⚡ Agentic Intent Guardrails (PIC)

Cryptographic Provenance ensuring structural defense at the Edge.

Goal: Prevent Confused Deputy Attacks. When an AI agent is compromised, it traditionally executes attacks using the "ambient authority" of the user account.

The PIC Protocol Solution: The Causal Authority Transition (CAT) engine issues a derived authority mathematical state (PCA_1). If the compromised agent attempts an action outside of what the user explicitly derived for that specific task, the durable object aborts the transaction at the network edge due to subsetting laws (ops_1 ⊆ ops_0).
1

Origin Issuance (Human User)

Simulate Alice logging into the system. The Federation Bridge issues her PCA_0 with absolute authority over her account: [read:files, write:files].

✓ Origin Principal Established
Durable Object CAT State (PCA_0)
2

Agent Delegation (Monotonicity)

Alice orchestrates an AI Text Summarizer. The summarizer only needs to read files. The CAT engine cryptographically delegates PCA_1 with only [read:files].

✓ PCA_1 Derived (Strict Subset Enforced)
Durable Object CAT State (PCA_1)
3

Valid Execution (Agent reads file)

The AI Agent requests to execute a read:files operation utilizing its PCA_1 claim.

✓ Execution Permitted
CAT Execution Log
4

Prompt Injection Attack

A malicious prompt instructs the AI Agent to overwrite a system file (write:files). Although Alice (the origin) has write permissions, PCA_1 does not. Watch the CAT engine reject the Confused Deputy attack.

✗ Structural Attack Terminated
CAT Defense Rejection Log
Goal: Expose Traditional Architectures. Legacy Bearer Tokens rely entirely on Proof of Possession (PoP).

The Vulnerability: PoP systems fail to model cryptographic relationships across network hops. If an ambient authority token is stolen or leaked from a cache, a malicious actor can unilaterally execute actions because the backend cannot mathematically differentiate the true "Executor" from the "Attacker".
1

Legacy Token Issuance

Simulate logging into a traditional system. You are issued an ambient authority Bearer Token (PoP).

✓ Legacy Bearer Token Minted
Bearer Token State
2

Attacker Interception

An attacker intercepts your Bearer Token over the network or steals it from your device cache.

✗ Token Compromised!
3

Replay Attack (No Relationship Check)

The attacker replays the token from their own device. Because traditional PoP systems do not assert a Proof of Relationship to the true executing hop, the system blindly trusts the intercepted artifact.

✗ Structural Failure: Ambient Authority Granted to Attacker!
Legacy Backend Validation Log
Goal: Enforce Unbreakable Continuity. The PIC protocol introduces the Proof of Continuity (PoC).

The Solution: The Causal Authority is cryptographically bound to the Executor's hardware enclave keys (Executor Attestation). If an artifact is stolen, the attacker cannot fulfill the PIC Causal Challenge (PCC) because they lack the physical hardware keys required to sign the continuity proof.
1

Causal Origin Issuance

Alice establishes her PCA_0 and delegates PCA_1 to her Executor. In a true PIC ecosystem, this PCA is cryptographically bound to the Executor's local hardware enclave keys.

✓ PCA_1 Derived and Bound (Continuity Established)
Durable Object CAT State
2

Attacker Interception

An attacker intercepts the PCA_1 artifact and attempts to replay it from an unauthorized device.

✗ PCA_1 Compromised!
3

Replay Attack (PIC Defended)

The attacker replays PCA_1. The CAT Engine challenges the caller for a Proof of Continuity (PoC). Because the attacker lacks the original hardware enclave keys, they cannot mathematically satisfy the PIC Causal Challenge (PCC).

✓ Structural Defense: Challenge Failed, Execution Dropped!
CAT Defense Rejection Log