Description
Two complementary April 2026 papers propose principled credential delegation architectures where agents never receive secrets — they only propose operations, and a trusted broker/custodian executes them with scoped, single-use authority.
CapSeal (arXiv:2604.16762) — capability-sealed secret mediation:
- Agent requests a session-bound handle for a specific policy-evaluated intent
- Local trusted broker mediates all credential-bearing actions through typed execution paths
- Broker enforces schema constraints, redacts outputs, tracks anti-replay state, and records decisions in a tamper-evident audit chain
- Agent never obtains the raw secret; only the broker executes credential-bearing HTTP/SSH calls
SUDP (arXiv:2604.24920) — Secret-Use Delegation Protocol:
- Three-role protocol: requester (agent proposes canonical operation) → user (authorizes with fresh authenticator-backed grant) → custodian (redeems grant once for bounded use)
- Reusable authority never crosses the requester boundary
- Satisfies ASU requirements: authorization is verifiable, operation-bound, and single-use
- Explicitly designed to prevent prompt-injection-driven durable account compromise
Relevance to Zeph
Zeph's current vault resolves secrets at startup, making them available as strings within the agent process boundary. Under prompt injection, an exfiltration attempt could extract the raw credential value (e.g., via a tool call or response embedding). ExfiltrationGuard and ContentSanitizer reduce but do not eliminate this risk.
The CapSeal/SUDP pattern changes the invariant: the agent process never holds a usable secret — it only sends operation proposals to the vault daemon, which executes the bounded action and returns only the response body.
Proposed Zeph implementation path:
- Extend `VaultBackend` with a `propose_operation(intent, params) → result` RPC (not `get(key) → secret`)
- Vault daemon validates intent against a policy whitelist (similar to CapSeal's schema constraints)
- All credential-bearing tool calls (API requests, SSH, webhook delivery) are routed through the vault broker
- Audit chain in vault records every credential use with turn ID, tool name, and operation hash
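A minimal working sketch of the broker role described above (the "agent proposes, custodian executes" invariant and the proposed `propose_operation` RPC with policy whitelist, single-use grant and hash-chained audit), written here as an added Python example that is not Zeph's code nor either paper's reference implementation; the `VaultBroker` class, the `digest` helper and the injected `executor` callable (standing in for the real HTTP/SSH path) are all assumptions of this sketch.

```python
import hashlib, json, secrets

def digest(obj):
    """Canonical JSON -> SHA-256 hex; used for operation hashes and the audit chain."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class VaultBroker:
    """Broker/custodian: holds secrets, whitelists intents, redeems single-use grants."""
    def __init__(self, secret_store, policy, executor):
        self._secrets = secret_store  # name -> raw value; never returned to the caller
        self._policy = policy         # intent -> {"secret": name, "allow": {param: {values}}}
        self._execute = executor      # performs the credential-bearing call (hypothetical)
        self._grants = {}             # grant_id -> operation hash, deleted on first redemption
        self.audit = []               # hash-chained decision records

    def authorize(self, intent, params):
        """User role: policy check, then mint a fresh grant bound to one canonical operation."""
        if intent not in self._policy:
            raise PermissionError(f"intent not whitelisted: {intent}")
        for key, allowed in self._policy[intent]["allow"].items():
            if params.get(key) not in allowed:
                raise PermissionError(f"{key}={params.get(key)!r} not allowed for {intent}")
        grant_id = secrets.token_hex(16)
        self._grants[grant_id] = digest({"intent": intent, "params": params})
        return grant_id

    def propose_operation(self, grant_id, intent, params, turn_id, tool):
        """Requester role: redeem the grant exactly once; get back only the response body."""
        h = digest({"intent": intent, "params": params})
        if self._grants.pop(grant_id, None) != h:  # missing, already used, or bound elsewhere
            self._record(turn_id, tool, h, "rejected")
            raise PermissionError("grant missing, already redeemed, or bound to another operation")
        secret = self._secrets[self._policy[intent]["secret"]]
        body = self._execute(intent, params, secret)
        self._record(turn_id, tool, h, "executed")
        return body.replace(secret, "[REDACTED]")  # output redaction, as CapSeal's broker does
    def _record(self, turn_id, tool, h, decision):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"turn": turn_id, "tool": tool, "op": h, "decision": decision, "prev": prev}
        self.audit.append({**entry, "hash": digest(entry)})

    def verify_audit(self):
        """Recompute the chain; an edited, reordered or dropped record breaks it."""
        prev = "0" * 64
        for rec in self.audit:
            entry = {k: v for k, v in rec.items() if k != "hash"}
            if entry["prev"] != prev or rec["hash"] != digest(entry):
                return False
            prev = rec["hash"]
        return True
```

Note that a grant presented with different parameters is consumed and logged as rejected rather than left redeemable, so a mismatch attempt also shows up in the audit chain.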
Expected Benefit
- Prompt injection + exfiltration attack surface reduced to zero for vault-managed credentials
- Tamper-evident audit trail for every secret use (maps naturally onto the existing `zeph-tools` audit log)
- Compatible with existing age vault architecture — the vault daemon already persists keys, only the access pattern changes
References