Security is the foundation
Not a feature. Not a layer. The constraint every other decision is shaped around.
Philosophy
The thesis
The LLM is not trustworthy. Everything that crosses a trust boundary is validated by deterministic code before the LLM ever sees it, and everything the LLM produces is validated again before it has any effect on the outside world.
The reflex when designing a security layer in 2026 is to put an LLM in it — "have the model judge whether this call is safe." That's wrong. LLM-based checks can be prompt-injected by the very payloads they're inspecting, they're slow, and they're expensive. LegionForge sticks to regex, hash compare, signature verify, and capability lookups. They're crude. They're also predictable and auditable.
Five non-negotiables
Principles that shape every component
Fail-safe tiering
Halt → sandbox/retry → degrade. Never silently succeed. Errors propagate with intent.
Human gates on mutations
Destructive actions cross a human-in-the-loop boundary by default.
Replace AI with determinism
The LLM is the last resort, not the first. Rules, tables, and pattern matchers run ahead.
Validate at trust boundaries
Sanitize once, at the edge. Internal code trusts internal data. Validate at the edges, not at every node.
Privilege tied to tasks
Capability is scoped to the active task and expires when the task ends. No persistent agent privilege.
Differentiators
How LegionForge differs from the others
| | LegionForge | Cloud agent platforms (OpenAI Operator, Anthropic Computer Use, Google Mariner) | OSS agent frameworks (LangChain, AutoGen, CrewAI) |
|---|---|---|---|
| Where it runs | Your hardware | Their hardware | Your hardware |
| Where your data sits | Your PostgreSQL | Their database (opaque) | Wherever you wire it |
| Tool-call security | 7-check deterministic pipeline on every call (enforced) | Their internal checks (you don't see them) | Whatever you wire (often nothing) |
| Prompt-injection detection | 29 patterns, two tiers, at trust boundary | Vendor-defined | Not bundled |
| Audit trail | SHA-256 hash-chained audit_log | Their logs (you don't get them) | Not bundled |
| HITL on destructive actions | Enforced via approval gate | Sometimes | You wire it |
| Tool signing | Ed25519 on every registered tool | Internal | Not bundled |
| License | AGPL-3.0 (commercial available) · Guardian MIT | Proprietary | MIT / Apache 2.0 |
What we defend against
Threat model
Flagged as INJECTION_DETECTED: rm -rf /, DROP TABLE, fork bombs, pipe-to-shell, metadata endpoints.
What we don't claim to catch
Honest limits
- A malicious human operator with gateway credentials. Bearer auth gates entry; access control inside the gateway assumes the operator is authorized.
- Side-channel attacks on local LLM weights. Model integrity is checked at load, but not at every inference.
- Physical access to the machine.
- Threats specific to platforms we don't run on (we run local-first; cloud-specific threats aren't our model).
Listing the limits matters as much as listing the wins. A threat model that claims to defend against everything is a threat model nobody has actually walked.
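As an added illustration, not LegionForge's own code, of what the differentiator table and the threat model above describe: a deterministic two-tier pattern check over a tool call's arguments (no model consulted), followed by a SHA-256 hash-chained audit log whose integrity can be re-verified. The pattern names, the BLOCK/FLAG split and the sample tool calls are this example's own assumptions.

```python
import hashlib
import json
import re

# Two tiers, as the page describes: BLOCK halts the call outright, FLAG sends it
# to the human approval gate. Pattern set and names are this example's own.
BLOCK_PATTERNS = {
    "recursive_root_delete": re.compile(r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+/(?![\w.-])"),
    "sql_drop_table": re.compile(r"\bDROP\s+TABLE\b", re.IGNORECASE),
    "fork_bomb": re.compile(r":\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:"),
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
}
FLAG_PATTERNS = {
    "cloud_metadata_endpoint": re.compile(r"169\.254\.169\.254|metadata\.google\.internal"),
}

def check_tool_call(call: dict) -> dict:
    """Deterministic check over a tool call's arguments; no model is consulted."""
    text = json.dumps(call.get("args", {}), sort_keys=True)  # one canonical string
    for name, pattern in BLOCK_PATTERNS.items():
        if pattern.search(text):
            return {"verdict": "BLOCK", "reason": name}
    for name, pattern in FLAG_PATTERNS.items():
        if pattern.search(text):
            return {"verdict": "FLAG", "reason": name}
    return {"verdict": "ALLOW", "reason": None}

class HashChainedLog:
    """Append-only audit log: each entry commits to the previous entry's SHA-256."""
    GENESIS = "0" * 64  # constructed anchor for the first entry

    def __init__(self):
        self.entries = []

    def append(self, call: dict, verdict: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = json.dumps({"call": call, "verdict": verdict, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"body": body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute every hash and link; any edit or deletion breaks the chain."""
        prev = self.GENESIS
        for entry in self.entries:
            if json.loads(entry["body"])["prev"] != prev:
                return False
            if hashlib.sha256(entry["body"].encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The regexes are deliberately narrow (root deletion only, not any recursive delete) so that the ALLOW path stays wide; a real pattern set would be reviewed and versioned like any other policy artefact.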
Reporting vulnerabilities
Coordinated disclosure
Do not open a public issue for security vulnerabilities. Email security@legionforge.org.
We respond within 5 business days. After a fix is in place and users have had a chance to update, we publish a security advisory in the affected repo with the coordinated CVE if one was assigned.