A toy Python CLI governance demo that models:
- Capability leases (short-lived, scoped tokens) enforced by a ToolProxy
- A global revoke-all mechanism (issuer epoch bump)
- Per-token nonce revocation
- Guarded memory quarantine (flagged memory is stored inertly and does not update policy memory)
- Strict deny-by-default for “danger-shaped” actions
This is meant to make mitigation mechanisms discussable in concrete terms — not as vibes.
It is:
- A small, local simulation of lease issuance + policy enforcement.
- A teaching/demo artifact for capability gating and memory quarantine.
- A concrete way to say: “If you think this is naive, propose a better mechanism and show your design.”
It is not:
- A “kill switch.”
- Proof of doom.
- A security product.
- A real tool runner (no network calls, no shell execution, no real file writes).
- A system that can “turn AI off.” It only demonstrates one-way de-escalation / capability shedding patterns.
This is a toy governance model meant for safety discussion and capability de-escalation. Do not use it to build surveillance, coercion, weaponization, or systems that remove user autonomy. If you adapt this for real tool execution, you assume full responsibility for safety, auditing, and legal compliance. For the non-negotiable constraints of this demo (simulation-only, deny-by-default, quarantine rules), see DOCS/INTENT.md.
Enforcement lives in the tripwire (`kingpin_demo/proxy.py`), tests, and the CI audit (GitHub Actions).
This repo intentionally does not perform external actions.
`NET:https://example.com` is a string, not a real request. `SHELL:ls` is a string, not a shell command. `FILE_WRITE:/tmp/demo.txt` does not create a file.
When a lease allows an action, the CLI prints:
```
SIMULATED_EXECUTION ... (no external side effects)
```
That’s the whole point.
- “Allowing `FILE_WRITE:/tmp/demo.txt` writes a real file.” - False — it only prints a simulated execution line.
- “This executes shell commands.” - False — `SHELL:ls` is never executed; it is checked against scope only.
- “A token from one epoch survives global revoke-all.” - False — epoch bumps invalidate all older leases immediately.
- “Flagged memory still updates policy memory.” - False — flagged events go to quarantine and policy memory stays untouched.
- “This design is ‘god mode’ control.” - No — it’s deliberately the opposite: capability shedding, deny-by-default, and audit-shaped transcripts.
Install, run the scenario, and run the tests:

```bash
python3 -m pip install -e ".[dev]"
python3 -m kingpin_demo.cli scenario
python3 -m pytest -q
```

Individual commands:

```bash
python3 -m kingpin_demo.cli scenario
python3 -m kingpin_demo.cli act --action NET:https://example.com
python3 -m kingpin_demo.cli mint --scope NET:https://example.com --ttl 120
TOKEN=$(python3 -m kingpin_demo.cli mint --scope NET:https://example.com --ttl 120)
python3 -m kingpin_demo.cli act --action NET:https://example.com --token "$TOKEN"
python3 -m pytest -q
```

The scenario command runs a single printed transcript showing:
- No token → deny all danger-shaped actions (default state).
- NET-only lease → allow NET, deny FILE_WRITE and SHELL due to scope.
- Epoch bump → revoke-all, previous token denied for everything.
- Fresh token → allow again (only if minted after bump).
- Nonce revoke → deny that token.
- Flagged memory event → quarantine, policy memory not updated.
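The scenario above, and the mechanism list at the top of this README, replayed as an added, self-contained example. This is illustration code written for this page, not the `kingpin_demo` package itself; it assumes HMAC-signed JSON leases, an exact-string scope match, a fixed clock passed in as `now`, and that actions without a danger-shaped prefix need no lease (all of these are assumptions, not the project's design). Every name below (`Issuer`, `ToolProxy`, `GuardedMemory`, `run_scenario`) is hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the prefix of an action string decides whether it is "danger-shaped".
DANGER_PREFIXES = ("NET:", "SHELL:", "FILE_WRITE:")


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


class Issuer:
    """Mints and verifies HMAC-signed leases; owns the epoch and the nonce revocation set."""

    def __init__(self, key):
        self._key = key
        self.epoch = 0          # bumping this invalidates every older lease (global revoke-all)
        self._revoked = set()   # nonces of individually revoked leases

    def mint(self, scope, ttl, now=None):
        now = time.time() if now is None else now
        claims = {"scope": sorted(scope), "exp": now + ttl,
                  "epoch": self.epoch, "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(sig)}"

    def bump_epoch(self):
        self.epoch += 1

    def revoke(self, token):
        claims = self.verify(token, check_liveness=False)   # authentic token, live or not
        if claims:
            self._revoked.add(claims["nonce"])

    def verify(self, token, now=None, check_liveness=True):
        """Return the claims if the token is authentic (and live), else None; never raises."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time signature check
            return None
        claims = json.loads(body)
        if not check_liveness:
            return claims
        now = time.time() if now is None else now
        if claims["epoch"] != self.epoch:      # minted before the last revoke-all
            return None
        if claims["nonce"] in self._revoked:   # per-token revocation
            return None
        if now >= claims["exp"]:               # short-lived lease has expired
            return None
        return claims


class ToolProxy:
    """Deny-by-default gate in front of the (simulated) tool runner."""

    def __init__(self, issuer):
        self._issuer = issuer
        self.transcript = []   # audit-shaped log of every decision

    def act(self, action, token=None, now=None):
        decision = self._decide(action, token, now)
        self.transcript.append((action, *decision))
        return decision

    def _decide(self, action, token, now):
        if not action.startswith(DANGER_PREFIXES):
            return ("ALLOW", "not danger-shaped")   # assumption: benign actions need no lease
        if token is None:
            return ("DENY", "no lease presented")
        claims = self._issuer.verify(token, now=now)
        if claims is None:
            return ("DENY", "lease invalid, expired, or revoked")
        if action not in claims["scope"]:
            return ("DENY", "action outside lease scope")
        # Nothing real happens: the only side effect is this transcript line.
        return ("ALLOW", f"SIMULATED_EXECUTION {action} (no external side effects)")


class GuardedMemory:
    """Flagged events are stored inertly; only unflagged events update policy memory."""

    def __init__(self):
        self.policy = []       # consulted by policy decisions
        self.quarantine = []   # kept for audit, never consulted

    def record(self, event, flagged=False):
        (self.quarantine if flagged else self.policy).append(event)
        return "QUARANTINED" if flagged else "STORED"


def run_scenario(now=1_000_000.0):
    """Replay the README's scenario against a fixed clock; returns decisions and transcript."""
    issuer, memory = Issuer(secrets.token_bytes(32)), GuardedMemory()
    proxy = ToolProxy(issuer)
    net, out = "NET:https://example.com", {}
    out["no_token"] = proxy.act(net, now=now)                          # default state: deny
    t1 = issuer.mint(scope=[net], ttl=120, now=now)                    # NET-only lease
    out["net_ok"] = proxy.act(net, t1, now=now)
    out["shell_scope"] = proxy.act("SHELL:ls", t1, now=now)
    out["file_scope"] = proxy.act("FILE_WRITE:/tmp/demo.txt", t1, now=now)
    out["expired"] = proxy.act(net, t1, now=now + 121)                 # past the 120 s TTL
    issuer.bump_epoch()                                                # revoke-all
    out["after_bump"] = proxy.act(net, t1, now=now)
    t2 = issuer.mint(scope=[net], ttl=120, now=now)                    # minted after the bump
    out["fresh"] = proxy.act(net, t2, now=now)
    issuer.revoke(t2)                                                  # nonce revoke
    out["nonce_revoked"] = proxy.act(net, t2, now=now)
    t3 = issuer.mint(scope=[net], ttl=120, now=now)
    forged = t3.rsplit(".", 1)[0] + "." + _b64(b"\x00" * 32)           # constructed bad signature
    out["tampered"] = proxy.act(net, forged, now=now)
    out["quarantine"] = memory.record({"note": "untrusted input (constructed)"}, flagged=True)
    memory.record({"note": "lease issued (constructed)"})
    out["policy_len"], out["quarantine_len"] = len(memory.policy), len(memory.quarantine)
    return out, proxy.transcript


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(*line)
```

Running the module prints the transcript; the flagged event lands only in `quarantine`, so `policy` is unaffected, and a lease minted before `bump_epoch()` is refused everywhere even though its TTL has not elapsed.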
This toy model borrows a shape you see in robust systems:
- avoid single points of failure
- use short-lived, scoped permissions
- compartmentalize risky inputs (quarantine)
- make “containment” easy and “power escalation” hard
If you think this is naive, show a better mechanism — with the same constraints: deny-by-default, no side effects, and verifiable transcripts.
- License: PolyForm Noncommercial 1.0.0 (no commercial use).
- Intent: See `DOCS/INTENT.md` (constraints and anti-misread guardrails).
- Threat model: See `DOCS/THREAT_MODEL.md` (toy scope).
- Security policy: See `SECURITY.md` (simulation-only).