
research(security): AgentWard lifecycle security — map five-stage defense model to zeph-subagent hooks.rs (arXiv:2604.24657) #4012

@bug-ops

Description


Paper: "AgentWard: A Lifecycle Security Architecture for Autonomous AI Agents" (arXiv:2604.24657, April 2026).

Directly relevant to the major hooks.rs expansion (+328 lines) in zeph-subagent HEAD 2d38c43.

Key Contributions

AgentWard organizes defense-in-depth across five agent lifecycle stages:

  1. Initialization — validate loaded skills and tool registrations before first use
  2. Input processing — intercept and sanitize external content before it reaches the planner
  3. Memory — enforce read/write boundaries on memory operations
  4. Decision-making — constrain planner outputs to declared tool scopes
  5. Execution — contain tool invocations and monitor environmental side-effects

Actionable Implications for Zeph

  1. Pre-execution hook coverage: Audit zeph-subagent/src/hooks.rs — does the new hook set cover all five stages, or only execution? Initialization-stage hooks (validate tool grants at spawn time) may be missing.
  2. Cross-layer threat propagation: The paper warns that threats exploit gaps between lifecycle stages. Zeph's hooks should pass threat context across pre→post hook pairs (currently unknown).
  3. Post-execution memory boundary enforcement: After tool execution, verify memory write guards are applied before the result is stored in the subagent context.
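As an added illustration of the mapping the issue asks for (the five AgentWard stages above, the pre→post threat-context hand-off in item 2, and the post-execution memory guard in item 3), the following is a hypothetical hook pipeline in Rust. It is not code from zeph-subagent's hooks.rs or from the AgentWard paper; every type and function name (`Stage`, `ThreatContext`, `SubagentSpec`, `init_hook`, `run_pipeline`, and so on) is an assumption chosen for the example. One `ThreatContext` is created at initialization and threaded through each stage so that a taint set during input processing is still visible when the memory guard runs after execution.

```rust
// Hypothetical lifecycle hook pipeline modelled on AgentWard's five stages.
// Added example: not zeph-subagent's hooks.rs, and all names are assumptions.
use std::collections::HashSet;

/// The five AgentWard lifecycle stages a hook can belong to.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Stage {
    Initialization,
    InputProcessing,
    Memory,
    DecisionMaking,
    Execution,
}

/// Threat context created once at initialization and handed from every
/// pre-hook to its matching post-hook, so later stages see earlier findings.
#[derive(Debug, Default, Clone)]
pub struct ThreatContext {
    /// Set when any content entered from outside the agent's trust boundary.
    pub tainted_input: bool,
    /// Which stage raised which finding, in order of occurrence.
    pub findings: Vec<(Stage, String)>,
}

impl ThreatContext {
    fn flag(&mut self, stage: Stage, msg: &str) {
        self.findings.push((stage, msg.to_string()));
    }
}

/// What a subagent was spawned with (constructed for the example).
pub struct SubagentSpec<'a> {
    pub granted_tools: &'a [&'a str],
    pub registry: &'a [&'a str],
    pub memory_write_allowed: bool,
}

pub struct ToolCall<'a> {
    pub tool: &'a str,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Deny(String),
}

/// Stage 1 (initialization): every granted tool must exist in the registry
/// before the subagent runs anything; an unknown grant fails the spawn.
pub fn init_hook(spec: &SubagentSpec<'_>, ctx: &mut ThreatContext) -> Verdict {
    let registry: HashSet<&str> = spec.registry.iter().copied().collect();
    for t in spec.granted_tools {
        if !registry.contains(t) {
            ctx.flag(Stage::Initialization, &format!("unknown tool grant: {t}"));
            return Verdict::Deny(format!("tool {t} not registered"));
        }
    }
    Verdict::Allow
}

/// Stage 2 (input processing): taint is assigned by provenance, not by
/// content inspection, so it cannot be evaded by rewording.
pub fn input_hook(from_external: bool, ctx: &mut ThreatContext) {
    if from_external {
        ctx.tainted_input = true;
    }
}

/// Stage 4 (decision-making): planner output is constrained to the
/// declared grant set regardless of what the registry offers.
pub fn decision_hook(spec: &SubagentSpec<'_>, call: &ToolCall<'_>, ctx: &mut ThreatContext) -> Verdict {
    if !spec.granted_tools.contains(&call.tool) {
        ctx.flag(Stage::DecisionMaking, &format!("out-of-scope tool: {}", call.tool));
        return Verdict::Deny(format!("tool {} not in declared scope", call.tool));
    }
    Verdict::Allow
}

/// Stage 3 applied as the stage-5 post-hook: the memory write guard runs
/// after execution, and a result derived from tainted input is stored with
/// a provenance marker so later readers know its origin.
pub fn post_execution_hook(spec: &SubagentSpec<'_>, result: &str, ctx: &mut ThreatContext) -> Result<String, String> {
    if !spec.memory_write_allowed {
        ctx.flag(Stage::Memory, "memory write blocked by guard");
        return Err("memory write denied".to_string());
    }
    if ctx.tainted_input {
        return Ok(format!("[untrusted] {result}"));
    }
    Ok(result.to_string())
}

/// Runs one tool call through all stages; returns the stored memory entry or
/// the first denial, plus the context showing which stage fired.
pub fn run_pipeline(spec: &SubagentSpec<'_>, input_is_external: bool, call: &ToolCall<'_>, tool_result: &str) -> (Result<String, String>, ThreatContext) {
    let mut ctx = ThreatContext::default();
    if let Verdict::Deny(r) = init_hook(spec, &mut ctx) {
        return (Err(r), ctx);
    }
    input_hook(input_is_external, &mut ctx);
    if let Verdict::Deny(r) = decision_hook(spec, call, &mut ctx) {
        return (Err(r), ctx);
    }
    // Stage 5 execution would happen here; `tool_result` stands in for the
    // contained tool's output in this example.
    let stored = post_execution_hook(spec, tool_result, &mut ctx);
    (stored, ctx)
}

fn main() {
    // Constructed sample: one granted tool, a larger registry, writes allowed.
    let spec = SubagentSpec { granted_tools: &["read_file"], registry: &["read_file", "shell"], memory_write_allowed: true };
    let (stored, ctx) = run_pipeline(&spec, true, &ToolCall { tool: "shell" }, "ignored");
    println!("stored={stored:?} findings={:?}", ctx.findings);
}
```

The point the pipeline makes for the audit in the acceptance criteria: a hook set that only wraps execution (stage 5) could not produce the `[untrusted]` marker, because the taint is known only to stage 2, and it could not reject the unregistered grant, because that check belongs to stage 1 at spawn time.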

Acceptance Criteria

  • Map AgentWard's five stages to existing hooks in hooks.rs
  • Identify which stages lack hook coverage
  • File targeted issues for gaps found

References

Metadata

Assignees

No one assigned

Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests