Search papers, labs, and topics across Lattice.
This paper introduces PORTICO, a reference monitor designed to manage the lingering authority of coding agents by revoking resource and effect capabilities after their necessity has ended. By implementing a structured task contract that delineates initial capabilities and closure predicates, PORTICO effectively prevents coding agents from executing unauthorized actions post-closure, achieving a 100% success rate in rejecting contract-forbidden effects. In contrast, a non-revoking comparator allowed all unauthorized actions, highlighting the effectiveness of PORTICO in maintaining compliance and safety in coding tasks.
PORTICO eliminates unauthorized actions in coding agents, achieving perfect compliance while a traditional system fails to do so.
Coding agents often receive broad tool access for an entire task, even when a resource is needed only for one subgoal. We call this gap lingering authority: a temporary resource/effect capability remains exposed after the episode that justified it has closed. PORTICO is a reference monitor for revocable capabilities exposed to the planner. It compiles an explicit task contract into initial capabilities, grant rules, trusted closure predicates, and global deny rules. A request-grant-invoke lifecycle materializes expansions as opaque, epoch-bound handles. Closure removes those handles from the next planner interface and rejects stale replay before side effects. The monitor assumes mediated tools and a sound typed catalog. In controlled coding-agent tasks, PORTICO records no executed contract-forbidden effects in the evaluated runs, while controlled grants recover boundary work blocked by a fixed narrow envelope. A non-revoking comparator receives the same initial envelope and the same grants at the same turns. On the closure slice, both systems match task success, scope compliance, and all pre-closure decisions; PORTICO then rejects 10/10 post-closure reuses, while the comparator permits 10/10. A deterministic stale-write audit records 0/6 versus 6/6 executed forbidden effects. Scripted traces and six live model traces over file writes, git mutation, and network egress show the same split. In a four-episode same-policy diagnostic, broad request exposure preserves zero executed forbidden effects but raises blocked proposals from 67 to 84. Frozen real-repository runs, with commits and traces recorded, exercise the same lifecycle on real project layouts.