Skip to main content
AIDiveForge AIDiveForge
Visit Trajeckt

Get This Tool

License: Apache-2.0 Any use incl. commercial
Local-run terms: Source available under Apache-2.0; build and run via cargo or Docker with full commercial use permitted.

Share This Tool

Compare This Tool
📋 Embed this tool on your site

Copy this code to embed a compact tool card:

Trajeckt

FreeOpen SourceAPISelf-Hosted

Pricing

Model
Free

Summary

An AI agent that reads a file, then calls an external API, then exfiltrates the result — each step passes your per-action policy check, and the data is already gone by the time you notice. Trajeckt exists to close that gap.

The tool sits as a runtime gateway between your agent and its tools, evaluating the sequence of calls rather than any individual call in isolation. The vendor states enforcement runs deterministically in approximately 1.6ms, outside the model itself, so policy decisions cannot be overridden by prompt injection. It is open-source under Apache-2.0 and self-hostable via Docker or Cargo. Where it fits well is MCP-compatible setups that need sequence-level rules without building a custom policy engine. Where it breaks is anywhere you need probabilistic or context-aware rules — this is deterministic enforcement, and the constraints you do not define ahead of time do not get caught.

Bottom line: Pick trajeckt when you are shipping an MCP-based agent and need to enforce 'this tool call must never follow that one' as a hard rule; skip it when your threat model requires adaptive policies that evolve with session context, because the deterministic rule engine will not cover what you did not anticipate.

Community Performance Report Card

No community ratings yet. Be the first to rate this tool!

Best For: AI agent deployments requiring sequence-level policy enforcement, Environments using MCP or similar tool-calling interfaces, Developers needing lightweight deterministic guardrails

Community Benchmarks Community

No community benchmarks yet. Be the first to share a real-world data point.

  • Trajectory-aware blocking catches multi-step exfiltration chains where every individual call looks clean, so attacks that evade per-action filters get stopped before data leaves the environment.
  • Deterministic enforcement at approximately 1.6ms per decision, per the vendor, so adding this layer to an agent's tool-call path does not introduce meaningful latency at typical request volumes.
  • Runs outside the model and is not reachable by prompt injection, which means a compromised prompt cannot talk the policy engine into allowing a blocked sequence.
  • Apache-2.0 license with self-hosted Docker and Cargo deployment paths, so your traffic and trajectory data stay inside your own infrastructure without a vendor dependency.
  • Python SDK included alongside the core gateway, which means integrating trajeckt into an existing Python-based agent stack does not require wrapping a foreign-language binary by hand.
  • Policy coverage is limited to sequences you define in advance: if an attacker constructs an exfiltration chain you did not model in the config, no rule fires and the traffic passes. Teams with a broad or evolving threat surface end up writing and maintaining a growing config corpus, at which point the 'lightweight' framing stops holding.
  • The deterministic rule engine has no probabilistic or semantic layer — it cannot flag 'this trajectory looks unusual even if no explicit rule matches.' Teams that need anomaly detection on top of hard rules typically add a separate monitoring layer, which means maintaining two systems.
  • At the point where your agent's allowed call graph is genuinely complex — branching on prior results, conditional paths, dynamic tool registration — encoding that graph as causal constraints becomes its own engineering problem. Teams with agents at that complexity level often move to a full policy engine that supports programmatic rule generation rather than static config files.

Community Reviews

No reviews yet. Be the first to share your experience.

About

Platforms
Rust, Docker
API Available
Yes
Self-Hosted
Yes
Last Updated
2026-07-01T02:41:19.795Z

Best For

Who it's for

  • AI agent deployments requiring sequence-level policy enforcement
  • Environments using MCP or similar tool-calling interfaces
  • Developers needing lightweight deterministic guardrails

What it does well

  • Preventing data exfiltration via chained tool calls in AI agents
  • Enforcing causal constraints on agent trajectories at runtime
  • Adding trajectory-aware security to MCP-compatible agent setups

Integrations

MCP

Discussion Community

No discussion yet. Sign in to start the conversation.

Spotted incorrect or missing data? Join our community of contributors.

Sign Up to Contribute

Community Notes & Tips Community

Be the first to contribute. General notes, observations, gotchas, and tips from people who use this tool day-to-day.

Frequently Asked Questions

Is Trajeckt free?
Yes — Trajeckt is fully free to use. There is no paid tier.
Is Trajeckt open source?
Yes. Trajeckt is open source.
Does Trajeckt have an API?
Yes. Trajeckt exposes a developer API. See the official documentation at https://github.com/beebeevb/trajeckt for details.
Can I self-host Trajeckt?
Yes. Trajeckt supports self-hosting on your own infrastructure.
What platforms does Trajeckt support?
Trajeckt is available on: Rust, Docker.

Hours Saved & ROI Stories Community

Be the first to contribute. Concrete time/cost savings, with context. e.g. "Cut my code review backlog from 4h to 45m per week."

Trajeckt

Trajeckt is a runtime enforcement gateway that inspects the trajectory — the ordered sequence of tool calls an agent makes — and blocks chains that violate defined causal constraints, even when each individual call would pass a per-action check. The core workflow is interception: agent tool calls route through trajeckt, the gateway checks the call against trajectory state, and it either passes or blocks before the downstream tool executes. Policy is defined ahead of time in config; the docs describe a baseline trajectory file that encodes allowed sequences.

The differentiating design choice is trajectory-awareness. Per-action filters, the default in most guardrail setups, evaluate each call in isolation. That misses multi-step exploits: read-then-exfiltrate, enumerate-then-exfiltrate, or any pattern where harm only emerges from the sequence. Trajeckt tracks trajectory state across the session and applies causal rules to the chain, not the individual link.

This architecture fits tightly scoped, high-trust environments — internal tool-calling agents, MCP-compatible setups, or any deployment where the allowed call sequences are knowable in advance and worth encoding explicitly. It breaks when the threat surface is open-ended: if an attacker can construct a novel exfiltration chain you did not anticipate, there is no rule to block it. Teams that need probabilistic anomaly detection or rules that adapt to session semantics will find the deterministic engine a ceiling, not a floor, and typically add a second layer or move to a policy engine that supports learned baselines.

The repository includes Docker and Cargo setup paths, a Python SDK under sdk-python, deployment configs, and example trajectories. The vendor states latency at approximately 1.6ms per enforcement decision, and the gateway runs outside the model, which means prompt injection cannot reach the enforcement logic directly.