Context Governance, CaSH & CABR
The Problem
The security industry has spent decades governing what software systems can do. Access controls, firewalls, and authorization frameworks all focus on the action surface: preventing systems from taking actions they are not permitted to take.
Autonomous agents introduce a second attack surface that existing infrastructure does not govern: the context surface. Every shell command an agent runs, every web page a browser agent loads, every tool response it receives, every file it reads: all of these flow into the agent's context window and become part of its reasoning state. Once sensitive information enters that context window, it can influence decisions, shape downstream tool calls, propagate through memory systems, and be operationalized in ways that were never authorized.
The context surface is not governed by action controls. An agent that is perfectly well-governed at the action layer (one that cannot invoke tools it is not authorized to use) can still cause significant harm through what it acquires and reasons over. A browser agent asked to "summarize this page" may expose AWS keys, database passwords, OAuth tokens, and customer PII to the language model without invoking a single unauthorized tool. A coding agent asked to "fix this bug" may recursively read environment files, cloud credentials, and deployment configurations as part of its normal task execution.
This is the ambient authority problem. The agent did not take anything. The environment gave it everything.
The Invention
This patent covers a unified context governance architecture: a new infrastructure layer that governs what autonomous agents are permitted to acquire, retain, reason over, and operationalize across all capability surfaces, before information enters the model's cognition.
The architecture introduces three novel components:
CaSH (Context-Aware Shell)
CaSH is the shell, filesystem, and execution-layer governance component. It addresses a specific bypass vector: an agent that can execute shell commands can read anything its process is permitted to read on the host (credentials, configuration files, environment variables, deployment secrets) regardless of what tool-name policies permit. Tool-name governance is bypassed the moment the agent has shell access.
CaSH intercepts context-producing operations at three layers. Shell mediation evaluates each command before execution against the agent's active behavior profile and the current session context model. FUSE-based filesystem interception governs read operations at the virtual filesystem layer, before file contents flow into agent output, for sensitive paths including credential files, cloud configuration directories, SSH keys, and environment files. eBPF-based syscall governance operates at the kernel layer and governs context acquisition regardless of how it is initiated: through the agent's tool interface, through a spawned subprocess, or through arbitrary code execution. Attached at LSM hooks, the eBPF programs can deny an operation rather than merely observe it, which gives an enforcement boundary that userspace code running at the agent's privilege level cannot bypass; the component that loads those programs must itself run in a separate, higher-privilege trust domain, because root on the same host could otherwise detach them.
The inventive insight is that context governance must operate at the execution layer, not the tool abstraction layer. The execution surface is where actual information acquisition occurs. CaSH closes the gap between tool-name policy and execution-layer reality.
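The following is an added example, not Raksha AI's code or the patent's implementation: a small policy-driven shell mediator of the kind the shell-mediation layer above describes. It resolves every path argument (including `~`, `$HOME`, and `..` relative to the working directory), labels paths against a sensitive-path table, flags commands that dump the process environment, and evaluates each simple command in a pipeline or sequence separately. The profile shape, the label names, the path table, and the assumed home directory `/home/agent` are all illustrative assumptions.

```python
"""Added example (not Raksha AI's code): a policy-driven shell mediator in the
spirit of the CaSH shell-mediation layer.  Profile shape, label names, path
table and the agent home directory are illustrative assumptions."""
import fnmatch
import os
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HOME = "/home/agent"  # assumed agent home; a real mediator takes it from the session

# Constructed sensitivity table: path glob -> label.  Paths are resolved
# (~, $HOME, cwd, ..) before matching so "cat ../../.aws/credentials" is caught.
SENSITIVE_PATHS: List[Tuple[str, str]] = [
    (f"{HOME}/.aws/*", "credential"),
    (f"{HOME}/.ssh/*", "credential"),
    (f"{HOME}/.config/gcloud/*", "credential"),
    ("/etc/shadow", "credential"),
    ("*/.env", "credential"),
    ("*/.env.*", "credential"),
    ("*/deploy/*.yaml", "deployment-config"),
]

# Commands that, run with no arguments, print the whole process environment.
ENV_DUMPERS = {"env", "printenv", "set", "export", "declare"}
SEPARATORS = {"|", "||", "&&", ";", "&"}


@dataclass
class Profile:
    name: str
    labels: set            # sensitivity labels this profile may acquire


@dataclass
class Decision:
    action: str            # "allow" or "block"
    reason: str = ""
    labels: List[str] = field(default_factory=list)  # handed to the Context Accumulator


def resolve(path: str, cwd: str) -> str:
    """Expand ~ and $HOME, then normalise the path against cwd."""
    p = path.replace("${HOME}", HOME).replace("$HOME", HOME)
    if p == "~" or p.startswith("~/"):
        p = HOME + p[1:]
    return os.path.normpath(os.path.join(cwd, p))


def classify_path(path: str, cwd: str = "/work") -> str:
    """Return the sensitivity label for a path, or "" if it is unclassified."""
    full = resolve(path, cwd)
    for pattern, label in SENSITIVE_PATHS:
        if fnmatch.fnmatch(full, pattern):
            return label
    return ""


def _inspect(argv: List[str], cwd: str) -> Dict[str, str]:
    """Labels one simple command would pull into context, each with a reason."""
    found: Dict[str, str] = {}
    if argv[0] in ENV_DUMPERS and len(argv) == 1:
        found["environment"] = f"{argv[0]} dumps the process environment"
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue
        target = arg.lstrip("<")          # "<file" input redirection is still a read
        label = classify_path(target, cwd)
        if label:
            found.setdefault(label, f"reads {resolve(target, cwd)}")
    return found


def mediate(command: str, profile: Profile, cwd: str = "/work") -> Decision:
    """Evaluate a shell command line against the profile before it executes."""
    try:
        tokens = shlex.split(command)
    except ValueError as exc:             # unterminated quote: refuse rather than guess
        return Decision("block", f"unparseable command: {exc}")
    found: Dict[str, str] = {}
    simple: List[str] = []
    for tok in tokens + [";"]:            # split pipelines/sequences into simple commands
        if tok in SEPARATORS:
            if simple:
                found.update(_inspect(simple, cwd))
            simple = []
        else:
            simple.append(tok)
    if not found:
        return Decision("allow")
    denied = sorted(set(found) - profile.labels)
    if denied:
        return Decision("block", "; ".join(found[label] for label in denied), denied)
    return Decision("allow", "labelled acquisition recorded", sorted(found))
```

The token-level split is enough to show the policy decision, but it is not a shell parser: subshells, `$(...)`, here-documents, and wrappers such as `xargs` or `sudo` all move the read out of the mediator's view. That is the gap the page's FUSE and eBPF layers exist to close, since they see the read at the filesystem or kernel boundary no matter how the command was spelled.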
CABR (Context-Aware Browser Runtime)
CABR is the browser-layer governance component. It addresses the ambient authority problem specific to web environments: browser agents inherit the full authenticated state of the browser session before any agent action takes place. Cookies, localStorage, session tokens, HTTP authorization headers, and authenticated sessions are all ambient: present in the environment before the agent does anything, and automatically accessible from the moment the browser navigates to a page.
CABR establishes a policy layer between the browser's ambient authority and what the agent is permitted to acquire. It classifies DOM content, visual captures, storage state, and authenticated session data against the agent's active behavior profile before that information enters the context window. Content classified under labels the agent's profile does not include (credentials, PII, financial data) is redacted or blocked before the model sees it.
The inventive insight is that ambient authority is not the same as granted access. Browser agents require governance at the runtime layer, before context flows, not just governance over the tools they are allowed to invoke.
Context Accumulator and Context Firewall
The Context Accumulator maintains a stateful session context model that tracks everything the agent has acquired across its session: what information came from which surface, under which policies, at what time, classified under which sensitivity labels, and subject to what retention constraints.
The Context Firewall is the final pre-inference enforcement point. It evaluates the assembled context payload against the active behavior profile's data scope constraints before it is submitted to the model, and it operates as a pre-transmission gateway for remote model API calls, providing defense-in-depth before governed content leaves the trust boundary.
The three-layer architecture (capability surface interception, context accumulation, context firewall) provides independent protection at each stage. A failure at one layer does not compromise the others.
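The following is an added example, not Raksha AI's code or the patent's implementation, serving both the CABR classification step and the Context Accumulator and Context Firewall described above. A constructed DOM snapshot of a settings page is classified and redacted against a behavior profile at the browser surface, each acquisition is recorded with its surface, turn, labels and retention, and the firewall then re-evaluates the assembled payload against whatever profile is active at inference time. The firewall also rescans the payload text, so content that reached the accumulator through an ungoverned path is still caught before transmission. The detector patterns (the AWS access-key-id shape and a bearer-token header are real formats; the others are deliberately simple), the label names, the profile shape and the retention model are all illustrative assumptions.

```python
"""Added example (not Raksha AI's code): CABR-style content classification,
a minimal Context Accumulator, and a Context Firewall that checks the assembled
payload before it is sent to a model.  Detector patterns, label names, profile
shape and retention model are illustrative assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed detectors: label -> pattern.  The AWS access-key-id shape and the
# Authorization header are real formats; the rest are deliberately simple.
DETECTORS = {
    "credential": re.compile(
        r"AKIA[0-9A-Z]{16}"                            # AWS access key id
        r"|Bearer\s+[A-Za-z0-9\-._~+/]+=*"             # bearer token in a header
        r"|(?i:password|passwd|secret)\s*[:=]\s*\S+"   # key=value style secrets
    ),
    "pii": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\b\d{3}-\d{2}-\d{4}\b"),
    "financial": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Constructed DOM text of a settings page, as a browser agent might capture it.
DOM_SNAPSHOT = (
    "Account settings\n"
    "Support contact: ops@example.com\n"
    "Deploy key: AKIAIOSFODNN7EXAMPLE\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig\n"
    "Card on file: 4111 1111 1111 1111\n"
)


@dataclass
class Profile:
    name: str
    data_scope: set        # labels this profile may acquire and be shown


@dataclass
class Record:
    surface: str           # which capability surface produced the content
    turn: int              # when it was acquired, as a session turn number
    labels: List[str]      # sensitivity labels still present after redaction
    retention: str         # "session" (kept) or "turn" (dropped after its turn)
    content: str


def classify(text: str) -> Dict[str, List[str]]:
    """Map each sensitivity label to the strings in text that carry it."""
    found: Dict[str, List[str]] = {}
    for label, pat in DETECTORS.items():
        hits = pat.findall(text)
        if hits:
            found[label] = hits
    return found


def redact(text: str, profile: Profile) -> Tuple[str, List[str], int]:
    """Strip every labelled span the profile excludes; keep what it permits."""
    removed = 0
    for label, pat in DETECTORS.items():
        if label not in profile.data_scope:
            text, n = pat.subn(f"[REDACTED:{label}]", text)
            removed += n
    return text, sorted(classify(text)), removed


class Accumulator:
    """Session context model: one Record per acquisition."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def acquire(self, surface: str, turn: int, content: str, profile: Profile,
                retention: str = "session") -> Tuple[str, int]:
        """Surface-layer gate (CABR-style): classify, redact, then record."""
        text, labels, removed = redact(content, profile)
        self.records.append(Record(surface, turn, labels, retention, text))
        return text, removed

    def live(self, turn: int) -> List[Record]:
        """Records still within their retention constraint at this turn."""
        return [r for r in self.records if r.retention == "session" or r.turn == turn]


def firewall(acc: Accumulator, profile: Profile, turn: int) -> Tuple[bool, str, List[str]]:
    """Pre-inference check of the assembled payload against the active profile."""
    violations: List[str] = []
    parts: List[str] = []
    for r in acc.live(turn):
        out = set(r.labels) - profile.data_scope
        if out:                                   # acquired under a wider profile
            violations.append(f"{r.surface}@turn{r.turn} carries {sorted(out)}")
            continue
        parts.append(f"[{r.surface}] {r.content}")
    payload = "\n".join(parts)
    # Defence in depth: rescan the assembled text so content that reached the
    # accumulator through an ungoverned path is still caught before transmission.
    leaked = sorted(l for l in classify(payload) if l not in profile.data_scope)
    if leaked:
        violations.append(f"payload still carries {leaked}")
    return (not violations, payload, violations)
```

Two behaviours are worth noting. A record acquired under a profile that permitted a label is refused by the firewall if the profile active at inference time no longer includes that label, which is what makes the profile "active" rather than a one-time admission check. And a record appended to the accumulator without passing through `acquire` (the analogue of an ungoverned tool response) is still caught by the rescan, which is the independence between layers the page claims.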
Why This Matters
This architecture establishes a new category of infrastructure: context governance. It is not an add-on to action governance; it is a separate and equally necessary primitive. Action governance controls what agents can do. Context governance controls what agents can acquire and know.
Together they form the complete operational safety plane for autonomous AI systems. An enterprise that governs only the action surface has closed half the attack surface. An enterprise that governs both can make a verifiable claim about what its agents are permitted to do and what they are permitted to acquire and know, at runtime, at scale, with an immutable audit trail.
That claim is what operational safety for agentic AI actually means.
Naveen Kumar Vandanapu, Founder, Raksha AI · getraksha.com