MIT OPEN SOURCE

VAREK

Deterministic OS-Level Containment for Autonomous Agents

Developed by Sober Agentic Infrastructure, Inc.

The Probabilistic Liability Gap

Large Language Models are probabilistic. Enterprise infrastructure is deterministic. Current safety approaches — prompt engineering, API monitoring — merely encourage good behavior, resulting in an unacceptable failure rate in high-stakes environments.

VAREK is the physical circuit breaker. It is a highly privileged, open-source "Warden" process that isolates untrusted AI agents and intercepts their raw system calls at the Linux kernel boundary (seccomp-unotify), entirely preventing unauthorized network egress or file modification.

May 2026 Milestone — v1.5 Released

VAREK v1.5 ships sub-microsecond policy decisions. The hybrid fast-path matcher achieves P99 = 271 ns across 10,000 measured decisions on commodity hardware — confirming that policy evaluation is not the bottleneck in seccomp-unotify enforcement, and freeing the architecture to scale to richer policy classes via the reserved decision-procedure slow path.

Core Architecture Metrics

VAREK is built for high-frequency execution environments, trapping and deriving semantic intent without introducing network latency. All numbers measured on commodity hardware (DigitalOcean 1 vCPU / 512 MB).

End-to-End Pipeline (v1.4)

57μs

Full Warden Enforcement

P99 latency for the full Warden pipeline: seccomp-unotify trap, cross-process memory extraction, policy decision, and in-kernel verdict injection. Measured across 10,000 decisions.

Policy Decision (v1.5)

271ns

Sub-Microsecond Policy Matcher

P99 latency for the v1.5 hybrid fast-path matcher (sorted prefix array + binary search). Two orders of magnitude faster than the end-to-end pipeline — the kernel trap, not the policy decision, dominates Warden latency.

Pre-Execution Plan Verification (v1.6 — in development)

Whole-Plan Compositional Decision

Admissibility analysis applied to an agent's planned sequence of actions before any action executes. Plans are represented as directed acyclic graphs of planned operations; a compositional decision procedure evaluates the entire plan with three-state ALLOW / DENY / UNKNOWN verdicts and symmetric suppression. Per-action enforcement remains continuously active during plan revisions, ensuring no protection gap. Protected by USPTO Provisional #64/062,549 (filed May 2026).

The Enterprise Hook: SAI Formal Verification

While VAREK provides the OS-level "Brawn," it is designed to natively route complex semantic transitions up to the proprietary Sober Agentic Infrastructure (SAI) engine for mathematical proof generation and enterprise compliance reporting.

WAISE Operational Target

When VAREK is paired with the SAI Enterprise Verification Engine, the architecture is designed to provide:

Zero False Negative Target: Designed to mathematically block adversarial workflow attack classes including multi-step privilege escalation, deceptive filesystem traversal, and covert channel exfiltration patterns. WAISE benchmark suite evaluation planned.
Bounded Latency: v1.5 hybrid fast-path achieves 271 ns P99 policy decisions today; richer policy classes (regex, integer ranges, multi-rule conjunctions) route to a reserved decision-procedure slow path. Architecture targets enterprise-grade latency budgets without perceptible overhead on human-facing workflows.

End-to-End Pipeline (VAREK + SAI)

Stage	Component
1. Intent Generation	Untrusted AI Agent executes `connect()`
2. Kernel Trap	VAREK: `seccomp-unotify` Bridge
3. Semantic Derivation	VAREK: Stateful Context Tracker
4. Formal Verification	VAREK: SMT Decision Procedure
5. Hardware Enforcement	VAREK: Warden injects `EPERM` via Kernel
Total Pre-Execution Block	57 μs P99 (v1.4 measured)

Open Source (The Lure)

VAREK is licensed under MIT, providing developers with an explicit patent grant to use the core OS-level interception architecture frictionlessly.

Proprietary Patents (The Hook)

Three foundational provisional patents forming a vertical kernel-to-plan verification stack. All assigned wholly to Sober Agentic Infrastructure, Inc.

USPTO Provisional Patent #1 — SMT-based deterministic safety decision procedure with three-state verdicts and symmetric suppression (filed March 2026)
USPTO Provisional Patent #2 — Warden architecture: privileged supervisor with kernel-level system-call interception, cross-process memory extraction, and in-kernel verdict injection (filed May 2026)
USPTO Provisional Patent #3 — Pre-execution verification of autonomous-agent plans via compositional policy decision over directed acyclic graphs of planned actions; extends the Warden architecture from per-action to whole-plan verification with continuous protection during plan revision (filed May 2026)