Security (Guardian)

Multi-layered security engine with zero-trust, deep argument inspection, and data loss prevention.

Overview

The gateway includes a built-in security engine (the "Guardian") that enforces restrictions before any request reaches the target API. All policies are configured in ~/.elemm/config.json.


Policy Layers

Policies are evaluated in this order. The first match blocks the action.

Layer                      | Config Key            | Description
---------------------------|-----------------------|-------------------------------------------------------------------------------
Zero-Trust Whitelist       | enforce_whitelist     | Only explicitly listed actions/landmarks are allowed. Everything else is denied.
HTTP Methods               | allowed_methods       | Whitelist of allowed HTTP methods. Empty list = all allowed.
Action Blacklist           | disallowed_actions    | Exact action IDs to block.
Landmark Blacklist         | disallowed_landmarks  | Entire landmark namespaces to hide and block.
Pattern Matching           | disallowed_patterns   | Substrings that trigger blocking. Prefix with re: for regex.
Deep Argument Inspection   | disallowed_patterns   | Pattern matching is applied recursively to all argument values.
Data Loss Prevention       | prevent_key_leakage   | Vault API keys are automatically scrubbed from all responses.

Zero-Trust Mode

When enforce_whitelist: true is set, everything is blocked by default. Only explicitly listed landmarks and actions are allowed.

json
{
  "security": {
    "enforce_whitelist": true,
    "allowed_landmarks": ["repos", "issues"],
    "allowed_actions": ["repos_repos_get", "repos_repos_list-for-user"]
  }
}

Pattern Matching with Regex

Disallowed patterns can be plain substrings or, with the re: prefix, full Python regular expressions:

json
{
  "security": {
    "disallowed_patterns": [
      "delete",
      "remove",
      "purge",
      "destroy",
      "re:.*secret.*",
      "re:^admin_.*"
    ]
  }
}
⚠️ WARNING
Deep Argument Inspection means pattern matching is also applied to nested lists and dicts in arguments — not just the action name.

Discovery Filtering

Blocked landmarks are invisible to the agent:

  • They do not appear in get_landmarks output
  • inspect_landmark refuses to show their signatures
  • search_landmarks cannot find blocked tools

This prevents privilege escalation — the agent never learns about the existence of blocked functions.
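The following is an added example, not Elemm's own code: it shows how discovery filtering (hiding blocked landmarks from get_landmarks, inspect_landmark and search_landmarks) and the Data Loss Prevention layer from the table above (scrubbing vault keys out of responses) can be implemented. The manifest layout, the function names and the constructed secret value are assumptions; only the config keys come from this page.

```python
# Added example (not Elemm's code). Discovery filtering + vault-key scrubbing
# over a constructed toy manifest: landmark -> {action_id: description}.
MANIFEST = {
    "repos": {
        "repos_repos_get": "Fetch a repository",
        "repos_repos_list-for-user": "List a user's repositories",
    },
    "issues": {"issues_list": "List issues"},
    "billing": {"billing_invoices_list": "List invoices"},
}


def blocked_landmarks(security, manifest):
    """Landmarks the agent must never learn about: the blacklist, plus every
    landmark not on allowed_landmarks when enforce_whitelist is on."""
    blocked = set(security.get("disallowed_landmarks", []))
    if security.get("enforce_whitelist"):
        allowed = set(security.get("allowed_landmarks", []))
        blocked |= {lm for lm in manifest if lm not in allowed}
    return blocked


def get_landmarks(security, manifest=MANIFEST):
    """Discovery output with blocked landmarks removed entirely."""
    hidden = blocked_landmarks(security, manifest)
    return sorted(lm for lm in manifest if lm not in hidden)


def inspect_landmark(security, name, manifest=MANIFEST):
    """Return signatures, or None. A blocked landmark gets the same answer as an
    unknown one, so the agent cannot tell 'blocked' from 'does not exist'."""
    if name not in manifest or name in blocked_landmarks(security, manifest):
        return None
    return dict(manifest[name])


def search_landmarks(security, query, manifest=MANIFEST):
    """Case-insensitive search over action ids and descriptions, skipping
    blocked landmarks before matching so they can never surface."""
    hidden = blocked_landmarks(security, manifest)
    q = query.lower()
    return sorted(
        action
        for lm, actions in manifest.items() if lm not in hidden
        for action, desc in actions.items()
        if q in action.lower() or q in desc.lower()
    )


def scrub_keys(value, secrets, mask="[REDACTED]"):
    """Data Loss Prevention: replace every vault secret wherever it appears in a
    response, including inside nested lists and dicts. Longer secrets are
    replaced first so a secret that is a prefix of another cannot leave a
    fragment behind."""
    if isinstance(value, str):
        for secret in sorted(secrets, key=len, reverse=True):
            if secret:
                value = value.replace(secret, mask)
        return value
    if isinstance(value, dict):
        return {k: scrub_keys(v, secrets, mask) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_keys(v, secrets, mask) for v in value]
    return value


if __name__ == "__main__":
    policy = {"disallowed_landmarks": ["billing"]}
    print(get_landmarks(policy))                      # billing is absent
    print(inspect_landmark(policy, "billing"))        # None
    # Constructed response echoing a constructed vault token (assumption).
    response = {"headers": {"Authorization": "Bearer ghp_constructed_token_123"},
                "body": ["token ghp_constructed_token_123 used"]}
    print(scrub_keys(response, ["ghp_constructed_token_123"]))
```

The scrubber runs on the full response object rather than on selected fields, which is what makes the "automatically scrubbed from all responses" guarantee hold even when an upstream API reflects a key in an unexpected place such as an error body or a header echo.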


Custom Remediation Messages

Custom error messages can be defined for specific blocked actions or patterns:

json
{
  "security": {
    "custom_remedies": {
      "delete": "Destructive operations are disabled in this environment. Use read-only alternatives.",
      "admin_reset_password": "Password resets require manual approval from the administrator."
    }
  }
}

Error Format on Violations

json
{
  "status": "error",
  "_PROTOCOL_ERROR": "ACCESS_DENIED",
  "message": "Action contains restricted pattern 'delete'.",
  "remedy": "Destructive operations are disabled by default. Use read-only or safe alternatives."
}
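The following is an added example, not Elemm's own code: one function that walks the policy layers from the table above in the stated order (first match blocks), handles the re: prefix, applies deep argument inspection to nested lists and dicts, exempts the 9 core tools and elemm:-prefixed actions, and emits the ACCESS_DENIED error shape shown above with a custom remedy when one is configured. The function names, the whitelist rule (an action passes if either its landmark or its action id is listed) and the remedy lookup order (action id first, then matched pattern) are assumptions; the config keys, tool names and error fields come from this page.

```python
# Added example (not Elemm's code). Policy evaluation in the order the table
# gives; the first matching layer produces the ACCESS_DENIED error.
import re

CORE_TOOLS = {
    "connect_to_site", "get_manifest", "get_landmarks", "inspect_landmark",
    "search_landmarks", "call_action", "execute_sequence", "list_aliases",
    "clear_session",
}
DEFAULT_REMEDY = ("Destructive operations are disabled by default. "
                  "Use read-only or safe alternatives.")


def compile_patterns(patterns):
    """Turn disallowed_patterns into (raw, matcher) pairs. 're:' entries are
    Python regexes applied with re.search; everything else is a substring."""
    compiled = []
    for raw in patterns:
        if raw.startswith("re:"):
            rx = re.compile(raw[3:])
            compiled.append((raw, lambda s, rx=rx: rx.search(s) is not None))
        else:
            compiled.append((raw, lambda s, sub=raw: sub in s))
    return compiled


def iter_strings(value):
    """Deep argument inspection: yield every string nested anywhere in
    lists, tuples, sets and dicts (keys included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from iter_strings(k)
            yield from iter_strings(v)
    elif isinstance(value, (list, tuple, set)):
        for v in value:
            yield from iter_strings(v)


def deny(message, security, action, pattern=None):
    """Build the error object; custom_remedies is keyed by action id or pattern
    (assumed lookup order: action first, then pattern)."""
    remedies = security.get("custom_remedies", {})
    remedy = remedies.get(action) or remedies.get(pattern) or DEFAULT_REMEDY
    return {"status": "error", "_PROTOCOL_ERROR": "ACCESS_DENIED",
            "message": message, "remedy": remedy}


def evaluate(security, landmark, action, method="GET", args=None):
    """Return None when the call is allowed, else the ACCESS_DENIED dict."""
    args = args or {}
    # Exempt actions: core tools and internal elemm: actions bypass every layer.
    if action in CORE_TOOLS or action.startswith("elemm:"):
        return None
    # 1. Zero-trust whitelist (assumed rule: landmark OR action must be listed).
    if security.get("enforce_whitelist"):
        if (landmark not in security.get("allowed_landmarks", [])
                and action not in security.get("allowed_actions", [])):
            return deny(f"Action '{action}' is not on the whitelist.", security, action)
    # 2. HTTP methods: an empty list means every method is allowed.
    allowed = {m.upper() for m in security.get("allowed_methods", [])}
    if allowed and method.upper() not in allowed:
        return deny(f"HTTP method '{method}' is not allowed.", security, action)
    # 3. Action blacklist (exact ids).
    if action in security.get("disallowed_actions", []):
        return deny(f"Action '{action}' is blacklisted.", security, action)
    # 4. Landmark blacklist (whole namespaces).
    if landmark in security.get("disallowed_landmarks", []):
        return deny(f"Landmark '{landmark}' is blocked.", security, action)
    # 5. Pattern matching on the action name.
    matchers = compile_patterns(security.get("disallowed_patterns", []))
    for raw, matches in matchers:
        if matches(action):
            return deny(f"Action contains restricted pattern '{raw}'.", security, action, raw)
    # 6. Deep argument inspection: the same patterns over every nested string.
    for text in iter_strings(args):
        for raw, matches in matchers:
            if matches(text):
                return deny(f"Argument value contains restricted pattern '{raw}'.",
                            security, action, raw)
    return None


if __name__ == "__main__":
    policy = {  # constructed policy mirroring the snippets on this page
        "allowed_methods": ["GET"],
        "disallowed_actions": ["admin_reset_password"],
        "disallowed_patterns": ["delete", "re:.*secret.*", "re:^admin_.*"],
        "custom_remedies": {"delete": "Destructive operations are disabled in this environment. Use read-only alternatives."},
    }
    print(evaluate(policy, "repos", "repos_delete"))
    print(evaluate(policy, "repos", "repos_repos_get", args={"filters": [{"q": "has_secret_key"}]}))
```

Because the matchers are compiled once per call and reused for both the action name and every nested argument string, a pattern such as re:.*secret.* blocks a request whose action id is harmless but whose payload carries the term three levels deep, which is the behaviour the Deep Argument Inspection warning above describes.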

Exempt Actions

The following are always exempt from security checks:

  • All 9 core tools (connect_to_site, get_manifest, get_landmarks, inspect_landmark, search_landmarks, call_action, execute_sequence, list_aliases, clear_session)
  • Internal elemm:-prefixed actions
License: GPLv3© 2026 Marc Stöcker
elemm.dev — Infrastructure for the Agentic Web.