{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2025:7PZFUWQOSDFCUEL5PBDZBOGS53","short_pith_number":"pith:7PZFUWQO","canonical_record":{"source":{"id":"2504.11703","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-16T01:58:40Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"1a37f4ddb131c3b9853b287250dcf0241b2432cb4fced885e02ea51cab7f8c59","abstract_canon_sha256":"c82339ac3d48c83c2b8667eb8cd0452b3780c947d1ee8c9b777f15241f093e7e"},"schema_version":"1.0"},"canonical_sha256":"fbf25a5a0e90ca2a117d784790b8d2eee8fca02005834deb3a57764aba214d71","source":{"kind":"arxiv","id":"2504.11703","version":3},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2504.11703","created_at":"2026-05-17T23:39:18Z"},{"alias_kind":"arxiv_version","alias_value":"2504.11703v3","created_at":"2026-05-17T23:39:18Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2504.11703","created_at":"2026-05-17T23:39:18Z"},{"alias_kind":"pith_short_12","alias_value":"7PZFUWQOSDFC","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"7PZFUWQOSDFCUEL5","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"7PZFUWQO","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2025:7PZFUWQOSDFCUEL5PBDZBOGS53","target":"record","payload":{"canonical_record":{"source":{"id":"2504.11703","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-16T01:58:40Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"1a37f4ddb131c3b9853b287250dcf0241b2432cb4fced885e02ea51cab7f8c59","abstract_canon_sha256":"c82339ac3d48c83c2b8667eb8cd0452b3780c947d1ee8c9b777f15241f093e7e"},"schema_version":"1.0"},"canonical_sha256":"fbf25a5a0e90ca2a117d784790b8d2eee8fca02005834deb3a57764aba214d71","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:39:18.129996Z","signature_b64":"s+3i90Q2InUsuNOw/XCB5x9bVmP53yF+A93x5sydAe2rLakWN80ItAA7WUUbT6iR6Q1dkwojvGLTYgEhLeeLAA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"fbf25a5a0e90ca2a117d784790b8d2eee8fca02005834deb3a57764aba214d71","last_reissued_at":"2026-05-17T23:39:18.129227Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:39:18.129227Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2504.11703","source_version":3,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:39:18Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"ET8JnrzUKSLUlo31SQGtu9juL+lBtmCd2AjeIn1/3cbMBdba+tfRmsc6CoxFC19na+VUOIBiUKsU6QulFxOlAA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-25T20:59:24.461508Z"},"content_sha256":"a187eac68147ae9222ac6683ae5bb356c36002614e5084198f4c870655aacdd6","schema_version":"1.0","event_id":"sha256:a187eac68147ae9222ac6683ae5bb356c36002614e5084198f4c870655aacdd6"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2025:7PZFUWQOSDFCUEL5PBDZBOGS53","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Progent: Securing AI Agents with Privilege Control","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Dawn Song, Hongwei Li, Jingxuan He, Linyu Wu, Tianneng Shi, Wenbo Guo, Zhun Wang","submitted_at":"2025-04-16T01:58:40Z","abstract_excerpt":"AI agents interact with external environments through tool calls, exposing them to attacks like indirect prompt injection that can trigger unauthorized actions. Securing these agents is challenging: they behave autonomously and probabilistically, security requirements evolve depending on the user's task and execution state, and there is an inherent tradeofff between security and utility.\n  In this work, we introduce Progent, a novel framework that secures AI agents via privilege control. Progent represents privilege as a security policy consisting of symbolic rules over tool names and argument"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2504.11703","kind":"arxiv","version":3},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:39:18Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"aJGz+M5AnalUzzeDOtrREHMwD3S+YqLArbyvBE8FPWlvQ5IM+gtp+XME1AV/8WdG5vjMnIClNz052XPJDtrlBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-25T20:59:24.462148Z"},"content_sha256":"347a8ebad111133799f656c5e6b6bf477b0462696555a12e383d1a46ee334783","schema_version":"1.0","event_id":"sha256:347a8ebad111133799f656c5e6b6bf477b0462696555a12e383d1a46ee334783"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/bundle.json","state_url":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-25T20:59:24Z","links":{"resolver":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53","bundle":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/bundle.json","state":"https://pith.science/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/state.json","well_known_bundle":"https://pith.science/.well-known/pith/7PZFUWQOSDFCUEL5PBDZBOGS53/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2025:7PZFUWQOSDFCUEL5PBDZBOGS53","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"c82339ac3d48c83c2b8667eb8cd0452b3780c947d1ee8c9b777f15241f093e7e","cross_cats_sorted":["cs.AI"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-16T01:58:40Z","title_canon_sha256":"1a37f4ddb131c3b9853b287250dcf0241b2432cb4fced885e02ea51cab7f8c59"},"schema_version":"1.0","source":{"id":"2504.11703","kind":"arxiv","version":3}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2504.11703","created_at":"2026-05-17T23:39:18Z"},{"alias_kind":"arxiv_version","alias_value":"2504.11703v3","created_at":"2026-05-17T23:39:18Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2504.11703","created_at":"2026-05-17T23:39:18Z"},{"alias_kind":"pith_short_12","alias_value":"7PZFUWQOSDFC","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"7PZFUWQOSDFCUEL5","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"7PZFUWQO","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:347a8ebad111133799f656c5e6b6bf477b0462696555a12e383d1a46ee334783","target":"graph","created_at":"2026-05-17T23:39:18Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"AI agents interact with external environments through tool calls, exposing them to attacks like indirect prompt injection that can trigger unauthorized actions. Securing these agents is challenging: they behave autonomously and probabilistically, security requirements evolve depending on the user's task and execution state, and there is an inherent tradeofff between security and utility.\n  In this work, we introduce Progent, a novel framework that secures AI agents via privilege control. Progent represents privilege as a security policy consisting of symbolic rules over tool names and argument","authors_text":"Dawn Song, Hongwei Li, Jingxuan He, Linyu Wu, Tianneng Shi, Wenbo Guo, Zhun Wang","cross_cats":["cs.AI"],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-16T01:58:40Z","title":"Progent: Securing AI Agents with Privilege Control"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2504.11703","kind":"arxiv","version":3},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:a187eac68147ae9222ac6683ae5bb356c36002614e5084198f4c870655aacdd6","target":"record","created_at":"2026-05-17T23:39:18Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"c82339ac3d48c83c2b8667eb8cd0452b3780c947d1ee8c9b777f15241f093e7e","cross_cats_sorted":["cs.AI"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-16T01:58:40Z","title_canon_sha256":"1a37f4ddb131c3b9853b287250dcf0241b2432cb4fced885e02ea51cab7f8c59"},"schema_version":"1.0","source":{"id":"2504.11703","kind":"arxiv","version":3}},"canonical_sha256":"fbf25a5a0e90ca2a117d784790b8d2eee8fca02005834deb3a57764aba214d71","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"fbf25a5a0e90ca2a117d784790b8d2eee8fca02005834deb3a57764aba214d71","first_computed_at":"2026-05-17T23:39:18.129227Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:39:18.129227Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"s+3i90Q2InUsuNOw/XCB5x9bVmP53yF+A93x5sydAe2rLakWN80ItAA7WUUbT6iR6Q1dkwojvGLTYgEhLeeLAA==","signature_status":"signed_v1","signed_at":"2026-05-17T23:39:18.129996Z","signed_message":"canonical_sha256_bytes"},"source_id":"2504.11703","source_kind":"arxiv","source_version":3}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:a187eac68147ae9222ac6683ae5bb356c36002614e5084198f4c870655aacdd6","sha256:347a8ebad111133799f656c5e6b6bf477b0462696555a12e383d1a46ee334783"],"state_sha256":"da301de1132398e7f99f02724ab21a4f4739c3de181fb5e7b87fc1a44bae213e"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"WTx1MuFUtYKAMc8ONmF+BaeWS2IkeXEPhwy56CptckyEJH+d7JYCsFIuY/XWJDLHzI3IM5bFmuHn6LcWCdANAw==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-25T20:59:24.465689Z","bundle_sha256":"9f9cbc3764c871ed49d5583d40d821f582b0d6a83372f9ac5cca5ea21589901e"}}