicious queries
experiments/ spawn latency, authority leak, migration downtime
cmd/warden/ CLI front-end
paper.md measured findings + design discussion
Passport binding. Signature commits to VM identity. A passport presented from a different VM is rejected at verify, not at check.
Two-phase migration commit. Destination mints successor passport. Source revokes predecessor. The volume rebinds only after the revocation is visible fleet-wide, not just published. The extra round-trip closes a window where a parallel resume could win against an in-flight revocation.
No ambient authority. Inside a sprite, all cross-VM operations route through the warden. The warden checks revocation, signature, expiry, and capability match in that order.
Builds on two prior attic projects:
- cordon capability tokens at the process layer. Passports here are a VM-lifecycle-bound extension.
- belltower gossip and CRDT primitives reused for fleet state distribution.
Apache-2.0.