Agentic Action Runtime Pack

What this is. SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. This pack turns that context into a runtime action gate: before an agent writes a branch, changes scope, delegates to another agent, writes memory, installs a skill, deploys to production, or touches irreversible systems, the host can ask for a deterministic allow, hold, deny, or kill decision.

The product bet

The next reviewer question is not “do you have agent security docs?” It is:

Can you stop an autonomous action before it becomes an incident?

The Agentic Action Runtime Pack is the answer. It binds six pieces of evidence before action:

  1. Context - the source package and trust state the agent used.
  2. Policy - the workflow, MCP gateway, authorization, egress, handoff, memory, and skill boundaries.
  3. Intent - the declared action class and purpose for this run.
  4. Behavior - runtime indicators, telemetry, changed paths, data classes, and high-impact flags.
  5. Identity - the delegated non-human identity and owner.
  6. Receipt - the run receipt, approval, risk acceptance, and correlation id needed to reconstruct the decision.

That is the trusted-source control point. The open site creates trust and distribution; the production MCP server can become the hosted action firewall that enterprises put in front of agent hosts.

What was added

  • data/assurance/agentic-action-runtime-profile.json - source contract for action classes, required evidence, standards alignment, runtime policy, and trusted-source path.
  • data/evidence/agentic-action-runtime-pack.json - generated action runtime pack for MCP clients, CI drift checks, and reviewer diligence.
  • recipes_agentic_action_runtime_pack - MCP lookup by action class, workflow, risk tier, or decision.

Evaluate a bounded repository write:

Evaluate a secret-bearing action:

What is inside

Section Purpose
action_runtime_summary Action class count, workflow coverage, decision-floor distribution, high-impact action count, evidence source count, and failure count.
action_contract Default fail-closed state, required runtime fields, required evidence sources, and decision ladder.
action_classes Runtime action classes for branch writes, production deploys, identity and scope changes, secrets, egress, remote agent delegation, memory writes, skills, registry quarantine, and irreversible transactions.
workflow_action_matrix Per-workflow action envelopes derived from the workflow manifest and MCP namespace coverage.
runtime_policy Approval requirements, kill indicators, and the evidence gate agents must satisfy before the action is trusted.
tabletop_cases Ready-made allow, hold, deny, and kill cases for platform testing.
source_artifacts Hashes and paths for the evidence packs used to build the runtime action model.

MCP examples

Get the executive summary and workflow matrix:

{}

Inspect an action class:

{
  "action_class_id": "production_deployment"
}

Inspect the action envelope for one workflow:

{
  "workflow_id": "artifact-cache-quarantine"
}

Find critical action classes:

{
  "risk_tier": "critical"
}

Evaluate one runtime action:

{
  "workflow_id": "vulnerable-dependency-remediation",
  "action_class": "repo_branch_write",
  "run_id": "run-123",
  "agent_id": "sr-agent::vulnerable-dependency-remediation::codex",
  "identity_id": "sr-agent::vulnerable-dependency-remediation::codex",
  "tenant_id": "tenant-a",
  "correlation_id": "corr-123",
  "intent_summary": "Patch package manifests on a scoped branch.",
  "policy_pack_hash": "sha256:policy",
  "authorization_decision": "allow_authorized_mcp_request",
  "receipt_id": "receipt-123"
}

Why it is review-ready

Documentation sites are useful. Runtime action control is a product.

For a trusted-source outcome, SecurityRecipes needs a path from open knowledge to a production control plane that frontier labs, AI coding platforms, and cloud security vendors could integrate. This pack is that path:

  • hosted action firewall APIs for agent hosts and MCP gateways,
  • signed action receipts,
  • customer policy adapters,
  • approval and risk-acceptance validation,
  • SIEM/SOAR export,
  • high-impact action inventory,
  • runtime drift detection,
  • reviewer-ready evidence for autonomous action governance.

It also makes AI easier. Security teams do not need to write bespoke agent policy from scratch; they can start from a concrete action envelope and tune the thresholds.

Industry alignment

The pack is anchored in current primary guidance:

See also