The same agent, the same attack, the same tool calls — run twice, side by side.
Without fak (left) every call the model proposes just runs.
With fak (right) the kernel adjudicates each call first.
Each row is a real decision by the fak kernel — no model involved. Watch what gets through.
WITHOUT fak — raw agent
every proposed call runs
WITH fak — kernel-gated
dangerous calls refused at the boundary
WITHOUT fak
the tool call
WITH fak
breach (poison admitted / destructive op executed)
held (paged out / refused)
legitimate call — runs on both
Both columns are two readings of one live replay through the real kernel (k.Syscall): the per-call
verdict already encodes what fak did and what an unmediated baseline would have done — neither side is modeled.
This is the live, side-by-side counterpart of examples/adjudication-demo (a sequential CLI). Self-contained:
no model weights, reproducible on any box. Headless self-check: go run ./cmd/guarddemo -selfcheck.