The independent in-kernel enforcement & audit-of-record layer for AI agents — the only one that guards its own off-switch and ships an audit even root can't scrub.
Watch your language!
Every command an agent speaks is read at the syscall — and ruled before it runs.
Every escape attempt fails — denied at the syscall, or defeated by persistence.
The agent runs in userspace. Oknek runs in the kernel — where the operator it runs under can't quietly turn it off or rewrite what it saw.
Every syscall the agent makes hits a BPF-LSM hook first. Not on the allowlist → EPERM, before it runs. Watched agents are also denied kernel-module loads (R18) and setuid escalation (R15).
R20 pins the hooks: root rm, mv, umount and map-write all return EPERM — and killing the daemon just leaves the kernel enforcement running. The off-switch guards itself.
Okular: hash-chained, ed25519-signed, immutable Object-Lock. A locked version's DELETE returns 403.
Root owns the box and still can't disarm the enforcer. Every disable path is hooked and denied — and killing the daemon just leaves the kernel enforcement running.
No absolute claims. A reboot or a kernel exploit is out-of-band — and it doesn't go quiet.
A gap in the audit chain is itself the alarm. You can break Oknek — you can't do it quietly.
Okular hash-chains every verdict, ed25519-signs each anchor, and parks it under Object-Lock. Delete a locked version → 403.
Every other tool is a daemon root owns — mute it, unload it, edit the log. Three rows nobody else can fill.
| Capability | Oknek | Detection / EDR | Userspace guardrails |
|---|---|---|---|
| Stops the action before it runs | Enforce · in-kernel | Detect after | Advisory |
| Survives its own root operator | Self-guarding · R20 | root-removable | root-removable |
| Ships an audit root can't scrub | WORM · DELETE → 403 | tamperable log | tamperable log |
| Scoped to autonomous agents | Agent-native policy | Host-generic | Prompt-layer |
Run Tetragon for your workloads. Run Oknek for the thing making autonomous decisions on top of them.
Start in observe, watch the verdicts, flip to enforce. Three templates cover the agents most teams run first.
No egress, no shell-out beyond the repo sandbox.
Egress allowlist only; creds files unreadable.
Pinned APIs, no lateral host or socket pivot.
Observe-first means zero surprise denials. The pins you arm on purpose are the pins you disarm on purpose.
R20 holds against a rogue root mid-run. Adoption is gated-disarm from the SB lane — you stay in control of arming and removing it.
One host, one agent, observe-first. See the verdicts on your own workload before you arm a single pin.