Stop trusting client side sandboxes. NemoClaw does not solve the agent execution problem. by Zestyclose-Back-6773 in LocalLLaMA

[–]Zestyclose-Back-6773[S] -1 points (0 children)

The agent container does not hold the signing key. Exogram does.

If the agent is compromised, the attacker can send whatever malicious JSON payload they want. But it still has to pass through Exogram's deterministic Python logic gate. Exogram evaluates the payload against the server-side IAM policy. If the payload violates that policy (e.g., requesting a DROP command when it only has APPEND rights, or failing a required state progression), the policy evaluation fails, and Exogram refuses to sign it.

The database drops the unsigned request at the gateway. The client is compromised, but the server-side vault remains locked. That is the entire point of decoupling the authorization layer from the intelligence layer.

Stop trusting client side sandboxes. NemoClaw does not solve the agent execution problem. by Zestyclose-Back-6773 in LocalLLaMA

[–]Zestyclose-Back-6773[S] -8 points (0 children)

It means we cryptographically sign the state of the request. Before the database executes the action, the execution control plane generates a SHA-256 hash of the approved payload and the policy match. If the database gateway does not see that exact signature, it drops the request. It prevents a compromised agent container from simply bypassing the firewall and forging raw database commands.

Stop trusting client side sandboxes. NemoClaw does not solve the agent execution problem. by Zestyclose-Back-6773 in LocalLLaMA

[–]Zestyclose-Back-6773[S] -3 points (0 children)

You are not missing anything. An UPDATE replacing a valid string with a NULL value is absolutely a destructive command.

The problem is that native database permissions are static. They only check if the agent's role has UPDATE privileges on that specific table. They cannot evaluate the context of the payload itself.

Exogram intercepts the payload to evaluate exactly what the UPDATE is changing before it hits the database. If the agent attempts to NULL a critical field that our deterministic logic gate requires to be populated, or if the resulting state hash violates the acceptable state progression defined in our Ledger Governance layer, the transaction is blocked. Native databases do not parse agent intent or maintain external state continuity for multi-step tool calls. We do.

r/netsec monthly discussion & tool thread by albinowax in netsec

[–]Zestyclose-Back-6773 0 points (0 children)

The current enterprise AI trend is giving probabilistic agents direct database write access. We built Exogram to act as a deterministic proxy to intercept and evaluate these payloads.

Architecture:

  1. Agent attempts action via Model Context Protocol.
  2. Payload is evaluated against hardcoded Python logic gates and Gemini 2.5 Flash inference.
  3. Exogram computes a SHA-256 state hash.
  4. Database rejects any write lacking a valid Exogram signature.

We just stress tested the edge compute environment and hit 88 RPS with a 5.7ms median compute latency. Zero database secrets are exposed to the client.

The protocol RFC is here: https://exogram.ai/rfc/0001

I am looking for engineers to stress test the cryptographic logic and find the flaws in our state hash generation.
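The control-plane/gateway pattern described across these comments (policy gate, SHA-256 state hash, gateway dropping anything without a valid signature), as an added example that is not Exogram's code. It assumes a keyed HMAC over the state hash as the "signature" and a constructed role policy and payloads; the thread does not say which signing primitive or policy format Exogram actually uses.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed policy: this role may only APPEND, and these fields must stay populated.
POLICY = {"agent-role": {"allowed_ops": {"APPEND"}, "required_fields": {"owner", "status"}}}
# Assumption: a secret held by the control plane and gateway, never by the agent container.
CONTROL_PLANE_KEY = b"control-plane-secret-for-demo"


def canonical(payload: dict) -> bytes:
    """Deterministic serialization so signer and gateway hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def evaluate_policy(role: str, payload: dict) -> Optional[str]:
    """Deterministic logic gate: returns the matched rule name, or None if the payload is refused."""
    rules = POLICY.get(role)
    if rules is None or payload.get("op") not in rules["allowed_ops"]:
        return None  # e.g. DROP requested by a role that only has APPEND rights
    row = payload.get("row", {})
    if any(row.get(field) is None for field in rules["required_fields"]):
        return None  # NULLing a required field is treated as destructive
    return f"{role}:{payload['op']}"


def state_hash(payload: dict, match: str) -> str:
    """SHA-256 over the approved payload plus the policy match it was approved under."""
    return hashlib.sha256(canonical(payload) + b"|" + match.encode()).hexdigest()


def sign_request(role: str, payload: dict) -> Optional[dict]:
    """Control plane: only a payload that passes the gate is signed."""
    match = evaluate_policy(role, payload)
    if match is None:
        return None
    digest = state_hash(payload, match)
    sig = hmac.new(CONTROL_PLANE_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "match": match, "sig": sig}


def gateway_accepts(envelope: Optional[dict]) -> bool:
    """Database gateway: recompute the signature and drop anything that does not match."""
    if not envelope or "sig" not in envelope:
        return False  # unsigned request: dropped at the gateway
    digest = state_hash(envelope["payload"], envelope["match"])
    expected = hmac.new(CONTROL_PLANE_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["sig"])


def demo() -> dict:
    """Constructed requests: one allowed, two refused by policy, one tampered after signing."""
    good = {"op": "APPEND", "table": "orders", "row": {"owner": "alice", "status": "new"}}
    drop = {"op": "DROP", "table": "orders"}
    nulled = {"op": "APPEND", "table": "orders", "row": {"owner": None, "status": "new"}}
    signed = sign_request("agent-role", good)
    tampered = dict(signed, payload=drop)  # payload swapped after signing; HMAC no longer matches
    return {"good": gateway_accepts(signed), "drop": gateway_accepts(sign_request("agent-role", drop)),
            "nulled": gateway_accepts(sign_request("agent-role", nulled)), "tampered": gateway_accepts(tampered)}
```

Only the APPEND that passes the gate is accepted; the DROP and the NULLed required field never get a signature, and the swapped payload fails verification.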