Cordon, a new transactional runtime for tool-using LLM agents, exposes cross-step violations that existing per-call guardrails miss, according to its authors' evaluation across adversarial and benign workflows.
Today's agent runtimes expose tools as isolated RPCs. Each call gets its own guardrails, but the system lacks a task-scoped execution boundary for commit, rollback, recovery, and audit across multi-step workflows. The Cordon authors argue this mismatch calls for a runtime containment boundary, not another per-call filter.
The Semantic Transaction Abstraction
Cordon introduces a transaction manager that tracks derived result objects, executes reversible mutations in shadow state, stages outward-facing actions in an effect outbox, and records recovery metadata. A semantic transaction binds tool intents and runtime-tracked result lineage to reversible local state, staged external effects, delegated authority, and audit metadata. The runtime validates the composed execution flow before it commits state or releases external effects.
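As an added illustration (not the paper's code and not an implementation of Cordon itself), the toy Python runtime below shows how the pieces the abstraction composes fit together: tool intents, shadow state, an effect outbox, result lineage and an audit log, with one validation pass over the composed flow before anything is committed or released. The tool names, the sample state and the policy that results of a `read_secret` call must not reach an outbound effect are assumptions.

```python
import copy

SENSITIVE_SOURCES = {"read_secret"}  # assumed policy: results of these tools must stay local
STATE = {"vault": {"api_key": "constructed-sample-key"}, "notes": []}  # constructed sample

class SemanticTransaction:
    def __init__(self, state):
        self.committed, self.shadow = state, copy.deepcopy(state)  # durable vs. reversible
        self.outbox, self.log = [], []       # staged external effects; audit/recovery trail
        self.values, self.lineage = {}, {}   # result id -> value / set of source tools

    def _resolve(self, arg):  # an argument naming an earlier result inherits its lineage
        known = isinstance(arg, str) and arg in self.values
        return (self.values[arg], self.lineage[arg]) if known else (arg, set())

    def call(self, tool, **args):
        resolved = {k: self._resolve(v) for k, v in args.items()}
        sources = {tool}.union(*[src for _, src in resolved.values()])
        vals = {k: v for k, (v, _) in resolved.items()}
        self.log.append((tool, vals, sorted(sources)))
        if tool == "read_secret":        # local read: harmless on its own
            out = self.shadow["vault"][vals["name"]]
        elif tool == "write_note":       # local mutation, applied only to shadow state
            self.shadow["notes"].append(vals["text"]); out = vals["text"]
        elif tool == "send_email":       # outward-facing effect: staged, never sent here
            self.outbox.append((vals, sources)); out = "staged"
        else: raise ValueError(f"unknown tool {tool}")
        rid = f"r{len(self.values)}"; self.values[rid], self.lineage[rid] = out, sources
        return rid

    def commit(self):  # validate the composed flow, then publish or roll back
        for vals, sources in self.outbox:
            if sources & SENSITIVE_SOURCES:  # cross-step check: no single call is at fault
                self.shadow, self.outbox = copy.deepcopy(self.committed), []
                return {"status": "rolled_back", "reason": f"effect derives from {sorted(sources)}"}
        released, self.outbox = [v for v, _ in self.outbox], []
        self.committed = self.shadow
        return {"status": "committed", "released": released}

def run(steps, state=STATE):
    # steps: [(tool, args)]; an arg equal to an earlier result id ("r0", "r1", ...) passes it on
    tx = SemanticTransaction(copy.deepcopy(state))
    for tool, args in steps:
        tx.call(tool, **args)
    return tx.commit(), tx.committed

# Two constructed workflows; the send_email calls look identical to a per-call guardrail.
BENIGN = [("write_note", {"text": "standup at 10:00"}), ("send_email", {"to": "team@example.test", "body": "r0"})]
LEAKY = [("read_secret", {"name": "api_key"}), ("send_email", {"to": "outside@example.test", "body": "r0"})]
```

`run(BENIGN)` commits the note and releases the staged mail, while `run(LEAKY)` rolls back because the mail body's lineage traces to `read_secret`, a fact neither call exposes on its own.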
Cross-Step Violations Caught in Evaluation
The paper evaluates Cordon against both adversarial and benign workflows. Cordon exposes cross-step violations that existing defenses miss entirely. It also reduces irreversible-effect failures while preserving benign task completion, all with modest approval and latency overhead.
Cordon suggests a concrete path toward runtime containment boundaries for LLM agents, making multi-step tool use safer without sacrificing task completion.
Source: Cordon: Semantic Transactions for Tool-Using LLM Agents
Domain: arxiv.org