Safety prompts can guide behavior. They cannot enforce operating-system permissions.
Trust the model less.Control the action more.
MonkeyShield does not try to make an AI model infallible. It controls the moment when a model's intention becomes a real operation on your system.

A hostile document may influence the agent. The system must remain safe anyway.
A failed decision should become a denied action—not a destroyed workstation.
Requests, policy versions, approvals and outcomes must form one trace.
Assume the agent can be wrong, manipulated or overprivileged.
Choose a threat to see the attack path and the control MonkeyShield places between intention and impact.
Prompt injection becomes a real action
A document instructs the agent to ignore its task and read a secret file. The model may comply, but its request still crosses an enforcement boundary.
The request, identity, target, matched rule and denial are recorded as one decision.
The agent never receives direct authority over the target.
Every capability is mediated. The agent requests an action; MonkeyShield decides whether a narrowly scoped operation may occur.

MonkeyShield does not need to prove that the model is trustworthy. It only needs to enforce that each requested action is permitted.
One request. Seven explicit checkpoints.
- 01InterceptCapture the tool request before execution.
- 02IdentifyBind the request to an agent and session.
- 03ContextResolve target, path, command and destination.
- 04EvaluateMatch ordered policy and risk conditions.
- 05ApprovePause when a human decision is required.
- 06EnforceExecute only the permitted scoped operation.
- 07RecordLink request, rule, decision and result.
If identity, policy or enforcement is unavailable, the action does not proceed.
Three outcomes. No vague middle state.
A policy evaluation returns a result that the runtime can actually enforce.
{
"request_id": "req_7f2a",
"agent": "local-agent-01",
"action": "shell.execute",
"target": "sudo rm -rf /",
"matched_rule": "deny.shell.destructive",
"decision": "deny",
"reason": "destructive privileged command",
"audit_hash": "sha256:6be5..."
}
A security boundary is credible only when its limits are explicit.
Agent actions at the tool boundary
- File reads, writes and deletes
- Shell commands and privilege requests
- Network destinations, methods and payloads
- Human approvals and policy versions
- Structured, linked decision audit
To make the model itself safe or correct
- It does not eliminate prompt injection
- It does not guarantee truthful model output
- It does not replace Linux permissions or sandboxing
- It cannot protect bypassed or unmediated tools
- It is not a promise of absolute security
Designed to sit inside a layered system
Start where enforcement primitives are transparent.
Linux gives MonkeyShield a clear foundation for identities, processes, paths, namespaces and auditability. The roadmap separates current work from planned and research ideas.
Enforcement core
- file.read / file.write
- shell.execute
- deny-by-default YAML
- local audit trail
Broader control plane
- network.request
- approval broker
- signed policy versions
- agent adapters
Deeper isolation
- namespace integration
- system-call mediation
- secret lease model
- cross-platform design
The questions a security product should answer early.
Is MonkeyShield an antivirus for AI?+
Not exactly. It is an enforcement layer for agent actions. It does not scan the model for malware; it controls what tool calls are allowed to reach the system.
Does it replace Docker, SELinux or Linux permissions?+
No. MonkeyShield is designed to complement operating-system isolation. Strong deployments should use both system controls and explicit agent policy.
What happens if MonkeyShield fails?+
The intended contract is fail-closed: an action without a valid identity, policy decision or enforcement path is denied.
Does the project send commands or logs to the cloud?+
The current design is local-first. The website Playground is a client-side simulation and does not execute or transmit entered commands.
Can users write their own policies?+
Yes—that is a core design goal. Policies should be readable, version-controlled and reviewable like code.
Theory explains the boundary. Playground shows it moving.
Run safe simulated requests and watch policy, approval and audit decisions appear in real time.