ThirdKey publishes the trust primitives we ship as open specifications and peer-reviewable preprints. Every cryptographic boundary, every policy phase, every guarantee — written down so security teams can audit it before it runs in production.
Open-access on Zenodo. Specifications, threat-research preprints, and empirical evaluations — each one a self-contained artifact a security engineer can read, implement, and audit.
An empirical study of how attackers with write access to RAG ingestion pipelines can hide payloads inside embeddings — noise injection, rotation, scaling, offset, and fragmentation that preserve retrieval behavior while defeating statistical detectors. Disjoint-Givens rotation reaches ⌊d/2⌋·b bits per vector (1,920 bytes at d=3072). Introduces VectorPin — Ed25519 signatures binding each embedding to its source content and embedding model, so that verification fails on any post-embedding tampering.
A specification for declarative tool interface contracts in agentic runtimes. A single .clad.toml manifest defines typed parameters, validation, invocation, output parsing, and Cedar policy — across CLI, sessions, and governed browser execution. Replaces freeform shell generation with allow-list-validated tool invocation.
A compile-time approach to enforcing policy gates in AI agent loops via typestate encoding. Evaluated across nine hosted LLM providers — 263 forbidden tool-call attempts refused without execution at 30–95µs per check. Addresses the time-of-check-to-time-of-use problem with affine ownership semantics.
An open specification for zero-trust execution of AI agents. Defines declarative tool contracts with allow-list enforcement, compile-time verification of the Observe-Reason-Gate-Act loop, and structural separation of the policy gate from language-model influence across five architectural layers.
Working notes from research.thirdkey.ai — what we’re building, what we got wrong, what changed.
RAG ingestion pipelines treat any vector that retrieves well as legitimate — a trust model attackers exploit to hide payloads inside embeddings. VectorPin closes the gap with Ed25519 signatures binding each vector to its source content and to the model that produced it.
Prompt-based safety degrades under operational load — a kind of context rot that parallels human goal neglect. The fix is structural: policy evaluation and typed contracts, not prose rules.
ToolClad replaces freeform shell generation with a declarative manifest of typed parameters and templates — safer agent execution through allow-list validation, not deny-list filtering.
A Rust agent runtime that enforces policy evaluation as a mandatory compile-time phase — combining typestate patterns, durable journaling, and cryptographic auditing so agents can’t bypass authorization.
A guarantee that can’t be written down isn’t one.