MVAR is an IFC-based reference monitor for AI agent runtimes. Rather than attempting to detect prompt injection at the model layer, it enforces deterministic policy at privileged execution sinks.
Core invariant:
UNTRUSTED + CRITICAL → BLOCK
All data carries integrity and confidentiality labels with conservative propagation. Policy decisions depend on provenance and sink classification, not payload inspection or intent scoring.
Enforcement is structural rather than content-aware. MVAR does not parse prompts or evaluate semantics; it evaluates data lineage flowing into privileged sinks.
The goal is impact reduction: preventing untrusted-derived outputs from triggering unsafe tool execution.
Phase 1 scope and known limitations are documented in THREAT_MODEL.md (manual sink registration, no composition attack modeling yet, etc.).
Reproduce locally:
./scripts/launch-gate.sh
Happy to answer technical questions and welcome adversarial feedback.
Author here.
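An added sketch of the label propagation and sink check described in the post. It is not MVAR's code or API: every name in it is hypothetical, and failing closed on unregistered sinks and on values with no recorded sources is an assumption of this example. Confidentiality is propagated but not used in the decision, because the post states only the integrity invariant.

```python
from dataclasses import dataclass
from enum import IntEnum

class Integrity(IntEnum):
    UNTRUSTED = 0
    TRUSTED = 1

class Confidentiality(IntEnum):
    PUBLIC = 0
    SECRET = 1

class Risk(IntEnum):
    LOW = 0
    CRITICAL = 1

@dataclass(frozen=True)
class Labeled:
    value: str
    integrity: Integrity
    confidentiality: Confidentiality

def derive(value, *sources):
    """Conservative propagation: a derived value takes the lowest integrity
    and the highest confidentiality of everything it was computed from."""
    return Labeled(
        value,
        # Assumption: a value with no recorded lineage gets the worst labels.
        min((s.integrity for s in sources), default=Integrity.UNTRUSTED),
        max((s.confidentiality for s in sources), default=Confidentiality.SECRET),
    )

# Manual sink registration (hypothetical sink names).
SINKS = {"shell.exec": Risk.CRITICAL, "ui.render": Risk.LOW}

def authorize(sink, arg):
    """Decide from provenance and sink class only; arg.value is never read."""
    risk = SINKS.get(sink, Risk.CRITICAL)  # assumption: unknown sinks fail closed
    if risk == Risk.CRITICAL and arg.integrity == Integrity.UNTRUSTED:
        return "BLOCK"  # UNTRUSTED + CRITICAL -> BLOCK
    return "ALLOW"

if __name__ == "__main__":
    # Constructed sample inputs: a user instruction and fetched web content.
    user = Labeled("list my files", Integrity.TRUSTED, Confidentiality.PUBLIC)
    web = Labeled("fetched page text", Integrity.UNTRUSTED, Confidentiality.PUBLIC)
    # Same command string, different lineage, different decision.
    print(authorize("shell.exec", derive("ls", user)))
    print(authorize("shell.exec", derive("ls", user, web)))
    print(authorize("ui.render", derive("ls", user, web)))
```

The two shell.exec calls pass an identical command string; only the lineage differs, which is what makes the decision independent of payload content.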