AI RESEARCH
CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution
arXiv CS.AI
arXiv:2604.16762v1

Modern AI agents routinely depend on secrets such as API keys and SSH credentials, yet the dominant deployment model still exposes those secrets directly to the agent process through environment variables, local files, or forwarding sockets. This design fails against prompt injection, tool misuse, and model-controlled exfiltration, because the agent can both use and reveal the same bearer credential.