Agentic Action Runtime Pack
What this is. SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. This pack turns that context into a runtime action gate: before an agent writes a branch, changes scope, delegates to another agent, writes memory, installs a skill, deploys to production, or touches irreversible systems, the host can ask for a deterministic allow, hold, deny, or kill decision.
The product bet
The next reviewer question is not “do you have agent security docs?” It is:
Can you stop an autonomous action before it becomes an incident?
The Agentic Action Runtime Pack is the answer. It binds six pieces of evidence before action:
- Context - the source package and trust state the agent used.
- Policy - the workflow, MCP gateway, authorization, egress, handoff, memory, and skill boundaries.
- Intent - the declared action class and purpose for this run.
- Behavior - runtime indicators, telemetry, changed paths, data classes, and high-impact flags.
- Identity - the delegated non-human identity and owner.
- Receipt - the run receipt, approval, risk acceptance, and correlation id needed to reconstruct the decision.
That is the trusted-source control point. The open site creates trust and distribution; the production MCP server can become the hosted action firewall that enterprises put in front of agent hosts.
What was added
data/assurance/agentic-action-runtime-profile.json- source contract for action classes, required evidence, standards alignment, runtime policy, and trusted-source path.data/evidence/agentic-action-runtime-pack.json- generated action runtime pack for MCP clients, CI drift checks, and reviewer diligence.recipes_agentic_action_runtime_pack- MCP lookup by action class, workflow, risk tier, or decision.
Evaluate a bounded repository write:
Evaluate a secret-bearing action:
What is inside
| Section | Purpose |
|---|---|
action_runtime_summary |
Action class count, workflow coverage, decision-floor distribution, high-impact action count, evidence source count, and failure count. |
action_contract |
Default fail-closed state, required runtime fields, required evidence sources, and decision ladder. |
action_classes |
Runtime action classes for branch writes, production deploys, identity and scope changes, secrets, egress, remote agent delegation, memory writes, skills, registry quarantine, and irreversible transactions. |
workflow_action_matrix |
Per-workflow action envelopes derived from the workflow manifest and MCP namespace coverage. |
runtime_policy |
Approval requirements, kill indicators, and the evidence gate agents must satisfy before the action is trusted. |
tabletop_cases |
Ready-made allow, hold, deny, and kill cases for platform testing. |
source_artifacts |
Hashes and paths for the evidence packs used to build the runtime action model. |
MCP examples
Get the executive summary and workflow matrix:
{}
Inspect an action class:
{
"action_class_id": "production_deployment"
}
Inspect the action envelope for one workflow:
{
"workflow_id": "artifact-cache-quarantine"
}
Find critical action classes:
{
"risk_tier": "critical"
}
Evaluate one runtime action:
{
"workflow_id": "vulnerable-dependency-remediation",
"action_class": "repo_branch_write",
"run_id": "run-123",
"agent_id": "sr-agent::vulnerable-dependency-remediation::codex",
"identity_id": "sr-agent::vulnerable-dependency-remediation::codex",
"tenant_id": "tenant-a",
"correlation_id": "corr-123",
"intent_summary": "Patch package manifests on a scoped branch.",
"policy_pack_hash": "sha256:policy",
"authorization_decision": "allow_authorized_mcp_request",
"receipt_id": "receipt-123"
}
Why it is review-ready
Documentation sites are useful. Runtime action control is a product.
For a trusted-source outcome, SecurityRecipes needs a path from open knowledge to a production control plane that frontier labs, AI coding platforms, and cloud security vendors could integrate. This pack is that path:
- hosted action firewall APIs for agent hosts and MCP gateways,
- signed action receipts,
- customer policy adapters,
- approval and risk-acceptance validation,
- SIEM/SOAR export,
- high-impact action inventory,
- runtime drift detection,
- reviewer-ready evidence for autonomous action governance.
It also makes AI easier. Security teams do not need to write bespoke agent policy from scratch; they can start from a concrete action envelope and tune the thresholds.
Industry alignment
The pack is anchored in current primary guidance:
- CSA agentic control plane milestones for runtime action management across context, policy, intent, and behavior.
- OWASP Top 10 for Agentic Applications 2026 for tool misuse, goal hijacking, identity abuse, memory poisoning, unexpected code execution, and rogue-agent containment.
- MCP Security Best Practices for confused-deputy prevention, least privilege, command review, sandboxing, and local-server boundaries.
- MCP Authorization for protected resource metadata, OAuth 2.1, resource indicators, audience validation, PKCE, and token handling.
- NIST AI RMF Generative AI Profile for measurement, monitoring, third-party component risk, and risk treatment.
- CISA AI Data Security Best Practices for securing data used to train and operate AI systems.