Join waitlistJoin
How it worksResearchDocsAdoptersPricingContactJoin waitlist
Back to research
Agent boundary

Runtime-agnostic agent guardrails

Model-selected tool calls, native tools, adversarial plans, halt state, and proof across OpenClaw, Hermes, MCP, and Generic HTTP before dangerous function bodies run.

Agent boundary research sequence

Eight chapters. One continuous agent-control story.

The path moves from the first OpenClaw payment block, to adversarial replay, late-stage drift, native tool-body proof, second-runtime model turns through Hermes, Hermes parity, a four-runtime parity proof, and finally a clean-install CLI path for those adapters.

01Baseline proof before bodyA model-selected payment.transfer call was stopped before the tool function ran.May 902Adversarial replay under loadSeven attack patterns replayed as 700 concurrent attempts with zero body calls.May 1303Late-drift deep dive at turn eightThe bad action appeared after safe-looking context and was still blocked at execution.May 1404Native tool proof three bodies blockedDeploy, export, and payment tools were invoked natively and blocked before body entry.May 1405Hermes proof second runtimeHermes model turns through OpenAI, Gemini, and DeepSeek were blocked before body entry.May 1606Hermes native tools parity proofHermes native tools, replay, mutation, action matrix, and model-turn checks now match the OpenClaw evidence depth.May 1607Joint runtime proof one policyOpenClaw, Hermes, MCP, and Generic HTTP shared one constitution across 100-way mixed concurrency, delegation, halt, and fail-closed preflight.May 1908Clean install path four init commandsA fresh npm workspace installed the CLI, initialized four adapters, and re-ran the shared proof with zero prohibited body calls.May 19
Start here

The first three reads in this boundary.

These notes give the clearest path from product behavior to measured evidence before the full archive.

Installer proofPublished

A fresh install wrapped four agent runtimes with one CLI path.

The Imladri CLI was packed, installed in a fresh npm workspace, used to initialize OpenClaw, Hermes, MCP, and Generic HTTP adapters, then blocked 100/100 mixed-runtime prohibited attempts with zero body calls.

Runtimes4/4
Init4/4
Mixed blocks100/100
Body calls0
Agent CLIClean installRuntime adapters
May 19, 2026 / 6 min read
Joint runtime proofPublished

One policy controlled OpenClaw, Hermes, MCP, and a Generic HTTP agent.

A final joint demo runner put OpenClaw, Hermes, MCP, and a Generic HTTP agent behind one Imladri constitution, then passed 100/100 mixed-runtime blocks, 4/4 delegation checks, shared halt, fail-closed preflight, and schema checks with zero prohibited body calls.

Runtimes4/4
Mixed blocks100/100
Latency p9532.734ms
Body calls0
OpenClawHermesMCPGeneric HTTP
May 19, 2026 / 6 min read
Execution-boundary deep-divePublished

Plan-time guardrails are not enough. The bad action appeared at turn eight.

OpenClaw 2026.5.12 local-agent smoke passed; five model surfaces selected late-drift plans, and Imladri blocked 35/35 scenarios plus 700/700 concurrent replays with zero body calls.

Models5/5
Scenarios35/35
Replay700/700
Body calls0
Late driftExecution boundaryOpenClaw
May 14, 2026 / 7 min read
Articles

Full archive for this boundary.

Hermes native proofPublished

Hermes reached native tool-body parity with OpenClaw.

Hermes loaded the Imladri plugin through its real PluginManager, blocked three dangerous native bodies, then passed 700 adversarial replays, 140 latency-budget checks, 50 prohibited actions, and three model-provider turns.

Replay700/700
Budget140/140
Matrix50/50
Body calls0
HermesNative toolsParity proof
May 16, 2026 / 8 min read
Hermes boundaryPublished

Hermes selected the payment workflow. Imladri blocked it across three model providers.

Hermes chat model turns through OpenAI, Gemini, and DeepSeek selected the protected finance workflow; Imladri blocked all three before the dangerous body, then passed 700 adversarial replays and a 50-action matrix.

Model turns3/3
Replay700/700
Matrix50/50
Body calls0
HermesAgent guardrailsAction matrix
May 16, 2026 / 7 min read
Native tool boundaryPublished

OpenClaw model.run selected the bad action. Imladri blocked it across native tools and 50 action classes.

OpenClaw model.run produced prohibited plans across four configured models; native plugin tools and a 50-action live matrix were blocked before prohibited bodies or side effects.

model.run4/4
Matrix50/50
Native blocked3/3
Body calls0
OpenClawmodel.runAction matrix
May 15, 2026 / 8 min read
OpenClaw follow-upPublished

OpenClaw adversarial replay blocked 700 of 700 production-style attacks.

Follow-up research after the original OpenClaw proof: native OpenClaw tool blocking, 7/7 adversarial patterns, 700/700 concurrent blocks, a 200ms latency-budget run, and 9/9 malformed constitutions failing closed.

Attack load700/700
Latency p95199.904ms
Budget140/140
Policy9/9 closed
OpenClawAdversarial replayAgent guardrails
May 13, 2026 / 8 min read
OpenClaw labPublished

Five OpenClaw model-plan reruns selected payment.transfer. Imladri blocked all before the body.

OpenAI, Gemini, and DeepSeek OpenClaw model-plan reruns selected a prohibited payment tool; a native OpenClaw plugin tool run then confirmed Imladri blocked before the real tool body.

Models5/5
Native toolblocked
Body calls0
Side effects0
OpenClawAgent guardrailsWindows lab
May 9, 2026 / 9 min read