Dvar protects the boundary where an agent action enters a real system. In version 0.7 that boundary can be a framework tool, an MCP call, an ordinary function, a local subprocess, or a returned tool output.
Vercel AI SDK adapter
import { protectVercelAISDKTools } from "@rokadhq/dvar/adapters/vercel-ai-sdk";

const tools = protectVercelAISDKTools(originalTools, {
  runtime: dvar,
  context: {
    principal: { id: "user-1", type: "user" },
    agent: { id: "assistant", framework: "vercel-ai-sdk" },
    environment: "production",
    session: { id: "session-1" }
  }
});

The adapter preserves the framework-facing tool shape and routes execution through Dvar. Calls to the original unwrapped tool objects bypass Dvar.
Output guard
const dvar = await createDvar({
  policyPath: "dvar.yaml",
  outputGuard: {
    policy: {
      maxBytes: 64000,
      allowedContentTypes: ["json", "text"],
      redactBuiltInSecrets: true,
      deny: [{ id: "prompt-injection", pattern: "ignore previous instructions" }]
    }
  }
});

Output filtering happens before protected-tool results are returned to the application or model context. Denied output is not returned to protected-tool callers.
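The checks this policy names, written out as a stand-alone sketch. This is an added example, not Dvar's code: `examplePolicy`, `classifyOutput`, `guardOutput` and `ASSUMED_SECRET_PATTERNS` are hypothetical names, and the matching rules, the `binary` type and the secret patterns are assumptions made for illustration.

```javascript
// Added example, not Dvar's implementation. Matching rules and secret patterns are assumptions.
const examplePolicy = {
  maxBytes: 64000,
  allowedContentTypes: ["json", "text"],
  redactBuiltInSecrets: true,
  deny: [{ id: "prompt-injection", pattern: "ignore previous instructions" }]
};

// Constructed secret shapes; the page does not list Dvar's built-in patterns.
const ASSUMED_SECRET_PATTERNS = [
  /\bBearer\s+[A-Za-z0-9._~+\/-]{16,}=*/g,
  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g
];

function classifyOutput(output) {
  if (output instanceof Uint8Array) return "binary"; // raw bytes, not in the allow list
  if (typeof output !== "string") return "json";     // structured value from a tool
  try { JSON.parse(output); return "json"; } catch { return "text"; }
}

// Returns { allowed: true, output } or { allowed: false, reason } with no output attached.
function guardOutput(output, policy) {
  const type = classifyOutput(output);
  if (!policy.allowedContentTypes.includes(type)) {
    return { allowed: false, reason: "content-type" };
  }
  let text = typeof output === "string" ? output : (JSON.stringify(output) ?? "");

  // Size is measured in UTF-8 bytes, not characters.
  if (new TextEncoder().encode(text).length > policy.maxBytes) {
    return { allowed: false, reason: "max-bytes" };
  }

  // Assumption: literal patterns compared case-insensitively after collapsing whitespace.
  const normalized = text.toLowerCase().replace(/\s+/g, " ");
  for (const rule of policy.deny) {
    if (normalized.includes(rule.pattern.toLowerCase())) {
      return { allowed: false, reason: rule.id };
    }
  }

  if (policy.redactBuiltInSecrets) {
    for (const re of ASSUMED_SECRET_PATTERNS) text = text.replace(re, "[REDACTED]");
  }
  return { allowed: true, output: text };
}
```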
Stdio and local tools
import { createStdioSupervisor } from "@rokadhq/dvar/stdio";

const supervisor = createStdioSupervisor({
  runtime: dvar,
  policy: {
    requireAbsoluteCommand: true,
    allowedExecutables: [{ command: "/usr/bin/git" }],
    timeoutMs: 10000,
    maxStdoutBytes: 32000,
    env: { inherit: false }
  }
});

Dvar spawns supervised processes with shell: false and does not inherit the parent environment by default. It can inspect executable identity, bound arguments, restrict cwd and paths, cap output, and record outcomes.
Boundary rule
Dvar is not a sandbox, IAM layer, secrets manager, DLP platform, or SIEM. It must be combined with operating-system permissions, workload isolation, application authorization, credential scoping, and network policy.