As AI agents proliferate across the internet, security researchers are waking up to a brutal truth: every authorization system on the market evaluates one action at a time. That framing structurally cannot see violations that live in the ordering and data-flow between actions. A new open-source project called trajeckt—dropped on Hacker News this weekend—aims to fix that with deterministic, fail-closed enforcement that runs in roughly 1.6 milliseconds.

The Core Problem With Current Agent Security

The author, posting as beebeeVB, frames it cleanly: reading a database is allowed. Sending an email is allowed. Doing them in that order is data exfiltration—and every per-action check walks right through. Existing solutions use LLMs to guard agents, which introduces hallucination and latency into the security path itself. trajeckt takes a different approach entirely: instead of asking "is this individual action safe?", it asks "does this action fit within the sealed trajectory we've already committed to?"

How Sealed Commitment Enforcement Works

The architecture centers on something called a CompiledGraph (Gτ)—a cryptographically signed, operator-approved declaration of exactly which tools an agent may call, in what order, and to which data sinks. Before any tool call is allowed, the gateway requires this sealed graph. Once sealed, that graph becomes the authority. Every subsequent action gets checked against the current reachable frontier of the sealed graph, with taint propagation tracking where sensitive data originated. The enforcement happens at multiple levels: Type V checks verify transitions exist in the committed graph; Type II provenance constraints ensure sensitive read outputs don't reach unauthorized sinks; and an origin-trust lattice (Untrusted < Memory < External < ToolOutput < CleanWorkspace < TrustedUser) blocks control-flow attacks unless explicitly authorized. Sessions with no installed graph are hard-refused before any evaluation runs.
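As an added illustration, not trajeckt's own code, the following toy Python model shows the checks described above in sequence: a graph is installed only after its operator signature verifies, a session with no graph is hard-refused, every call is tested against the reachable frontier (Type V), sensitive-read taint is tracked to external sinks (Type II), and writes to control sinks need an origin at or above a trust floor. The tool names, graph field names, HMAC as a stand-in for the real signing scheme, and TrustedUser as the control floor are all assumptions.

```python
import hashlib, hmac, json
from enum import IntEnum

# Origin-trust lattice in the order the article gives; the numeric ranks are ours.
class Origin(IntEnum):
    UNTRUSTED = 0
    MEMORY = 1
    EXTERNAL = 2
    TOOL_OUTPUT = 3
    CLEAN_WORKSPACE = 4
    TRUSTED_USER = 5

CONTROL_FLOOR = Origin.TRUSTED_USER  # assumed floor for writes to control sinks

def seal(graph: dict, key: bytes) -> bytes:
    """Operator signs the canonical graph; HMAC stands in for the real signing scheme."""
    return hmac.new(key, json.dumps(graph, sort_keys=True).encode(), hashlib.sha256).digest()

class Gateway:
    """Toy sealed-commitment enforcer: no graph => refuse; else frontier, taint and origin checks."""
    def __init__(self, key: bytes):
        self.key, self.graph, self.frontier, self.tainted = key, None, set(), False

    def install(self, graph: dict, sig: bytes) -> None:
        if not hmac.compare_digest(seal(graph, self.key), sig):
            raise ValueError("graph signature invalid; nothing installed")
        self.graph, self.frontier, self.tainted = graph, {graph["start"]}, False

    def check(self, tool: str, origin: Origin = Origin.TRUSTED_USER) -> str:
        if self.graph is None:                        # fail closed: hard refusal, no evaluation
            return "REFUSED:no-graph"
        g = self.graph
        reachable = {s for n in self.frontier for s in g["edges"].get(n, [])}
        if tool not in reachable:                     # Type V: edge must exist in the sealed graph
            return "BLOCKED:transition"
        if tool in g["external_sinks"] and self.tainted:   # Type II: taint must not reach an external sink
            return "BLOCKED:provenance"
        if tool in g["control_sinks"] and origin < CONTROL_FLOOR:  # control-flow floor
            return "BLOCKED:origin"
        if tool in g["sensitive_reads"]:              # sensitive output taints the session from here on
            self.tainted = True
        self.frontier = {tool}
        return "ALLOW"

# Constructed sample graph: the edge read_db -> send_email is declared, so only the
# provenance check (not the transition check) stops the exfiltration chain.
GRAPH = {"start": "start",
         "edges": {"start": ["read_db", "search_docs", "run_shell"],
                   "read_db": ["send_email"], "search_docs": ["send_email"]},
         "sensitive_reads": ["read_db"], "external_sinks": ["send_email"],
         "control_sinks": ["run_shell"]}
KEY = b"operator-signing-key (constructed)"

def run_session(steps, graph=GRAPH, key=KEY):
    """Install the sealed graph, then return the decision for each (tool[, origin]) step."""
    gw = Gateway(key)
    gw.install(graph, seal(graph, key))
    return [gw.check(*step) for step in steps]
```

`run_session([("read_db",), ("send_email",)])` reproduces the smoke test from the article: the sensitive read is allowed and the external write that would complete the exfiltration is blocked.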

Built in Rust for Millisecond-Scale Latency

The entire enforcement gateway is written in Rust, and the performance numbers back up the choice: approximately 1.6 milliseconds per enforcement decision. The project ships as a Docker container that bundles the traj compiler, bringing sealed-commitment enforcement live out of the box with zero hand-authored config required. A full smoke test—sensitive read allowed, then the external write that completes an exfiltration blocked—is included in DOCKER.md.

Two Enforcement Modes for Different Risk Profiles

trajeckt operates in two distinct modes. The primary mode is sealed-commitment enforcement (auto_commitment=on, require_commitment=on by default), where every session must have a cryptographically signed trajectory graph installed before any tool calls are evaluated. The fallback mode is heuristic sequence detection—triggered only when allow_uncommitted: true is explicitly set in the policy YAML—which catches known-bad patterns like ReadSensitive → ExternalWrite chains and ShellExec → NetworkEgress command-and-control sequences.

ClawTrojan Benchmark Integration

The project includes end-to-end test coverage against the ClawTrojan benchmark, an independent published suite of trajectory-style agent attacks. The stealthy-delay pattern (cs_delay_002) is enforced fully: writes to control sinks that consume memory- or untrusted-origin content are blocked unless a trusted instruction authorizes them. The origin-trust lattice and control-flow floor are defined identically in both trajeckt and the Traj language, with cross-repo equivalence vectors preventing drift.

Key Takeaways

  • trajeckt evaluates entire agent trajectories, not individual actions—so multi-step exfiltration attempts get blocked even when each step looks legal
  • Rust-based enforcement runs at ~1.6ms per decision; Docker quickstart brings sealed-commitment security live with no config authoring
  • MCP protocol implementation (2025-11-25 non-streaming profile) lets you proxy any MCP-speaking agent through the gateway by changing one URL
  • The ClawTrojan cs_delay_002 pattern is proven end-to-end, with architecture that generalizes to other trajectory-style attacks via shared primitives

The Bottom Line

This is exactly the kind of infrastructure we need as AI agents graduate from demos to production systems handling real data. Per-action security checks are theater for anything beyond toy examples—and beebeeVB's insight that you can't secure trajectories with LLMs (hello, hallucination) without adding latency and failure modes is spot-on. trajeckt won't catch prompt-injection attacks and does no semantic content analysis, but it addresses a real gap that no other open-source tool currently fills.