Intent-bound action authorization for AI agents — deterministic, per-action approval a prompt injection can't re-point, with a signed, tamper-evident audit trail.
Renfield — penetration testing for AI agents: finds and PROVES cross-server confused-deputy exfiltration chains in an MCP tool mesh, measures whether a real LLM falls for them, gates them at runtime, and runs as an MCP server any agent can call.