AI coding agent security glossaryShared vocabulary for real threat models.

Security teams that work on AI coding agents spend a lot of time arguing about things that aren't the real disagreement. Is an MCP server a "dependency"? Is prompt injection "an attack" or "unexpected behavior"? Does "ambient credential" mean anything different from "secret in my shell"? The argument usually isn't about the concept. It's about the word.

This is a vocabulary problem with real consequences. Threat models built on ambiguous terms produce controls that point at the wrong surface. A policy that says "prevent prompt injection" without defining what injection means doesn't prevent anything.

OX Security's early 2026 report counted around 7,000 MCP servers in the wild with roughly 150 million downloads and no signature requirement. The shared language hasn't kept pace.

The glossary below covers the terms that show up most often in incident reports, architecture reviews, and security team debates. Where a term is genuinely contested, I pick a working definition and say why. Where a term is being misused, I name the misuse.

What to know before reading

Five things that frame the rest:

• These definitions are for AI coding agents specifically. Some terms exist in adjacent fields with different meanings.
• "Agent" is doing too much work in every conversation. Read the section on retired terms before assuming everyone means the same thing.
• Glossaries age. The MCP specification is moving. Terms like "sampling" have changed meaning across spec versions.
• Sources cited inline: Knostic (Feb 2026 disclosures), Check Point (CVE-2025-59536, Feb 2026), GitGuardian (State of Secrets Sprawl 2026), OX Security (MCP ecosystem report, early 2026), Snyk (MCP prompt injection research, early 2026).
• Definitions that carry an opinion say so inline.

Agents and runtimes

This is the layer where code runs and where most security assumptions go untested.

Coding agent. A language model integration that can read files, run shell commands, call APIs, and modify a codebase on a developer's behalf. Examples include Claude Code, Cursor's agent mode, Codex CLI, and Aider. The defining property is real side effects: file writes, API calls, shell execution. The risk surface is anything the agent's process can reach.

MCP (Model Context Protocol). An open protocol, released by Anthropic in late 2024, that defines how a model host communicates with external tool servers. MCP separates the model from the tools it uses. The security implication is that you can now have a third-party tool server in your agent's execution path that is not the agent vendor's code and not your code.

MCP server. A process that implements the MCP server side of the protocol, exposing tools, prompts, or resources to a connected model host. An MCP server can be local (a process on your machine) or remote (an HTTPS endpoint). OX Security's early 2026 count found around 7,000 in the wild with no signing or verification requirement. Treat an MCP server from an untrusted source the same way you'd treat a browser extension from an untrusted source.

Tool call. A structured request from the model to an MCP server (or native tool) asking it to execute a named function with given arguments. The model generates the call. The host executes it. Security matters here because the model decides what to call, but the human in the loop may not see the call before it runs.

Sampling. In the MCP spec, the mechanism by which an MCP server can request a model completion on its behalf, mid-session. A server that can trigger sampling can influence the model's reasoning from inside the tool layer. Most developers don't expect that when they add an MCP server.

Plan mode. A mode offered by some agents (Claude Code's --plan flag, others) in which the agent describes proposed actions before executing them. Security value: creates a human-visible checkpoint before side effects occur. Limitation: the plan is generated by the same model that executes. An adversarial prompt that manipulates the model can produce a plausible-looking plan and a different execution.

Agent loop. The repeated cycle of observation, reasoning, and action that an autonomous agent runs until it finishes a task or hits a stop condition. Security matters because each loop iteration can take new actions. An agent with a corrupted context window may loop for many steps before a human notices. Blast radius scales with loop length.

Secrets and brokers

Secrets management vocabulary was built for human operators and static infrastructure. Agent-specific patterns stress the original definitions in ways worth naming explicitly.

Secret zero. The initial credential needed to bootstrap access to other credentials, for example the key that unlocks a vault. With coding agents, secret zero is often an unscoped token or a master API key sitting in the developer's shell environment, visible to every process the agent spawns. Knostic's February 2026 disclosure found this value captured in Claude Code's settings.local.json and shipped in npm packages.

Broker. A process that holds secrets and mediates agent access to them. The broker receives a request, validates it, and injects the value into a specific child process at exec time. Without a broker, the agent reads secrets directly from the environment. That direct read is the root cause of most agent credential incidents.

Vault. An encrypted, access-controlled store for secrets. In agent security, the relevant properties are: where the vault runs (local vs. cloud), whether it enforces per-request authorization, and whether it generates an audit record for each access. A vault that the agent can read in bulk at startup is only marginally safer than an unencrypted file.

Grant. A time-bounded authorization for an agent to access a specific secret. A grant expires. It covers one secret, not all secrets. Logging a grant means you have a record of which agent accessed which credential, when, and in what context. "Grant" is more precise than "permission" for this use case because it implies both scope and expiry.

Ephemeral injection. Delivering a secret's value into a specific process's environment at exec time and not persisting it anywhere the agent can later read. The value exists in memory for the duration of that process. It does not appear in state files, log streams, or subsequent agent sessions. This is the mechanism that gives the broker model its security property: the secret was never written anywhere, so it has nowhere to leak from.

Process-tree scope. The set of processes descended from a given parent process. When a broker injects a secret into a child process, process-tree scope determines which other processes can see that environment variable. On POSIX systems, child processes inherit the parent's environment unless explicitly scrubbed. A broker that injects into a specific child reduces scope. An agent that receives the secret and forks a shell opens it back up.

Redactor. A component that scans agent output streams (stdout, stderr, log files, context windows) and removes or replaces secret values before they reach persistent storage or a human-readable channel. Use a redactor as defense-in-depth, not as a substitute for ephemeral injection: it operates after the value has appeared in the stream, not before. GitGuardian's 2026 State of Secrets Sprawl report documents how AI-assisted commits leak roughly twice as often as baseline. A redactor helps, but it catches leaks after they happen.

Sigil. A placeholder or reference token that stands in for a secret value in the agent's context. The agent uses the sigil to request execution. The broker substitutes the real value at injection time. The agent's context window, its log stream, and any state files it writes contain only the sigil. Agent log files are safe to read and share because the actual secret never appeared in them.

Attack surface

These terms show up in security reports and architecture reviews. Multiple vendors define several of them differently, which is exactly where team disagreements start.

Prompt injection. An attack where adversarial text in the model's context causes it to execute unintended instructions. The injected text hijacks the model's reasoning the same way SQL injection hijacks query construction. There are two subtypes that matter for agent security, described below. Check Point published a command-injection variant against Claude Code project files in early February 2026 (CVE-2025-59536).

Tool poisoning. A subtype of prompt injection where the adversarial content is in an MCP server's tool descriptions, resource metadata, or return values. The model reads the tool's description, which includes a hidden instruction. The model follows the instruction because it treats tool descriptions as trusted context. Snyk researchers documented this pattern against real MCP servers in early 2026.

Indirect prompt injection. Injection that reaches the model through data the agent reads rather than through a direct user message. Examples: a web page the agent fetches as part of research, a file the agent reads from the repository, a GitHub issue the agent is asked to triage. The MCP GitHub prompt-injection data heist documented by Snyk and other researchers in early 2026 used this vector. The agent read repository content containing hidden instructions and exfiltrated data as a result.

Supply-chain attack on MCP. Installing or running a malicious MCP server that mimics a legitimate one. Because MCP servers have no signature requirement (OX Security, early 2026), a typosquatted or compromised server can receive tool calls intended for the legitimate server. This is structurally identical to npm typosquatting but with broader access because MCP servers can read and write files.

State file leak. Exposure of a file that the agent persists to disk as part of its session state. The February 2026 Claude Code disclosure (Knostic) is the canonical example: settings.local.json captured environment variables and shipped them in npm package tarballs. Knostic found the file in about 1 in 13 scanned npm packages. State file leaks are not unique to one vendor. Knostic documented the equivalent in Cursor's .cursor/ directory in late January 2026.

Credential harvesting. Collecting secrets from an agent's environment, state files, or log streams for later misuse. Credential harvesting has higher expected value for most attackers than prompt injection: harvested credentials provide persistent access across sessions, while prompt injection affects only the current run. GitGuardian's 2026 report tracks AI-service token leaks up 81% year over year. The primary vector is ambient credentials that agent processes can read and log.

Ambient credential. A secret that is present in a process's environment without having been explicitly requested for that process. Running export OPENAI_API_KEY=... in your shell makes the key ambient: every process you spawn, including the coding agent, inherits it. The agent did not ask for the key. You did not authorize the agent to have it. It has it anyway.

Hardening and audit

These terms appear in security policies, audit requirements, and tool documentation. A few are agent-specific enough that no standard definition exists yet. The descriptions below are working definitions, not final specs.

HMAC-chained log. An audit log where each entry includes an HMAC of the previous entry. Tampering with a past entry breaks the chain, which is detectable by replaying the verification. For agent audit logs, this matters because a compromised agent or a post-incident attacker might try to remove evidence of credential access. An HMAC-chained log cannot be silently edited.

Append-only audit. An audit log that accepts new records but does not allow deletion or modification of existing ones. In practice, "append-only" is often enforced by file permissions, write-once storage, or a separate append-only service. "Append-only" is a weaker guarantee than HMAC-chaining: it prevents casual deletion but does not detect overwrites that preserve file permissions.

Blast radius. The maximum scope of damage if a given agent action goes wrong or a given credential is stolen. Blast radius analysis asks: if the agent's context window is poisoned right now, what can it affect? If this API key leaks, what can an attacker do with it? Keeping blast radius small means scoped credentials, short-lived grants, and an agent that can't access production while editing staging.

Ambient credential. (See attack surface section.) In hardening terms, the goal is eliminating ambient credentials by delivering secrets only through a broker at exec time. Ephemeral injection is the mechanism.

.agentignore. A proposed file format (similar to .gitignore) for specifying paths the agent should not read, even if it could. No coding agent tool currently enforces a universal .agentignore spec, though Claude Code's .claudeignore and similar per-tool variants exist. The Register broke a story in January 2026 about .claudeignore partial bypasses, where files listed in the ignore config were still readable under certain access patterns. Treat per-tool ignore files as guidance, not enforcement.

.gitignore vs. .npmignore. Two different files with different semantics that are frequently confused in agent security discussions. .gitignore prevents files from entering version control. .npmignore prevents files from entering npm package tarballs. A file in .gitignore is still included in an npm publish unless also in .npmignore (or the package's files field). The Knostic disclosure in February 2026 exploited exactly this gap. Assume no path excluded from git is automatically excluded from any publish artifact.

Terms that should be retired

Some terms have been stretched past the point where they carry precise meaning. Each of the five below actively misleads when written into a security policy or threat model.

"AI safety" is the most overloaded term in the field. In alignment research, it refers to ensuring models behave as intended over time. In enterprise security, it gets applied to access control, data exfiltration, and prompt injection prevention. In product marketing, it's a synonym for "guardrails." When someone says an AI system is "safe," ask which definition they mean. If the answer isn't specific, the claim is empty.

"RAG" (Retrieval-Augmented Generation) is frequently used to describe any pattern where the model reads external content. In actual RAG systems, a retrieval component fetches documents to augment the context. The term is misapplied to tool calls, web browsing, and file reading. An agent that reads your codebase is not doing RAG. The security model for RAG asks what the retriever can access. The security model for tool calls asks what the model can instruct the tool to do. Conflating them produces analysis that fits neither.

"Agent" itself is overloaded enough to belong here. "Agent" describes: a single model call with tool access, a multi-step autonomous loop, a human-in-the-loop system with suggestions, and orchestration frameworks with multiple models. In security documents, "agent" should always be followed by a description of what it can do. "An agent with write access to the repository and internet access" is precise. "An agent" is not.

"Guardrails" now means any system-level limit on model behavior, without distinguishing between input filtering, output filtering, function-level restrictions, and runtime enforcement. Most systems labeled "guardrails" do regex-based filtering that rephrased adversarial content bypasses. Name the control by what it does.

"Zero trust for AI" arrived as a marketing term before the technical definition stabilized. "Zero trust" in network security means verify every request, never assume a trusted perimeter. Applied to agents, it should mean: verify every tool call, treat agent context as potentially adversarial. Vendors use it to describe any access control system, with or without verification.

Checklist for your team glossary

Every security policy or threat model document for agent systems should explicitly define these terms. Paste this into the appendix of your security policy and fill in the blank after each colon.

Agent security definitions (fill in before policy review)

- "agent" in this document means:
- "tool call" approval means:
- "ambient credential" means we will / will not allow:
- "ephemeral injection" is handled by:
- "blast radius" for a compromised agent session is bounded by:
- "prompt injection" in this context includes / excludes indirect injection:
- "audit log" for agent actions is stored at:
- "grant" expiry in this system is:
- ".agentignore / .claudeignore" enforcement is:
- ".gitignore" and publish artifact ignore files are:
- "RAG" in this document refers specifically to:
- "AI safety" in this document means:

If you can't fill in each blank, the policy isn't ready to review.

What this means for your stack

Shared vocabulary is necessary but not enough. The terms above describe attack patterns and controls. Those controls only work if your runtime actually implements them.

Most agent setups today default to the architecture that makes these attacks easy: the agent reads ambient credentials, persists environment state to disk, and logs freely. Researchers have more vocabulary for exploiting that setup than most defenders have for changing it.

hasp is one working implementation of the broker model described here. curl -fsSL https://gethasp.com/install.sh | sh, hasp setup, connect a project, and the agent receives sigils instead of values. State files hold references. Audit entries are HMAC-chained. Source-available (FCL-1.0), local-first, macOS and Linux, no account.

The durable lesson is narrower: a team that agrees on definitions before an incident will write better controls, scope smaller blast radii, and understand a postmortem faster. A team that debates terminology during an incident loses time it doesn't have.