Status: positioning note. Companion to the Checkpoint Enforcement System — Requirements. Every external system below was verified against its source (arXiv IDs in References); see the Verification note for the one figure we could not independently confirm.
Proposed framing (a direction we might move in)
Boundary-Triggered Deliberation: Non-Disruptive Reasoning Checkpoints for Long-Horizon Agents.
The name carries all three pillars of the requirements: boundary-triggered (R4/R5 — the WHEN), deliberation / reasoning checkpoints (R1/R3 — the WHAT), and non-disruptive (R9/R10 — the HOW). It also locates the work in its camp: a runtime-trajectory control plane that infers structure rather than authoring it (L10/L13/L14).
Short answer
AgentSpec is the closest single match to the control model, and the behavioral-firewall pDFA (arXiv 2604.26274) is the closest match to the boundary-detection mechanism. Nothing in the wild is a full match, because the R9 (zero workflow modification) + R1 (mechanism-agnostic checkpoint) combination is the part nobody else has. Ranked honestly against the actual requirements:
AgentSpec — closest on modality (R5 / R7 / R10)
A runtime-enforcement layer with a trigger → predicate → enforcement rule structure, whose enforcement vocabulary already includes both of our postures: it can steer ("enforce self-reflection via an LLM before a high-risk task") and hard-gate ("enforce human verification before modifying sensitive data"). That shape is essentially our R5-detect → R7-classify → R10-steer-or-gate pipeline.
Where it diverges: AgentSpec rules are largely hand-authored, and it is framed as an embedded enforcement library (implemented in LangChain), not a hook control plane over a closed third-party agent. It matches our logic but assumes more access than we have.
Behavioral-firewall pDFA (Praetor) — closest on detection (R5 / R5a / R11)
It compiles observed tool-call telemetry into a deterministic automaton over the recent trajectory and gates by O(1) state lookup — exactly our "deterministic predicate over the trajectory" with an audit trail.
But it is a cautionary twin as much as a sibling. It learns its automaton offline from clean traces, which makes it brittle under tool-set drift — benign-task breakage is the documented failure mode. That is precisely why R5a (anti-flap) and the insistence on coarse tool-class signals (rather than learned fine-grained sequences) exist. We detect online without a training corpus, so we are deliberately the same family built to avoid its failure mode — more general, at the cost of a coarser signal.
AEGIS — closest on the boundary primitive (R10 / R13 / L13)
A pre-execution firewall that intercepts every tool call and returns allow / block / pending(→human), with a tamper-evident audit trail. That triad is exactly our window-vs-grant posture, and "intercept at the tool boundary, decide, audit" is our L13 boundary-exposure model.
Where it diverges: AEGIS is stateless and single-call — it judges each call in isolation. We are explicitly stateful (windows span a coherent batch, R6). AEGIS is our enforcement doorway without the phase/window concept on top.
Progent — closest on the determinism stance (L4 / L5)
Privilege control via a deterministic policy over tool names + arguments, model-independent. It is the cleanest existing proof of our "no model in the enforcement path" principle.
Where it diverges: Progent is a privilege/permission system (what an agent is allowed to touch), not a cadence/re-planning system (when it must re-deliberate). Different axis — it governs scope; we govern rhythm.
The orchestration camp (LangGraph / Temporal / DBOS) — borrowed primitive only (L11)
Already settled: we take their checkpoint/state-snapshot concept and nothing else. They are World-1 (author the graph); we are World-2 (infer it). Not architecturally similar — just the donor of one data structure.
The honest composite
We are an AEGIS-style tool-boundary interceptor, running an AgentSpec-style trigger/predicate/enforce rule engine, whose detector is a deliberately-coarsened, online, drift-resistant cousin of the Praetor pDFA, holding Progent's no-model-in-the-path determinism, and borrowing LangGraph's checkpoint primitive for the window state. No shipping system is that combination.
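A minimal sketch of that composite, added here as an illustration; it is not code from AgentSpec, Praetor, AEGIS, Progent or the Requirements doc. It shows a pre-execution hook that detects phase boundaries online from coarse tool classes, suppresses flapping with a dwell threshold (R5a), answers allow / steer / gate (R10), and exposes a mechanism-agnostic checkpoint slot (R1) with an audit trail. The tool names, class map, `HIGH_RISK` set, `MIN_DWELL` value and all identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical coarse tool classes; the note names no concrete tools.
TOOL_CLASS = {"read_file": "read", "grep": "read", "edit_file": "write",
              "write_file": "write", "run_tests": "exec", "shell": "exec"}
HIGH_RISK = {"exec"}  # assumed: classes hard-gated while a checkpoint is owed
MIN_DWELL = 2         # assumed anti-flap threshold: calls a new class must persist

@dataclass
class BoundaryInterceptor:
    phase: str = ""       # tool class of the current window ("" = not started)
    candidate: str = ""   # class that may become the next phase
    streak: int = 0       # consecutive calls seen in `candidate`
    pending: bool = False # boundary confirmed, no checkpoint recorded yet
    audit: list = field(default_factory=list)

    def on_tool_call(self, tool: str) -> str:
        """Pre-execution hook; returns 'allow', 'steer' or 'gate'. No model involved."""
        cls = TOOL_CLASS.get(tool, "unknown")  # unmapped tools form their own class
        self.phase = self.phase or cls
        if cls == self.phase:
            self.candidate, self.streak = "", 0  # excursion ended: not a boundary
        else:
            self.streak = self.streak + 1 if cls == self.candidate else 1
            self.candidate = cls
            if self.streak >= MIN_DWELL:         # boundary confirmed
                self.phase, self.candidate, self.streak = cls, "", 0
                self.pending = True
        decision = ("gate" if cls in HIGH_RISK else "steer") if self.pending else "allow"
        self.audit.append((len(self.audit), tool, cls, self.phase, decision))
        return decision

    def record_checkpoint(self) -> None:
        """Checkpoint slot: any mechanism reports that reassessment occurred."""
        self.pending = False
        self.audit.append((len(self.audit), "<checkpoint>", None, self.phase, "ack"))

def replay(events):  # the token 'CHECKPOINT' marks a recorded checkpoint
    icpt, out = BoundaryInterceptor(), []
    for ev in events:
        if ev == "CHECKPOINT":
            icpt.record_checkpoint()
        else:
            out.append(icpt.on_tool_call(ev))
    return out, icpt.audit

# Constructed sample trace (not from any real agent).
TRACE = ["read_file", "grep", "edit_file", "read_file", "edit_file",
         "write_file", "CHECKPOINT", "edit_file", "run_tests", "shell"]
```

With `MIN_DWELL = 2` the first call of a new class always passes before the boundary is confirmed, which is the latency cost of anti-flap; `replay(TRACE)` returns the per-call decisions and the audit list.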
What actually makes ours distinct
The thing that separates this from every system above is the pairing of R1 (the checkpoint is a pluggable, mechanism-agnostic "deliberate reassessment occurred" slot) with R9 (zero user-workflow modification).
Every system above governs an agent to make it safe — block the bad tool call, prevent the exfiltration, enforce the privilege boundary. None is built to make a long task re-deliberate at phase boundaries while being invisible to how the human works. AEGIS / Progent / AgentSpec are safety guardrails; the behavioral firewall is an attack-trajectory blocker. Ours is a work-cadence / reasoning-quality control plane that happens to use the same deterministic-interception machinery. That is a genuinely different purpose sitting on shared mechanism — which is exactly why the mechanisms match closely and nothing matches the whole.
Caveat (calibration)
All five names are 2025–2026 work, several are preprints, and the field moves fast enough that a closer match could exist under a name that has not surfaced in our training data or in the searches run so far. The open, narrow, answerable question is: is there a published system doing the cadence / re-planning job specifically — not just safety? That search has not yet been run to exhaustion. From what we have verified: closest-on-modality is AgentSpec, closest-on-detection is the behavioral firewall, and the whole of this design has no current twin.
References
- AgentSpec: Customizable Runtime Enforcement for Safe and Reliable LLM Agents — arXiv 2503.18666
- Enforcing Benign Trajectories: A Behavioral Firewall for Structured-Workflow AI Agents (Praetor; pDFA) — arXiv 2604.26274
- AEGIS: No Tool Call Left Unchecked — A Pre-Execution Firewall and Audit Layer for AI Agents — arXiv 2603.12621
- Progent: Programmable Privilege Control for LLM Agents — arXiv 2504.11703
- Orchestration camp: LangGraph (checkpoint/interrupt-resume), Temporal / DBOS (durable execution) — reference architectures, not dependencies (L11/L12).
- Related context (from the Requirements doc): Guardrails as Infrastructure arXiv 2603.18059; TraceSafe arXiv 2604.07223.
Verification note
AgentSpec, Praetor/behavioral-firewall, AEGIS, and Progent were each confirmed to exist with the titles and arXiv IDs above and to match the characterizations given. One figure is not independently confirmed: the claim that the behavioral firewall "broke ~24% of benign tasks under tool-set drift." Search snippets surfaced its attack-success metrics (where it is framed as outperforming AEGIS), not a benign-breakage rate — so the precise number should be confirmed against arXiv 2604.26274 before it is relied on. The qualitative point (offline-learned automata are brittle under tool-set drift, motivating R5a) stands regardless.