Agentor: Building a Secure AI Agents Framework in Rust

The Challenge

AI agents frameworks have become essential infrastructure for teams integrating large language models into production workflows. Most of these frameworks are written in Python — a language optimized for rapid prototyping but fundamentally limited in memory safety, runtime performance, and deterministic behavior. Xcapit was engaged to conduct a security audit of a prominent open-source AI agents framework, and the findings were concerning.

The audit revealed three categories of structural limitations. First, memory safety: Python's garbage collector introduces non-deterministic pauses and the lack of ownership semantics makes it impossible to guarantee that sensitive data — API keys, user prompts, model responses — is properly deallocated. Second, runtime overhead: agent orchestration in Python consumed 5 to 10 times more memory than equivalent logic in a systems language, making multi-agent deployments prohibitively expensive. Third, compliance gaps: the framework's architecture made it difficult to implement audit trails, sandboxed execution, and data residency controls required by ISO 27001, GDPR, and similar regulatory standards.

These were not bugs that could be patched. They were consequences of fundamental architectural decisions — the choice of language, the absence of execution isolation, and the lack of structured security boundaries.

From Audit to Agentor: The Origin

The security audit produced a detailed report with over 40 findings classified by severity. While the framework's maintainers received the report constructively, it became clear that addressing the root causes would require a complete rewrite — not of the framework's features, but of its foundation. Xcapit's engineering team, with deep experience in systems programming and cryptographic infrastructure, decided to build that foundation themselves.

The project was named Agentor. The goal was explicit: replicate all the functional capabilities of the audited framework — agent orchestration, tool execution, provider integration, conversation management — but implement them in Rust with memory safety, zero-cost abstractions, and compliance-ready architecture from day one. The framework would be released under AGPL-3.0 to ensure it remains open source while protecting against proprietary forks.

Architecture in Rust

Agentor is structured as 13 modular crates, each with a single responsibility and well-defined interfaces. This design allows teams to use only the components they need and replace individual modules without affecting the rest of the system.

• agentor-core: type definitions, traits, and shared abstractions used across all crates
• agentor-runtime: the agent execution engine with structured conversation loops and configurable strategies
• agentor-providers: integrations with LLM providers (OpenAI, Anthropic, local models) via a unified trait
• agentor-tools: tool registration, validation, and execution with schema-based argument parsing
• agentor-mcp: full implementation of the Model Context Protocol for cross-framework interoperability
• agentor-sandbox: WASM-based sandboxed execution environment for untrusted tool code
• agentor-cli: command-line interface for running agents, managing configurations, and debugging workflows

The entire codebase uses zero-copy serialization where possible, avoiding unnecessary memory allocations during message passing between agents and tools. Rust's ownership model guarantees that sensitive data such as API keys and model responses cannot be accessed after being moved or dropped — a guarantee that is simply not possible in garbage-collected languages.

WASM Sandbox

One of the most critical security features in Agentor is the WASM sandbox for tool execution. When an AI agent decides to invoke a tool — whether it is reading a file, executing code, or calling an external API — that execution happens inside a WebAssembly sandbox with strictly defined capabilities.

The sandbox enforces memory isolation (tools cannot access the host process memory), filesystem restrictions (tools can only access explicitly granted paths), network boundaries (outbound requests are filtered by allowlist), and time limits (runaway tools are terminated after a configurable timeout). This means that even if a tool contains malicious logic or an LLM hallucinates a dangerous command, the blast radius is contained within the sandbox boundary.

Optimized for Code Generation

While most AI agents frameworks treat code generation as one use case among many, Agentor was designed from the ground up with code generation as a first-class workflow. This is its key differentiator. Development teams using LLMs to generate, refactor, and test code need an agent framework that understands the structure of software projects — not just text.

• Spec-driven development: agents can ingest structured specifications (OpenAPI, protobuf, JSON Schema) and generate implementation code that conforms to the spec, with validation at every step
• Multi-file code output: unlike frameworks that produce single-file responses, Agentor supports coordinated multi-file generation with dependency tracking and import resolution
• AST-aware transformations: code modifications are performed at the abstract syntax tree level rather than string manipulation, reducing the risk of syntax errors and preserving formatting conventions
• Integrated testing pipelines: generated code is automatically routed through configurable test suites before being presented as final output, catching errors before they reach the developer
• Context-window optimization: large codebases are intelligently chunked and prioritized so that the most relevant files are included in the LLM context window, maximizing generation quality

This combination of features makes Agentor particularly suited for enterprise environments where code generation must be reliable, auditable, and integrated into existing CI/CD pipelines.

MCP Protocol Integration

Agentor includes a complete implementation of the Model Context Protocol (MCP), the emerging standard for connecting AI agents to external tools, data sources, and services. MCP support means that any tool built for Claude, GPT, or other MCP-compatible models can be used directly within Agentor without modification.

The integration works in both directions: Agentor can act as an MCP client, consuming tools exposed by external MCP servers, and as an MCP server, exposing its own tools and capabilities to other agents or orchestration systems. This bidirectional compatibility ensures that Agentor fits into existing infrastructure rather than requiring teams to replace their current tooling.

Compliance & Security

Agentor was built with regulatory compliance as a design constraint, not an afterthought. The framework includes features that address the most common requirements across regulated industries:

• GDPR-ready: all data processing paths support explicit consent tracking, data minimization, and the right to erasure. Sensitive fields can be annotated for automatic redaction in logs
• ISO 27001 aligned: the modular architecture maps directly to ISO 27001 control domains, with documented security boundaries between crates and explicit risk ownership per module
• DPGA candidate: as an open-source project with documented social impact potential, Agentor is being submitted to the Digital Public Goods Alliance registry
• AGPL-3.0 license: ensures the framework remains open source and any modifications deployed as a service must also be open source, preventing proprietary lock-in
• Audit trail: every agent decision, tool invocation, and model response is logged with structured metadata for post-hoc analysis and regulatory review

Results & Metrics

Agentor's development has reached production readiness with measurable outcomes that validate the architectural decisions made during the rewrite:

• 483+ automated tests covering unit, integration, and end-to-end scenarios across all 13 crates
• 13 modular crates with clear dependency boundaries, enabling teams to adopt incrementally
• Cold start time under 50ms — compared to 2-5 seconds for equivalent Python frameworks
• 10x less memory consumption than Python-based alternatives in multi-agent orchestration benchmarks
• WASM sandbox isolation with configurable filesystem, network, and memory boundaries per tool execution
• Full MCP Protocol compliance, verified against the official test suite

Key Takeaways

• Security audits can reveal structural limitations that no amount of patching can fix — sometimes the right answer is a clean rewrite in a systems language
• Rust's ownership model provides memory safety guarantees that are essential for AI agents handling sensitive data in production
• WASM sandboxing turns tool execution from a trust-based model into a capability-based model, fundamentally changing the security posture of AI agents
• Optimizing for code generation as a first-class workflow — not just text generation — requires AST-aware transformations, multi-file coordination, and integrated testing
• MCP Protocol support ensures interoperability with the broader AI ecosystem without vendor lock-in
• Open-source licensing under AGPL-3.0 protects the framework from proprietary capture while enabling broad adoption

Interested in deploying AI agents with production-grade security and performance? Whether you need a secure agent framework for regulated environments, code generation pipelines for your development team, or custom AI integrations — Xcapit has the infrastructure and the expertise. Let's talk.