research(security): OAP declarative pre-action authorization — 0% social engineering success, 53ms latency (arXiv:2603.20953) #2406

@bug-ops

Description

Source

arXiv:2603.20953 — "Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents" (submitted March 21, 2026)

Key Contribution

Open Agent Passport (OAP): a declarative policy engine that intercepts tool calls synchronously before execution, evaluates them against capability-scoped policies, and emits cryptographically signed audit records. In adversarial testing, social engineering succeeded 74.6% of the time without OAP and 0% across 879 attempts with OAP. Median enforcement latency: 53ms.

Relevance to Zeph

zeph-tools — complements the existing ToolAudit layer (AEGIS) with a declarative pre-execution authorization gate. The OAP spec maps to a policy file in ToolExecutor, enabling per-tool capability scoping (e.g., disallow shell from writing outside project root). Orthogonal to AEGIS (#2305, pattern scanning) and VIGIL (#2306, verify-before-commit for web agents).

Implementation Sketch

  • Add [tools.authorization] config section with per-tool capability declarations
  • FirewallVerifier extended to evaluate policy rules before tool dispatch in ToolExecutor::execute()
  • Signed audit records: extend ToolAudit log entries with policy match result
  • 53ms enforcement latency is acceptable for interactive agent use
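The gate the sketch above describes, as an added illustration in Rust (not Zeph's code and not the paper's reference implementation). It assumes a minimal rule schema of its own (`Capability`, `Action`, `Policy`), confines writes by lexically normalising the target path against the granted root, and leaves the signing of the emitted `AuditRecord` to the existing audit layer.

```rust
use std::path::{Component, Path, PathBuf};

/// Capability a [tools.authorization] rule can grant to a tool (assumed schema).
#[derive(Debug, Clone, PartialEq)]
pub enum Capability { ReadFs, WriteFs { root: PathBuf }, Network }

/// What an intercepted tool call is about to do.
#[derive(Debug)]
pub enum Action { Read, Write(PathBuf), Net }

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny(&'static str) }

/// Emitted for every intercepted call; the audit layer would sign this before storing it.
#[derive(Debug)]
pub struct AuditRecord { pub tool: String, pub action: String, pub decision: Decision }

pub struct Policy { pub rules: Vec<(String, Vec<Capability>)> }

/// Lexical normalisation so "/proj/../etc" cannot escape a granted root through "..".
fn normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::ParentDir => { out.pop(); }
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

impl Policy {
    /// Deterministic pre-action check: default deny, only an explicit rule can allow.
    pub fn authorize(&self, tool: &str, action: &Action) -> AuditRecord {
        let caps = self.rules.iter().find(|(t, _)| t == tool).map(|(_, c)| c.as_slice()).unwrap_or(&[]);
        let decision = match action {
            Action::Read if caps.contains(&Capability::ReadFs) => Decision::Allow,
            Action::Net if caps.contains(&Capability::Network) => Decision::Allow,
            Action::Write(target) => {
                let target = normalize(target);
                let mut roots = caps.iter().filter_map(|c| match c {
                    Capability::WriteFs { root } => Some(normalize(root)), _ => None }).peekable();
                if roots.peek().is_none() { Decision::Deny("no write capability") }
                else if roots.any(|r| target.starts_with(&r)) { Decision::Allow }
                else { Decision::Deny("write outside granted root") }
            }
            _ => Decision::Deny("capability not granted"),
        };
        AuditRecord { tool: tool.to_string(), action: format!("{action:?}"), decision }
    }
}

/// Constructed sample policy: the shell tool may read anywhere and write only under /proj.
pub fn sample_policy() -> Policy {
    Policy { rules: vec![("shell".into(), vec![Capability::ReadFs, Capability::WriteFs { root: "/proj".into() }])] }
}
```

Tools with no rule at all fall through to a deny, so adding a tool without a policy entry can never widen what the agent may do.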

Priority Assessment

P3 (research) — OAP's deterministic zero-FPR approach is a strong complement to existing pattern-scanning AEGIS. Consider implementing when audit/authorization coverage is next prioritized.

Metadata

Labels: P3 (Research — medium-high complexity), research (Research-driven improvement)