MACAW Primitives
Three cryptographic primitives that provide deterministic verification at every boundary crossing. Together, they enable secure AI operations without trusting agents.
The Three Pillars
MACAW security is built on three cryptographic primitives. Each addresses a specific aspect of secure agent operation, and together they form a complete security foundation.
Authenticated Workflows
Signed invocations with receiver-side verification. The tool verifies, not the agent.
Authenticated Prompts
Lineage tracking with monotonic narrowing. Derived prompts cannot exceed parent permissions.
Authenticated Context
Session-bound state with tamper evidence. Secure isolation across users and sessions.
Authenticated Workflows
Every inter-entity invocation is augmented with a policy binding and cryptographic signature. The key insight: the receiver (tool) verifies, not the sender (agent).
This prevents a compromised agent from "grading its own homework"—verification is performed by an independent party with no incentive to forge.
| Guarantee | Mechanism |
|---|---|
| Authenticity | Ed25519 signature links WHO to WHAT |
| Policy Binding | Policy cryptographically bound to invocation |
| Tamper Evidence | Hash chains and sequence numbers |
| Non-Repudiation | Signatures create undeniable proof |
Authenticated Prompts
Prompts carry cryptographic proof of their origin and derivation chain. A prompt passed from Agent A to Agent B to Agent C maintains verifiable lineage.
Crucially, permissions can only decrease along the chain. A derived prompt cannot grant more access than its parent—this is monotonic narrowing.
| Property | Description |
|---|---|
| Lineage Tracking | Each prompt references its parent |
| Monotonic Narrowing | Scope can only decrease, never increase |
| Origin Verification | Traceable back to root prompt |
| Delegation Control | Configurable depth limits |
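The lineage rules in the table above, shown as an added example that is not MACAW's own code: a receiver-side check that walks a root-to-leaf chain and rejects broken parent links, widened scope, and excess delegation depth. The record layout, function names, SHA-256 parent references and the depth limit of 3 are assumptions; signatures over each record are omitted, so this demonstrates tamper evidence and narrowing, not authorship.

```python
import hashlib
import json

MAX_DEPTH = 3  # assumed delegation depth limit; the page only says it is configurable


def prompt_id(record):
    """Content hash of a prompt record; children reference their parent by this value."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def derive(parent, text, scope):
    """Build a child record that points at its parent (hypothetical record layout)."""
    return {"parent": prompt_id(parent), "text": text, "scope": sorted(scope)}


def verify_lineage(chain, trusted_root_id, max_depth=MAX_DEPTH):
    """Check a root-to-leaf chain on the receiving side. Returns (ok, reason)."""
    if not chain or prompt_id(chain[0]) != trusted_root_id:
        return False, "root does not match trusted origin"
    if chain[0].get("parent") is not None:
        return False, "root must not have a parent"
    if len(chain) - 1 > max_depth:
        return False, "delegation depth exceeded"
    for depth in range(1, len(chain)):
        parent, child = chain[depth - 1], chain[depth]
        if child.get("parent") != prompt_id(parent):
            return False, f"broken parent link at depth {depth}"
        widened = set(child["scope"]) - set(parent["scope"])
        if widened:  # monotonic narrowing: a child may only hold a subset of its parent's scope
            return False, f"scope widened at depth {depth}: {sorted(widened)}"
    return True, "ok"


# Constructed sample data: Agent A (root) -> Agent B -> Agent C
ROOT = {"parent": None, "text": "summarise Q3 tickets", "scope": ["tickets:read", "tickets:write", "mail:send"]}
ROOT_ID = prompt_id(ROOT)
B = derive(ROOT, "fetch open tickets", ["tickets:read", "tickets:write"])
C = derive(B, "read ticket 17", ["tickets:read"])
C_WIDE = derive(B, "email the summary", ["tickets:read", "mail:send"])  # regains a scope B dropped

if __name__ == "__main__":
    print(verify_lineage([ROOT, B, C], ROOT_ID))
    print(verify_lineage([ROOT, B, C_WIDE], ROOT_ID))
```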
Authenticated Context
Session state is bound to cryptographic signatures, ensuring tamper evidence and isolation. User A's session cannot access User B's context.
This enables secure multi-tenant scenarios like shared chatbots where each user's conversation history is cryptographically isolated.
| Feature | Description |
|---|---|
| Session Binding | Operations bound to session scope |
| Replay Prevention | Sequence numbers detect replays |
| Attestation Chains | Proof of prerequisite completion |
| Multi-User Isolation | Cryptographic tenant separation |
Working Together
The three primitives combine to create a complete security model. Each operation flows through all three layers:
Each primitive adds a layer of security: context ensures session isolation, prompts ensure delegation control, and workflows ensure operation authorization. Breaking one doesn't break the others.