The last six months of agent security have been a dumpster fire of vulnerabilities—from EchoLeak to CurXecute. Most current security relies on "prompt and pray" or sandboxing. Prompts are suggestions, not constraints. Sandboxes are a blunt instrument that often break agent utility.

At Unprompted conference, we released our work on a deterministic Reference Monitor for coding agents like Claude Code, Cursor, and GitHub Copilot CLI.

The Architecture: We use local hook adapters to intercept events over stdio. These normalize agent-specific tool calls into a common Trajectory Event Model (Actions, Observations, Control, State).

Deterministic Adjudication with Cedar: Instead of LLM as a judge, we use the Cedar policy language to authorize tool calls. Cedar allows us to write formally analyzable policies that return a binary ALLOW or DENY. It replaces probabilistic hope with a hard, deterministic boundary between the agent and your shell/filesystem.

Trajectory-Aware State: A single request check misses the pattern. Our harness tracks state across the full execution history. If an agent reads a credential in step 1, the policy engine blocks it from calling an external API in step 10.

We’ve open sourced the hook implementations and policy packs for various coding agents:https://github.com/sondera-ai/sondera-coding-agent-hooks

Key Demos in the write-up:

--Blocking destructive commands in Claude Code. --Stopping the lethal trifecta in Cursor. --Enforcing Information Flow Control in Gemini CLI.