Seven-Layer Security Pipeline

Before any request enters the security pipeline, SpiceDB enforces Zanzibar-style relationship-based access control in under 5ms. OPA evaluates Rego policies compiled to WASM in under 2ms. Together they determine whether the caller has permission to use the requested model, access the target memory namespace, and invoke specific tools. Unauthorized requests are rejected before consuming any compute.

The API gate validates authentication tokens, enforces rate limits, and checks quota availability. Agent-Vault provides a secure credential store for agent-held secrets like API keys and OAuth tokens, ensuring that credentials never appear in prompts or logs. All credentials are encrypted at rest with AES-256-GCM and decrypted only at the moment of use.

Every user message passes through five defense layers before reaching an LLM. LlamaFirewall is the primary defense, orchestrating multiple classifiers in a single pass. DeBERTa-v3 performs deep semantic analysis to detect sophisticated social engineering. LLM Guard scans for over 30 attack categories. Presidio identifies and optionally redacts PII like names, emails, phone numbers, and financial data. PromptGuard 2 runs within LlamaFirewall specifically to detect prompt injection and jailbreak attempts.

Protects the memory layer from poisoning attacks. When content is written to vector storage, it is scanned for adversarial embeddings designed to manipulate retrieval results. Namespace isolation ensures that one tenant's memory cannot influence another's search results. Write integrity verification detects anomalous embedding patterns that deviate from expected distributions.

Before the request is forwarded to an LLM provider, the secure routing layer strips sensitive metadata, applies data residency rules (ensuring EU data stays in EU regions), and verifies that the selected provider meets the tenant's compliance requirements. Provider credentials are injected at the last moment and never travel with the request object.

LLM responses are scanned before delivery to the caller. LLM Guard checks for leaked training data, harmful content, and policy violations. Presidio scans outputs for unintended PII exposure. Output scanning catches cases where the model itself generates sensitive information, even when the input was clean.

Augustus continuously probes the system with adversarial inputs to verify that security layers are functioning correctly. These synthetic attack simulations run on a configurable schedule and test each security layer independently. If a probe bypasses a layer it shouldn't, Augustus raises an alert and can automatically increase the security posture for affected tenants.

Scans Model Context Protocol tools before they are loaded into agent workflows. mcp-scan verifies tool provenance, checks for known vulnerabilities, and validates that tool capabilities match their declared permissions. This prevents supply chain attacks where compromised MCP tools could exfiltrate data or execute unauthorized actions.