Elemm

Security (Guardian)

Multi-layered security engine with zero-trust, deep argument inspection, and data loss prevention.

Overview

The gateway includes a built-in security engine (the "Guardian") that enforces policy before any request reaches the target API. All policies live under the security key of ~/.elemm/config.json; the same settings can also be edited from the Gateway UI.


Policy Layers

Policies are evaluated in this order. The first layer that matches denies the action and later layers are not consulted.

| Layer | Config Key | Description |
|---|---|---|
| Zero-Trust Whitelist | enforce_whitelist | Only explicitly listed actions/landmarks are allowed; everything else is denied. |
| HTTP Methods | allowed_methods | Whitelist of allowed HTTP methods. An empty list allows all methods. |
| Action Blacklist | disallowed_actions | Exact action IDs to block. |
| Landmark Blacklist | disallowed_landmarks | Entire landmark namespaces to hide and block. |
| Pattern Matching | disallowed_patterns | Substrings that trigger blocking. Prefix with re: for a regex. |
| Deep Argument Inspection | disallowed_patterns | The same patterns are applied recursively to every argument value, including strings nested inside lists and dicts. |
| Data Loss Prevention | prevent_key_leakage | Vault API keys are scrubbed from all responses before they are returned. |
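
The Data Loss Prevention row above says only that vault keys are scrubbed from responses. The following is an added illustration of what such a scrubber has to do, written for this page; it is not Elemm's own prevent_key_leakage implementation. It walks a response of any nesting depth and replaces every occurrence of a vault secret, whether a value equals the secret or merely contains it (an Authorization header, a URL query string, an error message that echoes the request). Percent-encoded copies are scrubbed too, because a key sent in a URL often comes back in that form. The secret values, the placeholder text, the function names and the sample response are all constructed for this example.

```python
"""Response scrubber for a Data Loss Prevention layer (illustration, not Elemm's code)."""
import json
from typing import Any, Iterable, List
from urllib.parse import quote

REDACTED = "[REDACTED]"  # assumed placeholder text


def variants(secrets: Iterable[str]) -> List[str]:
    """Literal and percent-encoded forms, longest first so no partial key survives."""
    forms = set()
    for s in secrets:
        if s:
            forms.add(s)
            forms.add(quote(s, safe=""))
    return sorted(forms, key=len, reverse=True)


def scrub(value: Any, secrets: Iterable[str]) -> Any:
    """Return a copy of value with every secret (at any depth) replaced by REDACTED."""
    forms = variants(secrets)

    def walk(node: Any) -> Any:
        if isinstance(node, str):
            for f in forms:
                node = node.replace(f, REDACTED)  # substring replace: catches embedded keys
            return node
        if isinstance(node, dict):
            return {walk(k): walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, tuple):
            return tuple(walk(v) for v in node)
        return node  # numbers, bools and None cannot carry a key

    return walk(value)


def leaks(value: Any, secrets: Iterable[str]) -> bool:
    """Post-condition check: does any secret form still appear in the serialised response?"""
    blob = json.dumps(value, default=str)
    return any(f in blob for f in variants(secrets))


VAULT_SECRETS = {"ghp_EXAMPLEtoken123456", "tok/abc+def="}  # constructed placeholders

SAMPLE_RESPONSE = {  # constructed: a target API echoing parts of the request back
    "request": {
        "headers": {"Authorization": "Bearer ghp_EXAMPLEtoken123456"},
        "url": "https://api.example/v1/repos?api_key=tok%2Fabc%2Bdef%3D&page=2",
    },
    "items": [{"id": 1, "note": "token ghp_EXAMPLEtoken123456 rotated"}, {"id": 2}],
    "error": None,
}

if __name__ == "__main__":
    clean = scrub(SAMPLE_RESPONSE, VAULT_SECRETS)
    print(json.dumps(clean, indent=2))
    assert not leaks(clean, VAULT_SECRETS)
```

Two points worth keeping in mind: matching on the literal and percent-encoded forms does not catch a key that comes back base64-encoded or otherwise transformed, so a scrubber of this kind is a last line of defence rather than a guarantee; and the leaks() check is the assertion to run in a test suite, on the serialised response, rather than trusting that the walk visited every container type.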

Zero-Trust Mode

When enforce_whitelist is true, every action is denied by default. Only the landmarks listed in allowed_landmarks and the action IDs listed in allowed_actions are allowed; both lists are ignored while enforce_whitelist is false.

json
{
  "security": {
    "enforce_whitelist": true,
    "allowed_landmarks": ["repos", "issues"],
    "allowed_actions": ["repos_repos_get", "repos_repos_list-for-user"]
  }
}

Pattern Matching with Regex

Disallowed patterns are plain substrings by default. Prefix a pattern with re: to have it interpreted as a Python regular expression:

json
{
  "security": {
    "disallowed_patterns": [
      "delete",
      "remove",
      "purge",
      "destroy",
      "re:.*secret.*",
      "re:^admin_.*"
    ]
  }
}
WARNING

Deep Argument Inspection applies every pattern not only to the action ID but recursively to every argument value, including strings nested inside lists and dicts. Substring patterns are therefore broad: "delete" also matches an argument such as a branch named "undeleted" or a field called "deleted_at". Use an anchored re: pattern when you need a tighter match, and test a new pattern against the arguments your agent actually sends before relying on it.


Discovery Filtering

Blocked landmarks are invisible to the agent:

  • They do not appear in get_landmarks output
  • inspect_landmark refuses to show their signatures
  • search_landmarks cannot find blocked tools

Hiding blocked landmarks shrinks what the agent can reason about: it never learns that the blocked functions exist, so it cannot plan around them or be talked into calling them. Hiding complements enforcement rather than replacing it; a blocked action is still refused at call time even if the agent guesses its ID.


Custom Remediation Messages

Custom error messages can be defined per blocked action ID or per disallowed pattern. The key is matched against whichever entry triggered the block:

json
{
  "security": {
    "custom_remedies": {
      "delete": "Destructive operations are disabled in this environment. Use read-only alternatives.",
      "admin_reset_password": "Password resets require manual approval from the administrator."
    }
  }
}

Error Format on Violations

Every blocked request returns the same error shape. The remedy field carries the matching custom_remedies entry, or the generic text shown here when none is defined:

json
{
  "status": "error",
  "_PROTOCOL_ERROR": "ACCESS_DENIED",
  "message": "Action contains restricted pattern 'delete'.",
  "remedy": "Destructive operations are disabled by default. Use read-only or safe alternatives."
}
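
The sections on Policy Layers, Pattern Matching with Regex, Discovery Filtering, Custom Remediation Messages and the error format above describe one evaluation pipeline. The following is an added example of that pipeline in working code, written for this page; it is not Elemm's own Guardian implementation. It uses the documented config keys and error shape, but the function names are invented, and three details the page leaves open are assumptions: a landmark is taken to be the prefix of the action ID before the first underscore (so "repos_repos_get" belongs to "repos"), under zero-trust an action passes if either its landmark or its exact ID is whitelisted, and matching is case-sensitive. The sample configuration is constructed from the snippets on this page.

```python
"""Guardian-style policy evaluator (illustration, not Elemm's code)."""
import re
from typing import Any, Callable, Iterator, Optional

DEFAULT_REMEDY = ("Destructive operations are disabled by default. "
                  "Use read-only or safe alternatives.")


def compile_pattern(pattern: str) -> Callable[[str], bool]:
    """'re:' prefix -> regex searched anywhere in the string; otherwise plain substring."""
    if pattern.startswith("re:"):
        rx = re.compile(pattern[3:])
        return lambda s: rx.search(s) is not None
    return lambda s: pattern in s  # assumed case-sensitive


def iter_strings(value: Any) -> Iterator[str]:
    """Deep argument inspection: yield every string at any depth, dict keys included."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from iter_strings(k)
            yield from iter_strings(v)
    elif isinstance(value, (list, tuple, set)):
        for item in value:
            yield from iter_strings(item)
    # ints, floats, bools and None carry no text to match


def landmark_of(action_id: str) -> str:
    return action_id.split("_", 1)[0]  # assumed convention: "repos_repos_get" -> "repos"


def deny(key: str, message: str, remedies: dict) -> dict:
    """Build the documented ACCESS_DENIED payload; key selects a custom remedy if one exists."""
    return {"status": "error", "_PROTOCOL_ERROR": "ACCESS_DENIED",
            "message": message, "remedy": remedies.get(key, DEFAULT_REMEDY)}


def evaluate(security: dict, action_id: str, method: str, args: Any = None) -> Optional[dict]:
    """Return the error dict from the first layer that matches, or None when allowed."""
    remedies = security.get("custom_remedies", {})
    landmark = landmark_of(action_id)

    if security.get("enforce_whitelist"):  # layer 1: everything denied unless listed
        if (landmark not in security.get("allowed_landmarks", [])
                and action_id not in security.get("allowed_actions", [])):
            return deny(action_id, f"Action '{action_id}' is not whitelisted.", remedies)

    methods = security.get("allowed_methods", [])  # layer 2: empty list allows all
    if methods and method.upper() not in {m.upper() for m in methods}:
        return deny(method, f"HTTP method '{method}' is not allowed.", remedies)

    if action_id in security.get("disallowed_actions", []):  # layer 3: exact ID
        return deny(action_id, f"Action '{action_id}' is disallowed.", remedies)

    if landmark in security.get("disallowed_landmarks", []):  # layer 4: whole namespace
        return deny(landmark, f"Landmark '{landmark}' is disallowed.", remedies)

    patterns = [(p, compile_pattern(p)) for p in security.get("disallowed_patterns", [])]
    for p, hit in patterns:  # layer 5: the action ID itself
        if hit(action_id):
            return deny(p, f"Action contains restricted pattern '{p}'.", remedies)
    for p, hit in patterns:  # layer 6: every nested argument string
        for s in iter_strings(args):
            if hit(s):
                return deny(p, f"Argument contains restricted pattern '{p}'.", remedies)
    return None


def visible_landmarks(security: dict, landmarks: list) -> list:
    """Discovery filtering: what get_landmarks / search_landmarks may reveal."""
    hidden = set(security.get("disallowed_landmarks", []))
    shown = [lm for lm in landmarks if lm not in hidden]
    if security.get("enforce_whitelist"):
        shown = [lm for lm in shown if lm in security.get("allowed_landmarks", [])]
    return shown


SAMPLE_SECURITY = {  # constructed for this example; mirrors the snippets on this page
    "allowed_methods": ["GET", "POST"],
    "disallowed_actions": ["admin_reset_password"],
    "disallowed_landmarks": ["billing"],
    "disallowed_patterns": ["delete", "re:.*secret.*", "re:^admin_.*"],
    "custom_remedies": {
        "delete": "Destructive operations are disabled in this environment. Use read-only alternatives.",
        "admin_reset_password": "Password resets require manual approval from the administrator.",
    },
}

if __name__ == "__main__":
    # The blocked word sits two levels deep inside the arguments; deep inspection still finds it.
    print(evaluate(SAMPLE_SECURITY, "repos_repos_get", "GET", {"filters": [{"label": "to-delete"}]}))
```

Two behaviours of this ordering are worth noticing. An action listed in disallowed_actions is reported by layer 3 with its own custom remedy even when a later pattern such as re:^admin_.* would also have caught it, so the remedy the agent sees depends on which layer fires first. And because matching is case-sensitive here, an argument containing "SECRET" slips past re:.*secret.*; if that matters for your deployment, write the pattern as re:(?i).*secret.* rather than assuming the engine folds case.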

Exempt Actions

The following are never subject to the policy layers above:

  • All 9 core tools (connect_to_site, get_manifest, get_landmarks, inspect_landmark, search_landmarks, call_action, execute_sequence, list_aliases, clear_session)
  • Internal elemm:-prefixed actions

The exemption covers the tool invocation itself, so a disallowed pattern such as session does not block clear_session. The target action that call_action or execute_sequence invokes is still evaluated against the full policy, together with its arguments.
The Landmark Manifest. Exposing system interfaces natively to AI agents.

© 2026 Marc Stöcker
elemm.dev — Infrastructure for the Agentic Web.