Open problems we are funding
the work to solve.

Today's mainstream agent platforms — LangChain agent loops, OpenAI Assistants, the various GPT-Action-style tool-calling frameworks — share a runtime across customers. Tools, code execution, and tenant credentials co-exist in the same process or container. This works because the customer is typically a single engineering team that owns the deployment and reviews the tool code itself.

In a marketplace model, the runtime hosts code written by arbitrary open-source maintainers, executed on behalf of an SMB operator, with that operator's real production credentials for Stripe, Twilio, GoHighLevel, Calendly, and a long tail of other third-party services. A single prompt-injection vulnerability in one skill, a single credential exfiltration through one skill's tool call, or a single sandbox escape becomes a cross-tenant incident and a supply-chain incident at the same time. The 2025 Replit and Cursor MCP incidents, where adversarial inputs reached privileged tool calls in shared runtimes, are early proofs of concept of this failure mode.

The known robust answer is hardware-backed isolation: each (tenant, skill) pair runs in its own VM. AWS Lambda demonstrates this is operationally feasible at scale using Firecracker MicroVMs. But Lambda is a stateless function platform; an agent skill is stateful, and pricing the stateful per-(tenant, skill) case at SMB unit economics ($0.001–$0.01 per agent action) is unsolved.

A stateful agent-skill runtime is not a function invocation. It carries:

• multi-megabyte conversation history and tool-call traces
• the skill bundle itself (a chunk of third-party code)
• live credential leases for the customer's connected services (Stripe, Twilio, GHL)
• in-flight retry state for partially completed actions

Cold-starting that into a fresh Firecracker microVM today takes 2–4 seconds and several hundred milliseconds of CPU work. For a real-time voice receptionist deployed from the catalog, the latency budget is ≤ 700 ms end-to-end. For an SMS reply skill invoked from a webhook, the cost-per-invocation must stay below half a cent for the marketplace business model to hold. Closing both gaps simultaneously — sub-second stateful cold-start, sub-cent per-task — is the research target.

Three combined techniques:

1. Snapshot-restore with delta-only state hydration. The per-(tenant, skill) microVM image is restored from an immutable base snapshot, and a small per-action delta is rehydrated from a tenant-scoped object store.
2. Capability-scoped credential brokering. The skill runtime never holds long-lived customer credentials. It requests a short-lived (≤ 5 minute) action-scoped delegation from a separate broker — eliminating credential persistence inside any third-party skill's context, even if that skill is later found to be malicious or compromised.
3. Predictive warm pools by aisle. Aisle-specific traffic patterns (an HVAC operator's customer-service skill gets a phone-call burst at 7–9am Mountain Time) drive a scheduler that pre-warms microVMs against forecasted demand.

A measured cold-start latency distribution across 1,000 stateful microVM restorations spanning 30+ catalog skills, with target p95 < 800 ms and per-invocation cost < $0.005, on a representative SMB workload trace. Plus a credential-broker compliance audit showing zero long-lived customer credentials persisted inside any skill context across the test corpus.

In an enterprise deployment, the AI safety story relies on engineers reviewing logs, on SOC 2 controls maintained by a security team, and on a CISO who can read CloudTrail. None of those exist at a five-person HVAC business. The customer is the owner-operator. They cannot read JSON logs and they cannot interpret an audit trail expressed in IAM events.

The marketplace model adds a layer: each skill in the operator's composed deployment was authored by someone different. If each maintainer ships their own log format, the operator is asked to read five different idioms. The trustworthy-AI subproblem is: how do you give a non-technical operator the ability to verify, in plain English, what every skill in their deployment did on their behalf — and the ability to reverse it if it was wrong — without giving up the autonomy that makes the catalog valuable in the first place.

Three constraints fight each other. First, the audit must be tamper-evident: a malicious skill or a compromised process must not be able to retroactively edit its own history. Second, the audit must be replayable: an operator must be able to ask "what would have happened if I had said no to that action three hours ago?" and get a deterministic answer. Third, the surface must be readable by someone who has never seen a log line, which means the underlying record cannot be a verbose machine log — it has to be a structured, semantically rich event that renders into prose. And it has to be uniform across skills written by maintainers who never coordinated.

These constraints separately are well-studied. Tamper-evidence is solved by hash-chained logs (Merkle trees, certificate transparency). Replayability is solved by deterministic event-sourcing. Plain-English rendering is solved by templated event-to-prose generators. The combination — particularly the constraints that the LLM-generated prose cannot be the source of truth, and that the structured event schema must be enforced uniformly across heterogeneous third-party skills — is unsolved at the SMB-marketplace layer.

Cryptographically chained per-action event records emitted by the runtime, not by the skill. Each agent action produces a structured event with: (a) the skill's identity and version pin, (b) the input state hash, (c) the tool call's signed parameters, (d) the external resource ID, (e) the prior event's hash. The chain is anchored periodically to an immutable store. Operator-facing prose is rendered deterministically from the structured event by a small templated generator — the LLM is not in the audit path, eliminating hallucination as a class of audit failure. Because the event is emitted by the runtime, a malicious skill cannot opt out of being audited.

A reference implementation of the audit chain integrated with our existing AgentCore-based runtime, plus a usability study with 12 SMB operators measuring whether they can correctly identify a planted erroneous skill action from the operator-facing audit view. Target: ≥ 80% identification rate at the first reading.