Skip to content

computeaholic/threadforge-agent-containment-lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
agents
agents
 
 
docs
docs
 
 
k8s
k8s
 
 
scenarios
scenarios
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
START_HERE.md
START_HERE.md
 
 
STATUS.md
STATUS.md
 
 

Repository files navigation

Identity-First Containment for AI Agent Workloads

This repository demonstrates how untrusted AI agents can be safely contained using workload identity and service mesh authorization policies. The lab shows that a compromised agent cannot perform lateral movement, service enumeration, or data exfiltration.

Verified Containment Behavior

The lab and its attack scenarios were validated on a live cluster.

See the advisor validation memo:

docs/ADVISOR_VALIDATION.md

The deployment flow builds and pushes images to a cluster-reachable OCI registry. The default REGISTRY value uses ttl.sh for portability, and can be overridden for private clusters.

Document Flow

  1. START_HERE.md
  2. docs/ADVISOR_VALIDATION.md
  3. docs/IMPLEMENTATION_PLAN.md
  4. docs/DEMO_TRANSCRIPT.md

About

Demonstration of identity-based containment for AI agent workloads.

Topics

kubernetes istio zero-trust ai-security spiffe spire platform-engineering

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages