Deterministic security controls for AI agents. No LLM in the decision loop.
"The more data & control you give to the AI agent: (A) the more it can help you AND (B) the more it can hurt you." — Lex Fridman
Your agent has root access to your machine. Your security layer is a system prompt that says "please be careful." Think about that for a second.
User: "Please don't delete my files..."
Agent: "I understand. I'll be careful."
Agent: rm -rf /
Agent attempted: rm -rf /*
[ blocked by command_guard ]
Topology constraint violated. Action nullified.
Numbers from 78 validated research sources (114 analyzed), Feb 2026.
Of 3,984 marketplace skills scanned, 534 had critical issues. 76 were confirmed malicious — install-time scripts that stole credentials.
Researchers tested six coding agents for tool injection. All six could be driven to remote code execution through poisoned tool metadata.
A 78-study survey found most prompt-based guardrails break under adaptive red-team attacks. The LLM can't reliably police itself.
Every guard in RADIUS runs before the agent acts. A regex match on rm -rf is true or false. The agent can't talk its way past it.
Full source list in the research appendix.
Eleven modules, none with an LLM. They block or allow based on rules you write.
Blocks file access outside allowed paths. ~/.ssh, ~/.aws, /etc are unreachable.
Matches shell patterns — sudo, rm -rf, pipe chains. Blocked before execution.
Outbound network filter. Allowlist by domain, IP, port. Everything else dropped.
Catches secrets in output — AWS keys, tokens, private certs. Redacts or blocks.
Caps tool calls per minute. Stops runaway loops.
Inspects skills at load time for injection payloads: zero-width chars, base64 blobs, exfil URLs.
Sends risky operations to your Telegram for one-tap approval. You decide from your phone.
Append-only log. Every action, every timestamp. Can't be edited or deleted.
Emergency stop. Set an env var or drop a file, all risky actions halt.
Allow or deny by tool name. Optional argument schema validation. Default deny.
Wraps commands in bwrap (bubblewrap). Restricted filesystem and network access.
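As an added example, not RADIUS's own code, here is a deterministic command guard and path guard in the spirit of the two modules above: it splits a shell line at pipes and separators so every segment is checked, blocks sudo and recursive-force rm in any flag spelling, resolves paths before comparing them to the denied roots ~/.ssh, ~/.aws and /etc, and fails closed on input it cannot parse. The function names, rule lists and the (allowed, reason) return shape are this example's own assumptions.

```python
import os
import shlex

# Constructed rules for this example, modelled on the page's path guard and command guard.
DENIED_ROOTS = ["~/.ssh", "~/.aws", "/etc"]
SEPARATORS = {"|", "||", "&&", ";"}

def _segments(command):
    """Tokenize a shell line and split it at pipes/separators (ValueError on bad quoting)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments = [[]]
    for tok in lexer:
        if tok in SEPARATORS:
            segments.append([])
        else:
            segments[-1].append(tok)
    return [s for s in segments if s]

def _recursive_and_force(args):
    """True when the flags request both recursive and force, in any order or spelling."""
    short = "".join(t[1:] for t in args if t.startswith("-") and not t.startswith("--"))
    longs = {t for t in args if t.startswith("--")}
    recursive = bool(set(short) & {"r", "R"}) or "--recursive" in longs
    return recursive and ("f" in short or "--force" in longs)

def _denied_path(seg):
    """Return the first argument that resolves inside a denied root, if any."""
    roots = [os.path.realpath(os.path.expanduser(r)) for r in DENIED_ROOTS]
    for tok in seg:
        resolved = os.path.realpath(os.path.expanduser(tok))  # collapses ../ and symlinks
        if any(os.path.commonpath([root, resolved]) == root for root in roots):
            return tok
    return None

def check_command(command):
    """Deterministic allow/deny for one shell line; every pipeline segment is checked."""
    try:
        segments = _segments(command)
    except ValueError as exc:
        return False, f"blocked: unparseable command ({exc})"  # fail closed, never guess
    for seg in segments:
        if seg[0] == "sudo":
            return False, "blocked: sudo"
        if seg[0] == "rm" and _recursive_and_force(seg[1:]):
            return False, "blocked: recursive force rm"
        hit = _denied_path(seg)
        if hit is not None:
            return False, f"blocked: {hit} resolves inside a denied root"
    return True, "allowed"
```

Shell variable expansion and globbing are not modelled here, which is exactly why the page pairs the guards with a bwrap sandbox rather than relying on pattern matching alone.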
One config change. Pick the containment level that matches your context.
Production, billing, credentials. Default deny. Sandbox required. 30 calls/min.
Development, staging, daily work. Default deny. Secrets redacted. 60 calls/min.
Research, brainstorming, migration. Observe mode. Logs everything, blocks nothing. 120 calls/min.