Security boundary

Understand what Dvar protects, what it does not replace, and how to deploy it safely.

Dvar is a policy firewall for AI-agent actions. It is intentionally narrow: it protects action boundaries that are routed through Dvar.

What Dvar protects

Dvar can protect:

  • function tools wrapped with protectTool();
  • MCP calls routed through the Dvar proxy;
  • framework tools wrapped with Dvar adapters;
  • supervised local subprocess execution;
  • returned JSON and text output from protected tools.

If an action bypasses Dvar, Dvar cannot evaluate it, approve it, throttle it, or audit it.

What Dvar does not replace

Dvar does not replace:

  • application authorization;
  • IAM and OAuth scope design;
  • database permissions;
  • sandboxing and workload isolation;
  • secrets management;
  • network policy;
  • data-loss-prevention systems;
  • human operational review.

Use Dvar as one enforcement layer in a larger security architecture.

Monitor-first deployment

Monitor mode is for rollout evidence. It allows actions while recording would_allow, would_deny, and would_require_approval observations. Treat it as a discovery and tuning phase, not as enforcement.

Move to enforce or strict only after reviewing traffic, approvals, runtime limits, and failure behaviour.
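One way to review monitor-mode evidence before switching modes, as an added example that is not Dvar's own code: it tallies the three observation values per tool and lists the tools whose behaviour would change under enforcement. The JSON Lines record shape (`tool`, `observation`), the sample log and the function names are assumptions made for illustration, not Dvar's documented schema or API.

```javascript
// Added example, not part of Dvar. Record fields "tool" and "observation"
// are assumed; adapt them to the event format your deployment emits.
const KNOWN = ["would_allow", "would_deny", "would_require_approval"];

// Constructed sample log (JSON Lines), including two records that must not
// be silently counted: a non-JSON line and an unknown observation value.
const SAMPLE_LOG = [
  '{"tool":"repo.write","observation":"would_require_approval"}',
  '{"tool":"search.docs","observation":"would_allow"}',
  '{"tool":"db.export","observation":"would_deny"}',
  '{"tool":"db.export","observation":"would_deny"}',
  '{"tool":"search.docs","observation":"would_allow"}',
  '{"tool":"repo.write","observation":"would_allow"}',
  'not-json',
  '{"tool":"mail.send","observation":"allowed"}',
].join("\n");

// Tally observations per tool; report unparseable or unexpected records by
// line number so gaps in the evidence are visible to the reviewer.
function summarize(jsonl) {
  const perTool = new Map();
  const malformed = [];
  jsonl.split("\n").forEach((line, i) => {
    if (!line.trim()) return;
    let rec;
    try { rec = JSON.parse(line); } catch { malformed.push(i + 1); return; }
    if (!rec || typeof rec.tool !== "string" || !KNOWN.includes(rec.observation)) {
      malformed.push(i + 1);
      return;
    }
    const counts = perTool.get(rec.tool) ||
      { would_allow: 0, would_deny: 0, would_require_approval: 0 };
    counts[rec.observation] += 1;
    perTool.set(rec.tool, counts);
  });
  return { perTool, malformed };
}

// Tools that would be blocked or paused once enforcement is on, worst first.
function reviewList(summary) {
  return [...summary.perTool]
    .filter(([, c]) => c.would_deny > 0 || c.would_require_approval > 0)
    .map(([tool, c]) => ({ tool, ...c }))
    .sort((a, b) => b.would_deny - a.would_deny || a.tool.localeCompare(b.tool));
}

console.log(reviewList(summarize(SAMPLE_LOG)));
```

A non-empty `malformed` list means the evidence is incomplete, so resolve those records before treating the review list as final.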

Production checklist

  • Start with a restrictive default effect.
  • Require attribution for principal, agent, environment, tenant, session, and task where relevant.
  • Lock MCP inventories before trusting tools.
  • Require approvals for finance, infrastructure, repository writes, external communication, data export, and destructive operations.
  • Use Redis or Valkey for distributed runtime limits.
  • Filter tool output before model summarization.
  • Keep logs and audit events free of raw secrets and grants.