Modules
RADIUS enforces security through an ordered module pipeline. Every event passes through the same deterministic path. No module asks an LLM to decide whether an action is safe.
Recommended full pipeline
kill_switchskill_scannertool_policyfs_guardcommand_guardexec_sandboxegress_guardoutput_dlprate_budgetapproval_gateaudit
If multiple modules could block the same action, the first deny in pipeline order wins.
Profile defaults are a subset of this full order (standard and unbounded start without egress_guard and approval_gate).
Optional hardening modules (v0.5+)
These modules are opt-in. Existing v0.4.x configs continue to work unchanged.
self_defense— place aftertool_policyand beforefs_guardtripwire_guard— place afterfs_guardto detect honeytoken path/env touchesrepetition_guard— place afterrate_budgetfor repeated identical-call detectionverdict_provider— place beforeapproval_gatewhen using external verdict services
Module matrix
| Module | Primary purpose | Typical decision | Default | Deep dive |
|---|---|---|---|---|
kill_switch | Emergency hard stop | deny | on | Open |
skill_scanner | Detect malicious skill payloads | challenge / deny | on | Open |
tool_policy | Allow/deny by tool identity | allow / deny | on | Open |
self_defense | Immutable config/control-plane protection | deny | optional | Open |
fs_guard | Restrict filesystem topology | deny | on | Open |
tripwire_guard | Honeytoken tripwires in files/env | deny / alert | optional | Open |
command_guard | Block dangerous shell patterns | deny | on | Open |
exec_sandbox | Isolate command execution | modify / deny | on | Open |
egress_guard | Control outbound network | deny | profile-dependent | Open |
output_dlp | Stop secret leakage in output | redact / deny | on | Open |
rate_budget | Cap tool-call velocity | deny | on | Open |
repetition_guard | Detect identical repeated tool calls | deny / alert | optional | Open |
verdict_provider | External deterministic verdict input | deny / allow | optional | Open |
approval_gate | Human-in-the-loop approval | challenge | optional | Open |
audit | Append-only event trail | alert (log only) | on | Open |
Deep-dive pages
- kill_switch
- skill_scanner
- tool_policy
- self_defense
- fs_guard
- tripwire_guard
- command_guard
- exec_sandbox
- egress_guard
- output_dlp
- rate_budget
- repetition_guard
- verdict_provider
- approval_gate
- audit
Recommended defaults by posture
| Posture | Goal | Notes |
|---|---|---|
local | Maximum containment | exec_sandbox required, strict deny |
standard | Daily development safety | Balanced deny + redact + challenge |
unbounded | Research/observation mode | Mostly allow, keep audit on |
Start with standard, move to local before production access to sensitive systems.