MVAR is the execution firewall for AI agents.
If your AI agent can execute shell commands, call APIs, read files, or access credentials, prompt injection can escalate into real system execution.
Prompt injection is not a prompt problem — it's an execution problem.
Most defenses attempt to detect malicious prompts. That fails once model output reaches privileged tools.
MVAR does not attempt to detect malicious prompts. It assumes prompt injection will occur and prevents untrusted model output from reaching privileged execution sinks.
See ClawZero for a 60-second demo of MVAR protecting an OpenClaw agent: https://github.com/mvar-security/clawzero
python3 -m venv clawzero_demo && source clawzero_demo/bin/activate
pip install clawzero==0.1.2
clawzero demo openclaw --mode compare --scenario shellResult:
- Standard OpenClaw -> COMPROMISED (RCE via
curl | bash) - MVAR-protected -> BLOCKED ✓ (signed witness generated)
pip install mvar-securityfrom mvar import protect
safe_tool = protect(my_tool)Invariant: UNTRUSTED input + CRITICAL sink → BLOCK
50 attack vectors blocked · 200 benign vectors passed · CI-gated launch validation
30-Second Proof · Quick Start · Governed MCP Proof · Adapters Canonical proof runbook: RUN_THE_PROOF.md
git clone https://github.com/mvar-security/mvar.git
cd mvar
bash scripts/install.sh
bash scripts/run-agent-testbed.sh --scenario rag_injectionExpected result:
- Baseline runtime: attacker-influenced command is allowed
- MVAR runtime: execution is blocked before the tool runs
- Audit output: deterministic decision + cryptographic witness
Baseline: ALLOW -> executing bash command
MVAR: BLOCK -> UNTRUSTED input reaching CRITICAL sink
Governed runtime demo (MCP): docs/outreach/GOVERNED_MCP_RUNTIME_PROOF.md
⭐ Star the repo to follow development of execution-time security for AI agents.
from mvar import protect, ExecutionBlocked
safe_tool = protect(my_bash_tool) # balanced profile by default
try:
safe_tool("cat /etc/shadow")
except ExecutionBlocked as e:
print(e.decision["outcome"]) # BLOCK
print(e.decision["reason"])Profiles: balanced (default), strict, permissive.
MVAR (MIRRA Verified Agent Runtime) is a deterministic execution security layer for LLM agents.
Most defenses attempt to detect malicious prompts. MVAR enforces policy at execution sinks, where prompt-injection attacks cause real system effects.
- Not a prompt filter
- Not an LLM judge
- Deterministic policy at execution time
- Provenance-aware authorization
- Cryptographically auditable decisions
- 50 prompt-injection attack vectors blocked before tool execution
- Governed runtime CI gate on every change
- Reproducibility and launch checks in versioned scripts
Current metrics and snapshots: STATUS.md, TRUST.md
MVAR is for teams building agents that can:
- execute shell commands
- call external APIs
- read or write files
- handle credentials or sensitive data
If your agent can turn model output into real-world actions, MVAR constrains that authority at runtime.
| Mode | Components | Status | Primary Use Case |
|---|---|---|---|
| Standalone MVAR | MVAR only | ✅ Shipped | Drop-in deterministic execution boundary |
| MVAR + Verify | MVAR + Entry 500 SDK | 🚧 Integration path | Add trust signals alongside sink enforcement |
| Full Governed Runtime | MVAR + Entry 500 + EOS + Execution Governor | 🚧 Scaffold / feature-flagged | Unified privileged-action control plane |
- LangChain
- OpenAI tool calling
- OpenAI Agents SDK
- MCP
- Claude tool runtimes
- AutoGen
- CrewAI
- OpenClaw
Install first: INSTALL.md#installation
Then pick an adapter quickstart: docs/FIRST_PARTY_ADAPTERS.md
Need source + quickstart per adapter: Adapter Code + Quickstart Map
LLM reasoning
|
v
tool request
|
v
MVAR enforcement layer
|
v
privileged execution sinks
(shell / APIs / filesystem / credentials)
flowchart LR
A[LLM Agent] --> B[MVAR Runtime Boundary]
B --> C[Policy / Provenance / Capability Checks]
C --> D[Shell / API / Filesystem / Secrets]
Spec links:
spec/execution_intent/v1.schema.jsonspec/decision_record/v1.schema.json- Execution contract model (one-page): docs/architecture/execution_contract_model.md
- Execution Boundary Specification: docs/specs/EXECUTION_BOUNDARY_SPEC.md Execution boundary rationale: docs/WHY_EXECUTION_BOUNDARIES.md
Skeptical? Run the proof yourself in under 2 minutes.
Fast path (works even if you forgot to activate the right venv):
bash scripts/doctor-environment.sh
bash scripts/quick-verify.sh
./run_proof_pack.shManual path (from repo root):
bash scripts/run-python.sh -m pytest -q
bash scripts/launch-gate.sh
bash scripts/run-python.sh scripts/generate_security_scorecard.py
bash scripts/run-python.sh scripts/update_status_md.pyWhat this proves:
- Launch gate and full suite are green in CI
- Attack corpus blocks 50/50 under current policy
- Benign corpus has zero false blocks
- Exact current numbers are published in STATUS.md
- Repro artifact pack is emitted under
artifacts/repro/<timestamp>/with checksums and summary JSON - Repro pack command:
bash scripts/repro-validation-pack.sh(updatesartifacts/repro/latest)
MVAR can verify signed witness artifacts offline, including signature validity and previous-signature chain integrity.
mvar-verify-witness data/mvar_decisions.jsonl --require-chainExpected result:
{
"total_records": 2,
"verified_records": 2,
"all_signatures_valid": true,
"chain_valid": true
}- Use MVAR in your agent: docs/integration/USE_MVAR_IN_YOUR_AGENT.md
- Demo and testbed catalog: docs/demos/DEMOS_AND_TESTBEDS.md
- Adapter quickstarts: docs/FIRST_PARTY_ADAPTERS.md
MVAR is not:
- Not a prompt filter — MVAR does not attempt to detect or block malicious prompts
- Not an LLM judge — MVAR does not use a secondary model to classify intent
- Not a replacement for OS sandboxing — MVAR complements Docker/seccomp, does not replace them
- Not a replacement for network security — Firewalls, host hardening, and network isolation remain necessary
- Not a malicious-intent detector — MVAR enforces structural constraints, not behavioral anomaly detection
MVAR is a deterministic reference monitor at privileged execution sinks. It assumes untrusted inputs exist and prevents them from reaching critical operations, regardless of detection accuracy.
MVAR has validated enforcement against these attack classes:
- Prompt-injection-driven tool execution (tests/test_launch_redteam_gate.py)
- Credential exfiltration attempts (demo/extreme_attack_suite_50.py, vectors 22-25)
- Encoded/obfuscated malicious payloads (demo/extreme_attack_suite_50.py, category 3)
- Multi-step composition attacks (tests/test_composition_risk.py)
- Taint laundering via cache/logs/temp files (demo/extreme_attack_suite_50.py, category 6)
See STATUS.md for exact current validation numbers.
What does MVAR block? 50 attack vectors · 9 categories · CI-gated on every commit
MVAR's sink policy was evaluated against a 50-vector adversarial corpus spanning 9 attack categories:
| Category | Vectors | Result |
|---|---|---|
| Direct command injection | 6 | ✅ 6/6 blocked |
| Environment variable attacks | 5 | ✅ 5/5 blocked |
| Encoding/obfuscation (Base64, Unicode, hex) | 8 | ✅ 8/8 blocked |
| Shell manipulation (pipes, eval, substitution) | 7 | ✅ 7/7 blocked |
| Multi-stage attacks (download+execute) | 6 | ✅ 6/6 blocked |
| Taint laundering (cache, logs, temp files) | 5 | ✅ 5/5 blocked |
| Template escaping (JSON, XML, Markdown) | 5 | ✅ 5/5 blocked |
| Credential theft (AWS, SSH keys) | 4 | ✅ 4/4 blocked |
| Novel corpus variants | 4 | ✅ 4/4 blocked |
Result: Blocked every vector in the current validation corpus under the tested policy and sink configuration.
Scope: This demonstrates consistent enforcement for this validation corpus. Not a proof of completeness against all possible attacks.
This README is intentionally front-loaded for fast evaluation. Detailed material is split into focused docs:
- Why boundary enforcement (not prompt filtering): docs/WHY_CONTROL_PLANE_NOT_FILTERS.md
- Full architecture and design lineage: ARCHITECTURE.md, DESIGN_LINEAGE.md
- Execution contract model (current vs planned scope): docs/architecture/execution_contract_model.md
- Validation showcases and attack trilogy: docs/ATTACK_VALIDATION_SHOWCASE.md, docs/AGENT_TESTBED.md
- Integration examples: docs/integration/USE_MVAR_IN_YOUR_AGENT.md
- Demos and reproducible testbeds: docs/demos/DEMOS_AND_TESTBEDS.md
- Adapter contracts and integration playbook: docs/ADAPTER_SPEC.md, docs/AGENT_INTEGRATION_PLAYBOOK.md, conformance/README.md
- Security profiles, trust posture, and observability: docs/SECURITY_PROFILES.md, TRUST.md, docs/OBSERVABILITY.md
- Agent-runtime risk class explainer: docs/security/AGENT_RUNTIME_INCIDENT_CLASS.md
- Performance, non-goals, threat model: docs/PERFORMANCE_AND_THREAT_MODEL.md
- Research paper: docs/papers/execution-witness-binding.pdf
- Run validation:
bash scripts/launch-gate.sh - Submit adversarial vectors: docs/ATTACK_VECTOR_SUBMISSIONS.md
- Build adapters and integrations: CONTRIBUTING.md
- Use the pinned 30-second proof post: docs/outreach/GITHUB_PINNED_POST_30S_PROOF.md
MVAR is open source by design. We welcome adapter integrations, security hardening, tests, and documentation improvements that preserve security invariants. See CONTRIBUTING.md for contribution lanes, requirements, conformance expectations, and security reporting workflow.
This is early. The clawzero demo shows enforcement in harness + OpenClaw simulation.
Real multi-turn agent testing is next.
If you're running agents (LangChain, CrewAI, AutoGen, OpenClaw, etc.) and want to try it live:
- DM @Shawndcohen on X
- Open an issue with your setup/framework
Happy to pair debug and share results.
Apache License 2.0 — see LICENSE.md
Patent: US Provisional filed (Feb 24, 2026)
Machine-readable citation metadata: CITATION.cff
@software{mvar2026,
author = {Cohen, Shawn},
title = {MVAR: MIRRA Verified Agent Runtime},
year = {2026},
url = {https://github.com/mvar-security/mvar},
note = {Deterministic prompt injection defense via information flow control}
}Shawn Cohen Email: security@mvar.io GitHub: @mvar-security
MVAR: Deterministic sink enforcement against prompt-injection-driven tool misuse via information flow control and cryptographic provenance tracking.