I came to the same realization a while ago and started building an agent runtime designed to ensure all (I/O) effects are capability bound and validated by policies, while also allowing the agent to modify itself.
Thanks! Just looked at Agent OS. Love the 'Signed Receipts' concept in your AIR spec.
We reached the same conclusion on the 'Ambient Authority' problem, but I attacked it from the other end of the stack.
Tenuo is just the authorization primitive (attenuating warrants + verification), not the full runtime. The idea is you plug it into whatever runtime you're already using (LangChain, LangGraph, your own).
I'm currently in stealth-ish/private alpha, but the architecture is designed to be 'userspace' agnostic. I’d love to see if Tenuo’s warrant logic could eventually serve as a primitive inside an Agent OS process.
I'll shoot you a note. I would love to swap notes on the 'Capabilities vs. Guardrails' implementation details.
I came to the same realization a while ago and started building an agent runtime designed to ensure all (I/O) effects are capability bound and validated by policies, while also allowing the agent to modify itself.
https://github.com/smartcomputer-ai/agent-os/