SECURITY MODEL · TRUST NOTHING PAST INTENT

Trust the model less.Control the action more.

MonkeyShield does not try to make an AI model infallible. It controls the moment when a model's intention becomes a real operation on your system.

Intent is not permission Policy before execution Every decision leaves evidence
LIVE TRUST BOUNDARY ENFORCING
UNTRUSTED INTENTAI agenttool.call(request)
shell.execute
MONKEYSHIELDENFORCEMENT GATEidentity · context · policy · risk
ALLOWScoped action
APPROVALHuman decision
DENYBlocked action
23:18:41agent=local-agent-01rule=deny.shell.destructiveDENY
01The model is not the boundary

Safety prompts can guide behavior. They cannot enforce operating-system permissions.

02Compromise is assumed

A hostile document may influence the agent. The system must remain safe anyway.

03Damage must be bounded

A failed decision should become a denied action—not a destroyed workstation.

04Evidence is part of control

Requests, policy versions, approvals and outcomes must form one trace.

01 / THREAT MODEL

Assume the agent can be wrong, manipulated or overprivileged.

Choose a threat to see the attack path and the control MonkeyShield places between intention and impact.

UNTRUSTED INPUT → TOOL CALLHIGH RISK

Prompt injection becomes a real action

A document instructs the agent to ignore its task and read a secret file. The model may comply, but its request still crosses an enforcement boundary.

01Hostile contentInstruction hidden in a file
02Agent requestfile.read ~/.ssh/id_ed25519
03MonkeyShieldSecret path is outside allowed scope
04BLOCKEDNo system call reaches the target
CONTROL RESPONSEPath-scoped deny rule + audit event

The request, identity, target, matched rule and denial are recorded as one decision.

02 / TRUST BOUNDARY

The agent never receives direct authority over the target.

Every capability is mediated. The agent requests an action; MonkeyShield decides whether a narrowly scoped operation may occur.

UNTRUSTED ZONEModel intentprompt · memory · retrieved content
tool request
TRUST BOUNDARYMonkeyShieldauthenticate → contextualize → decide → enforce
scoped operation
CONTROLLED ZONE
FILESYSTEMpath · mode · owner
SHELLcommand · args · privilege
NETWORKhost · method · payload
SECRETSidentity · purpose · lifetime
KEY IDEA

MonkeyShield does not need to prove that the model is trustworthy. It only needs to enforce that each requested action is permitted.

03 / DECISION LIFECYCLE

One request. Seven explicit checkpoints.

  1. 01InterceptCapture the tool request before execution.
  2. 02IdentifyBind the request to an agent and session.
  3. 03ContextResolve target, path, command and destination.
  4. 04EvaluateMatch ordered policy and risk conditions.
  5. 05ApprovePause when a human decision is required.
  6. 06EnforceExecute only the permitted scoped operation.
  7. 07RecordLink request, rule, decision and result.
FAIL-CLOSED CONTRACT

If identity, policy or enforcement is unavailable, the action does not proceed.

UNKNOWNDENY
04 / DECISION CONTRACT

Three outcomes. No vague middle state.

A policy evaluation returns a result that the runtime can actually enforce.

ALLOWExecute within the exact scopepath + action + identity + context
APPROVALPause before side effectsallow once · deny · create rule
DENYStop before the targetreason + rule + evidence
decision.json
{
  "request_id": "req_7f2a",
  "agent": "local-agent-01",
  "action": "shell.execute",
  "target": "sudo rm -rf /",
  "matched_rule": "deny.shell.destructive",
  "decision": "deny",
  "reason": "destructive privileged command",
  "audit_hash": "sha256:6be5..."
}
05 / HONEST SCOPE

A security boundary is credible only when its limits are explicit.

MONKEYSHIELD CONTROLS

Agent actions at the tool boundary

  • File reads, writes and deletes
  • Shell commands and privilege requests
  • Network destinations, methods and payloads
  • Human approvals and policy versions
  • Structured, linked decision audit
MONKEYSHIELD DOES NOT CLAIM

To make the model itself safe or correct

  • It does not eliminate prompt injection
  • It does not guarantee truthful model output
  • It does not replace Linux permissions or sandboxing
  • It cannot protect bypassed or unmediated tools
  • It is not a promise of absolute security
DEFENSE IN DEPTH

Designed to sit inside a layered system

01 · OS permissions02 · Containers / sandbox03 · MonkeyShield policy04 · Human approval05 · Monitoring & response
06 / LINUX-FIRST

Start where enforcement primitives are transparent.

Linux gives MonkeyShield a clear foundation for identities, processes, paths, namespaces and auditability. The roadmap separates current work from planned and research ideas.

CURRENT · MVP

Enforcement core

  • file.read / file.write
  • shell.execute
  • deny-by-default YAML
  • local audit trail
PLANNED

Broader control plane

  • network.request
  • approval broker
  • signed policy versions
  • agent adapters
RESEARCH

Deeper isolation

  • namespace integration
  • system-call mediation
  • secret lease model
  • cross-platform design
07 / QUESTIONS

The questions a security product should answer early.

Is MonkeyShield an antivirus for AI?+

Not exactly. It is an enforcement layer for agent actions. It does not scan the model for malware; it controls what tool calls are allowed to reach the system.

Does it replace Docker, SELinux or Linux permissions?+

No. MonkeyShield is designed to complement operating-system isolation. Strong deployments should use both system controls and explicit agent policy.

What happens if MonkeyShield fails?+

The intended contract is fail-closed: an action without a valid identity, policy decision or enforcement path is denied.

Does the project send commands or logs to the cloud?+

The current design is local-first. The website Playground is a client-side simulation and does not execute or transmit entered commands.

Can users write their own policies?+

Yes—that is a core design goal. Policies should be readable, version-controlled and reviewable like code.

SEE THE DECISION

Theory explains the boundary. Playground shows it moving.

Run safe simulated requests and watch policy, approval and audit decisions appear in real time.

Open MonkeyShield Playground