Research & papers

The science behind enclawed

enclawed isn’t a wrapper with a marketing claim — it’s the implementation of six papers on making agentic AI verifiable, containable, and auditable. All of them are here, authored by Alfredo Metere (Enclawed LLC).

arXiv preprint · the framework

enclawed: A Configurable, Sector-Neutral Hardening Framework for Single-User AI Assistant Gateways

The foundational paper — what enclawed is. A configurable, sector-neutral set of security controls (admission gate, hash-chained audit, two-layer egress, DLP, prompt shield) wrapped around the agent loop, shipped as named configuration “flavors” rather than feature flags.

arXiv preprint · empirical comparison

Architectural Obsolescence of Unhardened Agentic-AI Runtimes

The head-to-head behind the headline number: upstream OpenClaw scores recall 0.000 on failure modes F1–F4, while enclawed-oss scores 1.000, measured across 1,600 adversarial and legitimate samples and a 10-LLM cross-model run. Argues the gap is structural (seven missing primitives), not a matter of tuning.

Accepted · Agent Skills ’26 Workshop

Skills as Verifiable Artifacts: A Trust Schema and a Biconditional Correctness Criterion for Human-in-the-Loop Agent Runtimes

Treats an agent “skill” as untrusted code until verified. Defines a four-level trust lattice (unverified → declared → tested → formal) and a biconditional pass/fail criterion a runtime gate enforces — the single innovation that closes failure modes F1–F4.

Zenodo preprint · companion paper

Methods for Formal Verification of Agent Skills: Three Layers Toward a Mechanically Checkable Capability-Containment Proof

How to raise a skill to the highest “formal” trust level: sound static capability-containment analysis, refinement-typed tool-call envelopes, and SMT-bounded model checking — composable methods toward a machine-checkable proof that a skill stays within its declared capabilities.

arXiv preprint

An Application-Layer Multi-Modal Covert-Channel Reference Monitor for LLM Agent Egress

The egress monitor that drives hidden-exfiltration capacity to zero across text (zero-width, homoglyph, whitespace, base64), image (LSB, luminance), and audio (ultrasonic, sonified) carriers — with information-theoretic capacity measurement to prove it.

Zenodo preprint · MCP standards proposal

Attested Tool-Server Admission: A Security Extension to the Model Context Protocol

How to admit third-party MCP tool servers (e.g. Google Workspace) safely — an offline-signed clearance assertion, a deny-by-default per-server tool allowlist, and tamper-evident audit — without changing the Model Context Protocol itself.

The central result is reproducible from the open-source core:
node --test enclawed/test/paper-conformance.test.mjs

Figures, data, and camera-ready copies on request — alfredo.metere@enclawed.com.