Capframe — Capability security for AI agents
v0.2.0 · live · MIT · Rust 1.78+ · MCP-native
OWASP LLM · NIST AI RMF · MITRE ATLAS
v0.2.0 released · AI agent security
Capability security for AI agents.
Three Rust modules for AI agents that call tools. Find what they touch. Bind their authority. Guard every call. MCP-native. Audit-mapped to OWASP LLM, NIST AI RMF, MITRE ATLAS. MIT licensed.
curl -fsSL capframe.ai/install | sh
~/agents — capframe install
$ capframe install
→ mcp-recon
✓ mcp-recon v0.0.4 sha256 ok · 1.2 MB
→ capnagent
✓ capnagent v0.7.6 sha256 ok · 1.2 MB
→ mcp-guard
✓ mcp-guard v0.5.4 sha256 ok · 19.9 MB
Verify with: capframe doctor
Add to PATH: ~/.capframe/bin
§ 01 The pipeline
Four stages. One binary. No LLM in the decision path.
01 Discovery (Find): Map the tool surface. Catch indirect-injection gaps. → findings.json
02 Authority (Bind): Mint scoped, revocable capability tokens. → cf_tok_a91…
03 Enforcement (Guard): Evaluate every tool call against policy at runtime. → allow / deny
04 Compliance (Report): Audit-ready artifact: OWASP / NIST / ATLAS. → report.html
§ 02 The three modules
Standalone, or composed.
Each module ships as its own Rust crate, its own CLI subcommand, and its own GitHub repo. Run them independently or wire them together through a shared findings schema.

02.1 Discovery (Find)
Walks every MCP server, every tool endpoint, every parameter your agent can touch. Surfaces indirect-injection gaps and unconstrained inputs, then emits a structured findings file aligned to the OWASP LLM Top 10.
capframe find
$ capframe find ./mcp-server.toml
✓ mapped 14 tools across 2 mcp servers
⚠ 3 tools accept input without constraints (LLM01)
→ ./capframe.findings.json
02.2 Authority (Bind)
Mints capability tokens — macaroon-style, attenuable, revocable, ed25519 holder-of-key, with signed denial receipts (HMAC-SHA256). Each agent carries a scoped token; every call produces a tamper-evident receipt that doubles as compliance evidence.
capframe bind
$ capframe bind --agent shopify-bot \
    --tools "order.read, refund.write" \
    --limit max_refund=50 --limit region=eu \
    --ttl 24h
✓ token minted: cf_tok_a91f4e…
scope: 2 tools, 2 limits
expires: 2026-05-18T08:14:00Z
02.3 Enforcement (Guard)
A deterministic policy evaluator. Synthesize a YAML policy from an observed gap, backtest it against the default corpus, then drop the evaluator into your agent's tool-call boundary. No LLM in the decision path. Single-digit-microsecond evaluation.
capframe guard
$ capframe guard backtest ./policy.yaml
✓ 247/247 corpus cases pass
✓ 14 rules, 3 categories
✓ false-positive rate: 0.0%
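The Bind and Guard stages above, as an added example that is not Capframe's own code or token format: a macaroon-style token whose caveats are chained with HMAC-SHA256 so a holder can narrow it but never widen it, a verifier that recomputes the chain from the root key, and a deterministic evaluator that returns allow/deny for one tool call together with an HMAC-SHA256 receipt over the decision. The caveat syntax, the keys, the token id and the sample calls are constructed for this demo; caveats are conjunctive, and a call whose context lacks an attribute a caveat names is denied.

```python
import hashlib
import hmac

def _chain(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> dict:
    """Root token: sig = HMAC(root_key, id). Only the minter holds root_key."""
    return {"id": token_id, "caveats": [], "sig": _chain(root_key, token_id)}

def attenuate(tok: dict, caveat: str) -> dict:
    """Narrow authority without the root key: sig' = HMAC(sig, caveat).
    A holder can add caveats but never strip one (the chain would break)."""
    return {"id": tok["id"], "caveats": tok["caveats"] + [caveat],
            "sig": _chain(tok["sig"], caveat)}

def verify(root_key: bytes, tok: dict) -> bool:
    """Recompute the whole chain from the root key; compare in constant time."""
    sig = _chain(root_key, tok["id"])
    for c in tok["caveats"]:
        sig = _chain(sig, c)
    return hmac.compare_digest(sig, tok["sig"])

def _holds(caveat: str, ctx: dict) -> bool:
    """One caveat ('field op value') against the call context; fails closed."""
    field, op, value = caveat.split(" ", 2)
    actual = ctx.get(field)
    if actual is None:                      # attribute absent: never satisfied
        return False
    checks = {"in": lambda a, v: a in v.split(","),
              "==": lambda a, v: str(a) == v,
              "<=": lambda a, v: float(a) <= float(v)}
    return op in checks and checks[op](actual, value)   # unknown operator: deny

def evaluate(root_key: bytes, receipt_key: bytes, tok: dict, ctx: dict) -> tuple:
    """Deterministic allow/deny for one call, plus an HMAC-SHA256 receipt over it."""
    if not verify(root_key, tok):
        decision = "deny: invalid signature"
    else:
        failed = [c for c in tok["caveats"] if not _holds(c, ctx)]
        decision = "allow" if not failed else "deny: " + "; ".join(failed)
    msg = f"{tok['id']}|{ctx['tool']}|{decision}".encode()
    return decision, hmac.new(receipt_key, msg, hashlib.sha256).hexdigest()

# Constructed demo keys and caveats (added illustration, not Capframe's code);
# the caveats mirror the page's bind example: 2 tools, 2 limits.
ROOT_KEY, RECEIPT_KEY = b"demo-root-key", b"demo-receipt-key"
TOKEN = mint(ROOT_KEY, "cf_tok_demo")
for cav in ("tool in order.read,refund.write", "refund <= 50", "region == eu"):
    TOKEN = attenuate(TOKEN, cav)
```

The demo leaves out the ed25519 holder-of-key binding and revocation the page mentions; it shows only the attenuation chain and the fail-closed evaluation.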
§ 03 Compliance
The artifact your security team hands to an auditor.
Every Capframe run produces evidence mapped to the three frameworks regulated buyers already require. Run capframe report to export HTML or PDF.

OWASP LLM Top 10 — 2025
✓ LLM01 prompt injection
✓ LLM02 insecure output
✓ LLM07 insecure plugin
✓ LLM08 excessive agency

NIST AI RMF v1.0
✓ GOVERN
✓ MAP
✓ MEASURE
✓ MANAGE

MITRE ATLAS v4.7
✓ TA0043 reconnaissance
✓ TA0006 credential access
✓ TA0040 impact
✓ TA0007 discovery
§ 04 Specimen transcript
What it looks like in the shell.
~/agents — capframe — 80×24
$ capframe find ./my-mcp-server.toml
✓ mapped 14 tools across 2 MCP servers
⚠ 3 tools accept input without constraints (LLM01)
⚠ 1 tool has indirect-injection surface (LLM01, ATLAS T0051)
→ findings written to ./capframe.findings.json

$ capframe bind --agent shopify-bot \
    --tools "order.read, refund.write" \
    --limit max_refund=50 --limit region=eu \
    --ttl 24h
✓ token minted: cf_tok_a91f4e…
holder: ed25519 / shopify-bot
scope: 2 tools · max_refund≤50 · region=eu
expires: 2026-05-18T08:14:00Z
revoke: capframe revoke cf_tok_a91f4e

$ capframe guard backtest ./policy.yaml
✓ 247/247 corpus cases pass
✓ 14 rules, 3 categories
✓ false-positive rate: 0.0%

$ capframe report --format html --out ./report.html
✓ report written
OWASP LLM Top 10: 4/10 covered, 2 findings open
NIST AI RMF: Govern ✓ Map ✓ Measure ✓ Manage ✓
MITRE ATLAS: 2 techniques flagged, 0 active exploits
§ 05 Pricing
Open source. Hosted when you need it.

Free · $0 · self-hosted (available)
All three modules. Local CLI. Full OWASP / NIST / ATLAS report generator. MIT license.
✓ All three modules
✓ Local-first CLI
✓ Full report generator (HTML + PDF)
✓ sha256-verified installer
✓ Run anywhere

Pro · $199 per month (early access · waitlist open)
Hosted control plane for AI teams shipping agents at velocity. Currently in private early access — join the waitlist below.
✓ Hosted dashboard (in build)
✓ Findings history + cross-scan diffing
✓ Scheduled scans
✓ Slack alerts
✓ Up to 10 agents

Enterprise · Talk to us (design partners)
On-prem / VPC. SSO, audit logs, signed compliance reports, SLA. Taking a small number of design partners in regulated industries.
✓ SSO + audit logs
✓ On-prem / VPC deploy
✓ Signed compliance reports
✓ SLA + private Slack channel
✓ Unlimited...