The trust boundary for AI agents
Your agent isthe attack surface.
Every AI agent you deploy is untrusted code with access to your credentials, your APIs, and your infrastructure. Vekt is the execution layer that assumes breach — WASM-sandboxed workers that can't see your secrets, can't touch your network, and die the moment they step out of line.
Skill execution trace
MCP → VektArchitecture
Four layers. Zero trust between them.
Channels feed events to the gateway. The gateway feeds the supervisor. The supervisor runs WASM workers. Workers can only request actions — the supervisor decides what actually executes. Credentials never cross the boundary.
Gateway
Authenticates events via HMAC, API key, or bearer token. Normalizes inputs, strips injection vectors, and enforces policy before anything reaches the supervisor.
Supervisor
Hosts the Wasmtime runtime. Manages worker lifecycle, enforces fuel and memory quotas, resolves secrets server-side, and writes the immutable audit trail.
WASM Workers
Disposable sandboxes with zero capabilities by default — no network, no filesystem, no env vars. Workers request actions through host functions; the supervisor decides what happens.
Secrets Service
Pluggable vault with macOS Keychain, 1Password Connect, and encrypted file backends. Secrets are resolved by the supervisor and injected into outbound requests — workers never see credential values.
Security model
The worker is hostile. Design accordingly.
Vekt treats every WASM worker as potentially compromised. The isolation model is capability denial — workers start with nothing and can only do what policy explicitly allows, mediated entirely by the supervisor.
- Linear memory isolation — no shared state between workers
- Fuel and memory limits — deterministic execution with hard caps
- Three host functions only — request_action, emit_event, get_task_context
- Secrets resolved server-side — workers reference keys, never see values
- Microsecond teardown — kill and replace any worker instantly
WASM sandbox
Wasmtime runtime with zero WASI capabilities granted. No filesystem, no network, no environment variables. The worker address space is a dead end.
Policy engine
Default-deny with pattern-based rules. llm.* matches all LLM actions. Each secret is scoped to specific action types — groq_api_key only works for llm.* requests.
Secrets vault
AES-256-GCM encryption, PBKDF2 key derivation (100k iterations), split key/secrets files. Out-of-band provisioning via vekt-vault CLI.
Capabilities
Ship it. We'll contain it.
MCP-native
Ships as an MCP server. Claude Desktop, Claude Code, Codex — any MCP client gets Vekt's tools automatically, including skills that self-register on load.
Declarative skills
Define agent workflows in YAML. Chain LLM calls, HTTP requests, and memory operations with template variables and conditional logic. No WASM required.
Persistent memory
Workers remember things across invocations. Namespace isolation keeps skill memory separate by default — or opt into shared namespaces when skills need to collaborate. TTL expiration and full audit trail.
Pluggable secrets
macOS Keychain, 1Password Connect, or encrypted file vault. Bring your existing secret infrastructure — Vekt wraps it in the same trust boundary.
Bring your own keys
Multi-provider LLM support — Groq, OpenAI, Anthropic, Ollama, LM Studio. Your keys stay in the vault; the worker just says what model to call.
Default-deny policy
Every worker request is checked against pattern-based rules before execution. No policy, no action. Every secret is scoped to specific action types.
Why Vekt
What happens when your agent goes wrong?
What's next
Try it in your browser.
We're building a live demo where a real WASM worker runs in your browser — executing skills, enforcing policy, and producing audit traces. Same architecture, same isolation, no server required.
Don't get rekt — get vekt.
Get in touch
Your agents are running. Are they contained?
Vekt is built for teams shipping AI agents into production — where "it works on my machine" isn't good enough and "trust the model" isn't a security policy.