Typestate-Enforced Agent Loops: Making Policy Gates Unskippable at Compile Time

This preprint introduces a typestate-enforced encoding of the Observe-Reason-Gate-Act (ORGA) loop used in the Symbiont AI agent runtime. The construction makes the policy gate a compile-time predecessor of tool dispatch in any program that typechecks against the runtime's public API. Skipping the gate, dispatching without reasoning, observing without dispatching, or substituting an action between policy approval and execution are not policy violations but expressions that fail to compile.

We argue that this shifts agent security from runtime interception (the prevailing pattern in Python frameworks like LangChain and AutoGen, where enforcement correctness is an emergent property of how callbacks are wired) to structural enforcement (where the type system precludes the failure mode). We formalize the resulting phase-ordering guarantee, identify five explicit assumptions under which it holds, and address the time-of-check-to-time-of-use gap by showing how affine ownership semantics seal the approved action inside the gated phase.

Empirical results. The paper reports an evaluation across nine widely available hosted LLMs (GPT-5, Claude Haiku 4.5, Gemini 2.5 Pro, DeepSeek-V3.1, Qwen3-235B, Qwen3.6-Plus, MiMo-V2-Pro, MiniMax-M2.7, gpt-oss-20b) routed through OpenRouter in April 2026:

• 263 forbidden tool-call attempts refused across 874 cloud-adversarial runs, zero attempts reaching execution; cumulative across all sweeps: 642 Cedar plus 34 executor refusals.
• Per-model latency, throughput, and cost baseline identifying Claude Haiku 4.5 as the speed/quality/cost tripoint (6.3 s p50 task latency, 1066 tok/s, $0.0096 per run at 100% pass rate) and MiniMax M2.7 as the cheapest 100% pass rate at $0.001 per run.
• False-positive baseline: zero Cedar policy denials on legitimate workloads across 8 of 9 models (813 runs); the gpt-oss-20b case explained as a model misconception correctly caught.
• Five compile-fail tests verifying the typestate property on every CI run by exhibiting the expected compiler diagnostic for each illegal state transition.

What this is and is not. The paper is a technical preprint, not a peer-reviewed systems paper. It claims a narrow result (the policy gate is structurally unavoidable) and is explicit about what it does not claim (does not introduce typestates, does not prevent prompt injection, does not fix policy errors, does not claim performance superiority over runtime interception). The construction relocates the security surface rather than eliminating it; the residual surface (policy correctness, tool faithfulness, supply-chain discipline maintaining unsafe/FFI assumptions) is non-trivial and is the work of other layers of the Open Agent Trust Stack (OATS) specification.

Reproduction artifact. A companion repository at github.com/ThirdKeyAI/symbiont-orga-demo packages the benchmark harness, the perf aggregator used to produce the paper's tables, the five compile-fail tests with pinned .stderr snapshots, the Cedar policy files, the adversarial prompt corpus, and the OpenRouter sweep scripts. Cloning the demo and running cargo test re-verifies the typestate compile-fail suite locally; running the sweep scripts with an OpenRouter key reproduces the per-model latency, cost, and refusal numbers.

Software. The Symbiont runtime is open source under Apache 2.0 at github.com/thirdkeyai/symbiont. The Open Agent Trust Stack (OATS) specification is published at openagenttruststack.org.

Contents: 16 pages, three tables (cloud-adversarial refusals by model, per-model performance baseline, compile-fail test summary), eight sections including Introduction, Background and Related Work, the ORGA construction, formal guarantee with assumptions, comparison with runtime interception, empirical evaluation, portability to non-Rust ecosystems, and conclusion.

Keywords: AI agents; LLM tool use; agent security; typestate pattern; Rust; affine types; policy enforcement; Cedar; zero trust; OATS; Symbiont; Model Context Protocol; phase-ordering guarantees; structural enforcement.

Correspondence: jascha@thirdkey.ai