9) Threat model mapping to prompt-injection
- Control-plane isolation: Only signed envelopes can change behavior, tools, or policies. Untrusted content is data-only.
- Scope minimization: Even valid signed prompts are confined to explicit capabilities.
- Replay resistance: Nonces + expiry + session scoping.
- Key hygiene: Owner uses multisig or account abstraction; session keys are short-lived and revocable.
- Optional TEEs/attestation: Run verification and policy enforcement in a TEE; publish attestation so external tools know the agent enforces capabilities.
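The first four items above, worked through as an added example that is not part of the original post: a small control-plane verifier that treats anything without a valid signed envelope as inert data, scopes valid envelopes to an allow-list of capabilities, and rejects replays, expired envelopes and envelopes bound to another session. The session key, the capability names and the HMAC stand-in for the signature are assumptions for illustration; a real deployment would verify an asymmetric signature from the owner's multisig or account-abstraction wallet.

```python
import hashlib
import hmac
import json
import time

# Constructed values for the example; not from any real deployment.
SESSION_KEY = b"constructed-session-key"            # short-lived, revocable
ALLOWED_CAPABILITIES = {"read_calendar", "send_email"}  # hypothetical tools


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(payload: dict, key: bytes = SESSION_KEY) -> dict:
    """HMAC stand-in for the owner's signature (assumption, see lead-in)."""
    return {"payload": payload,
            "sig": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}


class ControlPlane:
    """Only verified envelopes may change behaviour; everything else is data."""

    def __init__(self, session_id: str, key: bytes = SESSION_KEY, now=time.time):
        self.session_id, self.key, self.now = session_id, key, now
        self.seen_nonces: set = set()  # replay resistance

    def verify(self, envelope: dict) -> tuple[bool, str]:
        payload = envelope.get("payload", {})
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("sig", "")):
            return False, "bad signature"          # tampered or unsigned
        if payload.get("session") != self.session_id:
            return False, "wrong session"          # session scoping
        if payload.get("exp", 0) < self.now():
            return False, "expired"                # expiry
        if payload.get("nonce") in self.seen_nonces:
            return False, "replayed nonce"         # nonce
        if not set(payload.get("capabilities", [])) <= ALLOWED_CAPABILITIES:
            return False, "capability out of scope"  # scope minimization
        self.seen_nonces.add(payload.get("nonce"))  # record only after all checks pass
        return True, "ok"

    def classify(self, message: dict) -> str:
        """Valid signed envelope -> 'control'; anything else is data-only."""
        if "sig" not in message:
            return "data"   # untrusted content never reaches the control plane
        ok, reason = self.verify(message)
        return "control" if ok else f"rejected: {reason}"
```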