Files

Christian Nennemann 5ec7410b89 feat: proposal intake pipeline with AI-powered generation on /proposals/new

Add full proposal system: DB schema (proposals + proposal_gaps tables),
CLI `ietf intake` command, and web UI with Quick Generate on /proposals/new.
The new page merges AI intake (paste URL/text → Haiku generates multiple
proposals auto-linked to gaps) with manual form entry. Generated proposals
are clickable cards that fill the editor below for refinement.

Uses claude_model_cheap (Haiku) for cost-efficient web intake. Includes
CaML-inspired draft proposals from arXiv:2503.18813 analysis.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-09 03:15:11 +01:00

3.9 KiB

Raw Blame History

title, source_paper, source_authors, date, status

title	source_paper	source_authors	date	status
CaML-Inspired IETF Draft Proposals	Defeating Prompt Injections by Design (arXiv:2503.18813)	Debenedetti, Shumailov, Fan, Hayes, Carlini, Fabian, Kern, Shi, Terzis, Tramèr	2026-03-09	proposal

CaML-Inspired IETF Draft Proposals

Six IETF Internet-Draft proposals derived from Defeating Prompt Injections by Design (Google DeepMind / ETH Zurich, 2025), cross-referenced with the 12 identified gaps in the IETF AI agent standards landscape.

Source Paper: CaML (CApabilities for MachinE Learning)

CaML proposes a capability-based security layer around LLM agents that defeats prompt injection attacks by design, not through model training. Key concepts:

Privileged/Quarantined LLM separation: planning (trusted) vs. data processing (untrusted)
Capability tags: every data value carries provenance (source) and access control (allowed readers)
Security policies: Python-expressible per-tool policies checked before execution
Data flow graph: tracks dependencies between all variables across tool calls
Control flow integrity: prevents untrusted data from influencing execution plans
Evaluated on AgentDojo: 77% task success with provable security (vs. 84% undefended)

Draft Overview

#	Draft Name	Status	Primary Gaps	CaML Section
1	Capability-Based Security Policies	outline	#86, #89, #93	§5.2, §5.3
2	Control/Data Flow Integrity	outline	#85, #88, #89	§2, §5.4, §6.4
3	Data Provenance Tracking Protocol	outline	#84, #88, #93	§5.3, §5.4
4	Security Policy Federation	outline	#83, #87, #90	§5.2, §9.1
5	Privileged/Quarantined Execution Model	outline	#89, #92, #94	§5.1
6	Side-Channel Mitigation Framework	outline	#89, #93	§7

Dependency Graph

Draft 5 (Execution Model)
  └─► Draft 1 (Capabilities)     ◄── foundational
        ├─► Draft 2 (Flow Integrity)
        ├─► Draft 3 (Provenance)
        └─► Draft 4 (Policy Federation)
              └─► Draft 6 (Side Channels)  ◄── BCP document

Reading order: 5 → 1 → 2/3 (parallel) → 4 → 6

Gap Coverage Matrix

Gap	Topic	Drafts
#83	Cross-org AI agent liability	4
#84	Real-time explainability	3
#85	Emergency shutdown coordination	2
#86	Resource consumption governance	1
#87	Cross-domain identity federation	4
#88	Decision audit trail interop	2, 3
#89	Adversarial agent detection	1, 2, 5, 6
#90	Capability negotiation protocols	4
#91	Decentralized model version control	—
#92	Ethical decision conflict resolution	5 (partial)
#93	Privacy-preserving A2A communication	1, 3, 6
#94	Behavioral specification languages	5

Relationship to Existing Work

These drafts build on (not compete with) existing IETF work:

WIMSE (Workload Identity in Multi-System Environments): identity + security context propagation → our capabilities extend this with data-level provenance
ECT (Execution Context Tokens): DAG-linked audit records → our provenance tracking is complementary
MCP (Model Context Protocol): tool interface standard → our security policies wrap around MCP tool calls
A2A (Agent-to-Agent): agent communication → our flow integrity applies to A2A message exchanges
GNAP/OAuth: authorization → our policy federation extends authz to data-flow-aware decisions

Iteration Tracking

Date	Change	Author
2026-03-09	Initial outlines for all 6 drafts	—

3.9 KiB Raw Blame History