Toward Zero-Copy OCI Layers
How Kalahari turns OCI image layers into page-aligned EROFS images, hands them to the guest as virtio-pmem with DAX, and lets overlayfs do the stacking.
filesystems oci virtualization erofs kalahari
blog
Technical writing on AI agent security, capability-based authorization, and the infrastructure gap between identity, orchestration, and choreography.
Two Kernel Bugs on the Way to Zero-Copy OCI Layers
A DAX altmap kernel paging fault in fs/dax and a 7-year-old ESTALE bug in overlayfs copy-up: two upstream Linux bugs surfaced while building Kalahari.
linux kernel dax overlayfs erofs virtio-pmem kalahari
A Kernel Config You Can Read in One Sitting
How Kalahari's guest kernel boots in milliseconds: starting from allnoconfig and turning on only the devices the microVM's VMM actually exposes.
kalahari linux virtualization developer-tools
Introducing Kalahari: MicroVM Isolation for Agent Code
Kalahari is an agent sandbox SDK that runs OCI images in a microVM on Linux (KVM) and macOS (Hypervisor.framework), with no remote service required.
kalahari release developer-tools virtualization security
Compatibility Layers Should Be Thin, Not Fake
How Kalahari maps common ComputeSDK, E2B-style, and Daytona-style process and filesystem workflows onto one native sandbox lifecycle.
kalahari developer-tools typescript infrastructure
How Kalahari Branches VM Memory on macOS with Mach Memory Entries
Why Kalahari uses Mach memory entries, mach_vm_map(copy=TRUE), Mach IPC port descriptors, and registered-port bootstrap to make VM branching portable.
virtualization rust macos mach
Network Policy Belongs in the VM Device Model
How Kalahari turns sandbox network options into VM device state through usernet, packet policy, packet leases, and scoped wake tokens.
networking security virtualization kalahari
Vsock Doesn't Survive Snapshots. A Shared-Memory Ring Does.
Why Kalahari's host-guest IPC is an SPSC ring buffer over shared memory instead of vsock, and what Firecracker and SmolVM say about where vsock state lives.
kalahari rust virtualization developer-tools
Process Handles Are Scheduler Contracts
How Kalahari keeps process handles, PTYs, callbacks, and zygote boundaries coherent across parked VM runs.
kalahari rust virtualization developer-tools
Making Invalid VM State Unrepresentable
How Kalahari narrows snapshot and restore correctness with typed topology, queue counts, memory geometry, VM state views, and architecture-specific exits.
rust virtualization systems kalahari
Virtio Bugs Are Ownership Bugs
How Kalahari's virtio layer turns descriptor ownership into completion tokens, queue brands, deferred writable regions, and exact used-ring lengths.
rust virtualization security systems
A VM Snapshot Is a Quiescence Protocol
Why zygote-style VM spawning is less about copying memory and more about establishing that every device, backend, and guest channel is quiet enough to freeze.
infrastructure virtualization rust kalahari
Introducing amla-sandbox: Secure Code Execution for AI Agents
A secure execution environment that lets AI agents write and run code safely—with 98% fewer tokens than tool-call loops.
release agents security python open-source
ForcedLeak: What Salesforce's Agentforce Vulnerability Reveals About Agent Security
Salesforce patched a critical prompt injection vulnerability in Agentforce. The attack chain reveals why input filtering alone can't secure agentic AI—and what actually works.
security prompt-injection salesforce agents confused-deputy capabilities
LangGrinch: A Bug in the Library, A Lesson for the Architecture
A critical CVE in LangChain shows why credential isolation matters more than perfect code.
security langchain cve credentials architecture
Why NHI Can't Secure Agentic AI: The Confused Deputy Returns
Non-Human Identity (NHI) is necessary hygiene, but it can't solve the authority-flow problems in multi-agent systems. The right unit is the transaction, and the right primitive is capability-based authorization.
security identity authorization capabilities nhi architecture
79% of Organizations Have No Guardrails for AI Agents
Akto surveyed 100+ CISOs and security leaders. The findings: agents are in production, but inventory, governance, and runtime controls are missing. The gap is now measurable.
market research security governance mcp
Agents Need Kernels, Not Guardrails
OS history solved process isolation structurally, not behaviorally. Agents need the same treatment: a kernel that controls what they can see and do.
architecture security kernel isolation
MCP Security: Why Guardrails Aren't Enough
A new paper proposes defense-in-depth for MCP security. The diagnosis is right, but policy enforcement can't solve what structural isolation must.
security mcp capabilities architecture research
Why Microsoft Copilot's Audit Log Failure Was Inevitable
The Copilot vulnerability that allowed silent file access exposes a structural flaw: ambient authority plus bolt-on audit logging. Capability chains make that class of bug impossible.
security ai-agents microsoft capability-security confused-deputy
Your Agent's Memory Is a Security Hole
Default agent memory patterns leak unless you enforce scoping at the runtime boundary. The problem isn't implementation bugs—it's architectural.
memory security architecture enterprise
IAM Locked Cloudflare Out. It'll Lock Your Agents Out Too.
Cloudflare's December 2025 resilience report reveals what every zero-trust org learns: your security stack becomes the outage when the platform is on fire.
security iam availability cloudflare incidents
When OAuth Becomes a Weapon: Lessons from CVE-2025-6514
A critical vulnerability in mcp-remote affected 558,846 downloads. The bug was client-side, but the attack exploited OAuth dynamic discovery—a trust assumption that breaks for autonomous agents.
security oauth mcp vulnerability analysis
Stop Hardcoding API Keys in Your Agents
API keys in prompts, env vars, or code turn agents into confused deputies. Here is the safer pattern.
security agents authorization best-practices
Agents That Can Actually Do Things
Enterprise agents that demo autonomous refunds ship with 'click to approve' buttons. Here's why—and what changes when authorization is solved.
agents authorization enterprise security trust
Capabilities 101: The Security Primitive That Changes Everything
What capabilities are, how they differ from ACLs, and why they matter for AI agent security—but also why capabilities alone aren't enough.
security capabilities authorization technical fundamentals
The Confused Deputy Problem, Explained
A 1988 security paper predicted why AI agents are vulnerable. The standard fix is incomplete.
security confused-deputy capabilities authorization technical
GitHub's Agentic Security: Right Problem, Incomplete Solution
GitHub's security principles minimize autonomy to minimize risk. But what if you could maximize autonomy within cryptographic bounds?
github security copilot agents authorization
Context Engineering for Agent Trust
Everyone's optimizing what agents know. Nobody's solving what agents are permitted to do. The context engineering revolution is incomplete without trust.
context-engineering security authorization multi-agent architecture
Researchers Broke Every Major Agent Defense. Here's What Failed.
AgentVigil achieved 70%+ attack success rates against o3-mini and GPT-4o agents—with all defenses active. Linguistic defenses are necessary but insufficient.
research security attacks validation prompt-injection
MCP Standardizes Tools. It Doesn't Secure Them.
The Model Context Protocol solves agent-to-tool communication. But who authorized the agent to use that tool, with what constraints, for which transaction?
mcp security tools anthropic infrastructure
LangChain State of Agent Engineering: Security Is Now a Top Barrier
1,340 practitioners surveyed. 57% have agents in production. Security ranks as the #1 concern for large enterprises. What this means for agent infrastructure.
market research langchain security production
Proof of Continuity for Compliance: EU AI Act, SOC2, and Beyond
How capability-based authorization maps to regulatory requirements—and what auditors actually need to see.
compliance eu-ai-act soc2 regulations
5 Ways Your AI Agents Will Get Hacked
A threat taxonomy for multi-agent systems—and where traditional security controls struggle.
security threats attacks taxonomy
Why We're Demoing Agent Security with Insurance Claims
Insurance isn't just a convenient example—it's a perfect example. It exposes exactly why existing security models break.
insurance demo use-case proof-of-continuity
Cross-Organizational Agent Trust in 30 Seconds
How a referral agent proves authorization without sharing credentials—and why OAuth can't do this.
healthcare cross-org interoperability use-case
What the Definitive Book on AI Agent Security Gets Right—and What It Leaves Open
Springer just published the most comprehensive treatment of agentic AI security. It validates the problem. It acknowledges the gap. It does not fill the gap.
security architecture analysis industry
Proof of Continuity: Why Token Theft Becomes Useless
Traditional security asks what you possess. Capability security asks who you are in the transaction.
security cryptography proof-of-continuity technical
Why Multi-Agent Security Isn't Optional: What Google and MIT Found
New research quantifies the chaos: uncoordinated agents amplify errors 17x. The question is who builds the guardrails.
research multi-agent security validation
The Missing Layer: Authorization After Identity
Identity providers solve 'who is this agent?' Orchestration platforms solve 'what should this agent do?' But what solves 'what can this agent actually do right now, in this transaction?'
security architecture identity authorization
a16z Calls 'Know Your Agent' a Big Idea for 2026. Here's Why.
When the architect of a $150B stablecoin calls for cryptographic agent credentials, the market is sending a signal.
market validation a16z infrastructure
OpenAI's Agent Playbook Has a Security-Shaped Hole
The #1 AI lab just told enterprises how to build agents. They forgot to explain how to secure them.
security openai agents analysis