The science behind enclawed
enclawed isn’t a wrapper with a marketing claim — it’s the implementation of six papers on making agentic AI verifiable, containable, and auditable, now extending into hardware with a patent-pending, consensus-based root of trust. All authored by Alfredo Metere (Enclawed LLC).
Patent pending · hardware root of trust
Reimagining the Root of Trust: A Hardware-Isolated, Consensus-Based Accreditor for Securing Software and Agentic-AI Runtimes
enclawed’s software already delivers deterministic, auditable security that off-the-shelf agent runtimes simply don’t — that value stands entirely on its own, no special hardware required. The hardware root of trust is an optional, additional layer that anchors the same protection in tamper-proof silicon for the highest-assurance environments. It establishes trust by consensus among multiple mutually-isolated verifiers (instead of the single check used by conventional TPMs and HSMs), splits keys so that no single node ever holds a complete one, and continuously attests and accredits each sensitive operation inside a tamper-responsive, electromagnetically shielded boundary — extending trust even to threat models in which the host hardware itself is targeted. Designed to meet or exceed FIPS 140-3 Level 4, with protections beyond the standard’s mandate.
enclawed: A Configurable, Sector-Neutral Hardening Framework for Single-User AI Assistant Gateways
The foundational paper — what enclawed is. A configurable, sector-neutral set of security controls (admission gate, hash-chained audit, two-layer egress, DLP, prompt shield) wrapped around the agent loop, shipped as named configuration “flavors” rather than feature flags.
Architectural Obsolescence of Unhardened Agentic-AI Runtimes
The head-to-head behind the headline number: upstream OpenClaw scores recall 0.000 on F1–F4; enclawed-oss scores 1.000 — across 1,600 adversarial/legitimate samples and a 10-LLM cross-model run. Argues the gap is structural (seven missing primitives), not a matter of tuning.
Skills as Verifiable Artifacts: A Trust Schema and a Biconditional Correctness Criterion for Human-in-the-Loop Agent Runtimes
Treats an agent “skill” as untrusted code until verified. Defines a four-level trust lattice (unverified → declared → tested → formal) and a biconditional pass/fail criterion a runtime gate enforces — the single innovation that closes failure modes F1–F4.
Methods for Formal Verification of Agent Skills: Three Layers Toward a Mechanically Checkable Capability-Containment Proof
How to raise a skill to the highest “formal” trust level: sound static capability-containment analysis, refinement-typed tool-call envelopes, and SMT-bounded model checking — composable methods toward a machine-checkable proof that a skill stays within its declared capabilities.
An Application-Layer Multi-Modal Covert-Channel Reference Monitor for LLM Agent Egress
The egress monitor that drives hidden-exfiltration capacity to zero across text (zero-width, homoglyph, whitespace, base64), image (LSB, luminance), and audio (ultrasonic, sonified) carriers — with information-theoretic capacity measurement to prove it.
Attested Tool-Server Admission: A Security Extension to the Model Context Protocol
How to admit third-party MCP tool servers (e.g. Google Workspace) safely — an offline-signed clearance assertion, a deny-by-default per-server tool allowlist, and tamper-evident audit — without changing the Model Context Protocol itself.
The central result is reproducible from the open-source core:
node --test enclawed/test/paper-conformance.test.mjs
Figures, data, and camera-ready copies on request —
[email protected].