Features

RADIUS is designed around deterministic enforcement, transparent decisions, and operational safety for agentic workflows.

Core capabilities

Deterministic policy engine

• Fixed decision model: allow, deny, modify, challenge, alert
• No LLM in the enforcement path
• First-deny-wins pipeline behavior

Multi-layer protection

• Tool identity control (tool_policy)
• Filesystem topology limits (fs_guard)
• Shell payload filtering (command_guard)
• Optional process isolation (exec_sandbox)
• Network egress constraints (egress_guard)
• Output secret controls (output_dlp)

Human-in-the-loop safety

• Optional approval_gate for high-impact actions
• Timeout behavior is deterministic (deny or alert)
• Telegram channel support for mobile approvals

Operational observability

• Append-only audit stream with decision context
• File, stdout, webhook, OTLP sink options
• Supports post-incident reconstruction

Runtime resilience

• kill_switch emergency stop
• rate_budget to prevent runaway loops
• skill_scanner to catch malicious skill metadata

CLI workflows

RADIUS ships with practical commands for setup and validation:

• npx agentradius init — scaffold policy and framework hooks
• npx agentradius doctor — environment and config validation
• npx agentradius pentest — adversarial smoke tests against active policy
• npx agentradius hook — adapter entrypoint for hook events

Profile model

Framework integration

OpenClaw

• Generated hook script and hook registry
• PreToolUse/PostToolUse enforcement
• Works with Telegram approvals

Generic mode

• Works without framework lock-in
• Can be called through your own orchestrator path

Security posture summary

RADIUS is strongest when used as:

1. fail-closed policy (defaultAction: deny)
2. explicit tool allowlisting
3. strict filesystem/network constraints
4. continuous pentest + audit review

Next docs

• Modules for full module-by-module reference
• Configuration for YAML options
• What’s New for latest updates and migration notes