Connection to sentinel rfc

Marty McEnroe edited this page May 22, 2026 · 1 revision

Connection to sentinel-rfc

sentinel-rfc is an active applied-research program in the author's portfolio proposing agent-context permission bits as an architectural alternative to "agent inherits user permissions" — a model that creates excessive blast radius for autonomous AI agents acting on a user's behalf.

This wiki page is brief by design — sentinel-rfc lives in its own work — but Clio is a useful illustration of the principle in a much simpler domain, and so it is referenced here.

The principle

A piece of software that acts on the user's behalf should derive its trustworthiness from architectural constraints on what it can do, not from runtime policy alone.

Concretely:

  • Runtime trust says: the program can do many things but promises not to. The promise is checked at runtime by policy code that lives inside the program.
  • Architectural trust says: the program cannot do most things, because the surrounding environment denies the capability. Promises become irrelevant where capabilities never existed.

For autonomous agents — and increasingly for any program running in environments shared with sensitive data — architectural trust is the more robust posture. Runtime trust is brittle: a single new code path, a single new dependency, can erode it silently.

How Clio embodies this

Clio is a Chrome extension, not an autonomous agent. But the architectural-trust pattern applies at extension scale:

  • The manifest is the capability declaration. Anything not declared is denied by Chrome.
  • The strict-local privacy claim does not depend on Clio's code "not calling fetch to a server." It depends on Chrome refusing the call because no host permission permits it.
  • The minimal-permission posture is the same defense as bit-narrow agent capabilities: do less, even at the cost of some convenience.
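The "manifest is the capability declaration" point can be checked mechanically. The following is an added example, not code from Clio or sentinel-rfc: a static audit of a Manifest V3 manifest against a strict-local claim. The function name, the finding labels, the watch list of sensitive APIs, and both sample manifests are assumptions made for this example, and the CSP connect-src check is an extra condition the example adds on top of the host-permission check described above.

```javascript
// Added example: static check of a Manifest V3 manifest against a "strict-local" claim.
// Both sample manifests below are constructed, not Clio's real manifest.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Assumed watch list for this example; adjust to your own review policy.
const SENSITIVE_APIS = new Set(["tabs", "cookies", "history", "webRequest", "debugger", "nativeMessaging"]);

function auditStrictLocal(manifest) {
  const findings = [];
  // Every host pattern is a declared capability: API hosts and content-script targets alike.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const h of hosts) findings.push((BROAD_HOSTS.has(h) ? "broad-host:" : "host:") + h);

  const apis = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of apis) if (SENSITIVE_APIS.has(p)) findings.push("sensitive-api:" + p);

  // Without host permissions, cross-origin fetch from extension pages is still governed
  // by ordinary CORS, so also require a CSP that limits connections to 'self' or 'none'.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  const connect = directives.get("connect-src") || directives.get("default-src");
  if (!connect) findings.push("csp:connect-src-unrestricted");
  else for (const s of connect) {
    if (s !== "'self'" && s !== "'none'") findings.push("csp:connect-src-allows:" + s);
  }
  return findings;
}

// Constructed sample: minimal capabilities, network locked down by CSP.
const minimalManifest = {
  manifest_version: 3, name: "constructed-minimal", version: "1.0",
  permissions: ["storage"],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'; connect-src 'none'" },
};
// Constructed sample: the broad-permission default the page argues against.
const broadManifest = {
  manifest_version: 3, name: "constructed-broad", version: "1.0",
  permissions: ["storage", "tabs", "cookies"],
  host_permissions: ["<all_urls>", "https://api.example.com/*"],
};
console.log(auditStrictLocal(minimalManifest), auditStrictLocal(broadManifest));
```

An empty findings list means the manifest declares no host access, none of the watched APIs, and a CSP that keeps extension-page connections local; running this in CI turns the privacy claim into a check that fails when a new permission is added.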

Why this is worth saying out loud

Most extensions, and most agents, default to broad permission requests because broad permissions are operationally easier. The cost is paid by users in the form of larger trusted computing bases. The same dynamic that drives User Data Sovereignty motivates this section: defaults are not neutral.

Related

  • Privacy Architecture — the structural defenses
  • Defense in Depth — concrete walkthrough of how Clio's manifest implements minimal capabilities
  • Author's broader research portfolio: AssemblyZero, Hermes, Aletheia, Chiron, and sentinel-rfc
