6 Governance Pillars

All 6 pillars operate bidirectionally: they inspect both outbound requests (what the agent sends to tools) and inbound responses (what comes back from tools/LLMs). This catches indirect prompt injection delivered via emails, documents, and web pages.

P1

Loop Breaker

Rust + Python

Detects and breaks infinite reasoning loops in AI agents. Uses TF-IDF vectorization with cosine similarity on a sliding window of recent requests to identify when an agent is repeating itself. Automatically circuit-breaks the session before runaway API costs or deadlocks occur.

How it works

  1. Maintains a sliding window of the last N requests per session (default: 10)
  2. Computes TF-IDF vectors for each request text
  3. Calculates cosine similarity between the current request and all window entries
  4. If similarity exceeds the threshold, increments a consecutive-match counter
  5. When consecutive matches exceed the limit, returns a JSON-RPC error and logs the circuit break

Configuration

# .env
LOOP_WINDOW_SIZE=10           # Number of past requests to compare
LOOP_SIMILARITY_THRESHOLD=0.85 # Cosine similarity threshold (0.0–1.0)

Response on detection

{
  "jsonrpc": "2.0",
  "error": {
    "code": -32001,
    "message": "Loop detected: request similarity 0.92 exceeds threshold 0.85",
    "data": {"pillar": "loop_breaker", "action": "CIRCUIT_BREAK"}
  },
  "id": 1
}
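The steps above as a runnable sketch. This is an added example, not Admina's own code: fitting TF-IDF on the window plus the current request, taking the maximum similarity over the window, and the `MAX_CONSECUTIVE` value are assumptions, since the page does not specify them.

```python
import math
import re
from collections import Counter, deque

WINDOW_SIZE = 10             # LOOP_WINDOW_SIZE default from the page
SIMILARITY_THRESHOLD = 0.85  # LOOP_SIMILARITY_THRESHOLD default from the page
MAX_CONSECUTIVE = 3          # assumed limit; the page does not state its value

def _tokens(text):
    return re.findall(r"[a-z0-9_]+", text.lower())

def _tfidf(docs):
    """One sparse TF-IDF vector (dict) per document, with smoothed IDF."""
    counts = [Counter(_tokens(d)) for d in docs]
    df = Counter(term for c in counts for term in c)  # document frequency
    n = len(docs)
    idf = {t: math.log((1 + n) / (1 + f)) + 1.0 for t, f in df.items()}
    return [{t: tf * idf[t] for t, tf in c.items()} for c in counts]

def _cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm_a = math.sqrt(sum(w * w for w in a.values()))
    norm_b = math.sqrt(sum(w * w for w in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

class LoopBreaker:
    """Per-session state: one instance per X-Session-Id."""
    def __init__(self):
        self.window = deque(maxlen=WINDOW_SIZE)
        self.consecutive = 0

    def check(self, request_text, request_id=1):
        """Return None to allow, or a JSON-RPC error dict to circuit-break."""
        vectors = _tfidf(list(self.window) + [request_text])
        current, previous = vectors[-1], vectors[:-1]
        similarity = max((_cosine(current, p) for p in previous), default=0.0)
        self.window.append(request_text)
        hit = similarity > SIMILARITY_THRESHOLD
        self.consecutive = self.consecutive + 1 if hit else 0  # a miss resets
        if self.consecutive <= MAX_CONSECUTIVE:
            return None
        message = (f"Loop detected: request similarity {similarity:.2f} "
                   f"exceeds threshold {SIMILARITY_THRESHOLD}")
        return {
            "jsonrpc": "2.0",
            "error": {"code": -32001, "message": message,
                      "data": {"pillar": "loop_breaker", "action": "CIRCUIT_BREAK"}},
            "id": request_id,
        }
```

Because a single dissimilar request resets the counter, an agent that alternates between two requests is still caught: each one matches its earlier copy in the window.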

P2

Anti-Injection Firewall

Rust RegexSet

Blocks prompt injection attacks in both requests and responses. Uses a two-path approach: a fast regex path for known patterns and a deep heuristic path for novel attacks.

Fast path: 15 compiled patterns

The Rust engine compiles all 15 patterns into a single RegexSet for single-pass matching. Patterns cover: role overrides (ignore previous instructions), system prompt leaks, DAN jailbreaks, base64/rot13 obfuscation, token smuggling, and context switching.

Deep path: heuristic scoring

Scores each request across multiple signals: imperative verb density, special character density, context switch markers, encoding markers, and instruction override phrases. Combines signals into a risk level: LOW / MEDIUM / HIGH / CRITICAL.

Risk levels and actions

LOW:       Logged, allowed through
MEDIUM:    Logged with warning, allowed through
HIGH:      Blocked, JSON-RPC error returned
CRITICAL:  Blocked, session flagged, forensic record written

P3

PII Redaction

Rust + spaCy NER

Automatically redacts Personally Identifiable Information from both requests and responses. Protects users from accidental data leakage to external MCP servers and LLM APIs.

Patterns detected

EMAIL:        user@example.com → [EMAIL]
PHONE:        +39 055 123456 → [PHONE]
CREDIT_CARD:  4111 1111 1111 1111 → [CREDIT_CARD]
SSN:          123-45-6789 → [SSN]
IBAN:         IT60X0542811101000000123456 → [IBAN]
IP_ADDRESS:   192.168.1.1 → [IP_ADDRESS]
PERSON:       John Smith → [PERSON] (NER)
ORG:          Acme Corp → [ORG] (NER)
GPE / LOC:    Pisa, Italy → [GPE] (NER)

NER (Named Entity Recognition) uses spaCy en_core_web_sm (English only). Regex-based patterns work for all languages. Multilingual NER is on the roadmap.

Per-category configuration

Individual PII categories can be enabled/disabled via environment variables (see Configuration).
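A sketch of the regex-based categories listed above, as an added example rather than Admina's own code. The regexes, the rule order, the Luhn and IPv4 validators, and the `enabled` parameter (standing in for the per-category switches) are assumptions; NER categories are not covered.

```python
import re

def _luhn_ok(candidate):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _ipv4_ok(candidate):
    return all(int(octet) <= 255 for octet in candidate.split("."))

# (category, pattern, optional validator). Order matters: longer and more
# specific formats run first so a later rule cannot match part of an IBAN
# or card number that an earlier rule should have replaced whole.
RULES = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), None),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), None),
    ("CREDIT_CARD", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), _luhn_ok),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("IP_ADDRESS", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), _ipv4_ok),
    ("PHONE", re.compile(r"\+\d{1,3}(?:[ -]?\d){6,12}\b"), None),
]

def redact(text, enabled=None):
    """Replace regex-detectable PII with [CATEGORY]; return (text, counts).

    enabled: optional set of category names to apply (None applies all).
    The same function serves outbound requests and inbound responses.
    """
    counts = {}
    for category, pattern, validator in RULES:
        if enabled is not None and category not in enabled:
            continue

        def _sub(match, category=category, validator=validator):
            if validator and not validator(match.group()):
                return match.group()  # looks like PII but fails validation
            counts[category] = counts.get(category, 0) + 1
            return f"[{category}]"

        text = pattern.sub(_sub, text)
    return text, counts
```

Returning the per-category counts lets the caller record a REDACT decision without logging the redacted values themselves.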

P4

OTEL Native

Python (OpenTelemetry SDK)

Emits structured OpenTelemetry spans for every governance decision, automatically and with no code changes required in your agent. Every pillar decision is recorded as a span attribute.

Span attributes

event_id:      UUID per governed event
agent_id:      From X-Agent-Id header
session_id:    From X-Session-Id header
action:        ALLOW | BLOCK | REDACT | CIRCUIT_BREAK
risk_level:    LOW | MEDIUM | HIGH | CRITICAL
pillar:        loop_breaker | firewall | pii | forensic | eu_ai_act
latency_us:    Governance overhead in microseconds
method:        MCP method name (tools/call, resources/read, …)
upstream:      Target MCP server URL

Export destinations

Admina exports to OTLP gRPC on port 4317 (configurable). Compatible with:

  • Grafana (included in the Docker Compose stack on port 3001)
  • Datadog, Honeycomb, Jaeger, Zipkin
  • Any OpenTelemetry Collector
  • Langfuse (for LLM-specific tracing)

Prometheus metrics are also exposed on port 8889.

P5

Forensic Black Box

Rust (sha2)

Creates a tamper-evident audit trail of every governed interaction. Uses a SHA-256 hash chain: each record includes the hash of the previous record, so modifying any stored record breaks the chain and is detected when the chain is verified.

Record structure

{
  "seq": 1024,
  "timestamp": "2026-03-06T14:23:01.442Z",
  "timestamp_ms": 1741270981442,
  "session_id": "sess_abc123",
  "agent_id": "openclaw-agent",
  "method": "tools/call",
  "action": "ALLOW",
  "risk_level": "LOW",
  "pillar": "firewall",
  "hash": "sha256:a3f8...",
  "prev_hash": "sha256:9c12..."
}

Storage

Records are stored in MinIO (S3-compatible) under the path forensic-blackbox/YYYY/MM/DD/HH/<seq>.json. The hash chain persists across restarts via Redis.

Chain verification

# Verify chain integrity programmatically
curl http://localhost:8080/api/forensic/verify \
  -H "X-API-Key: $ADMINA_API_KEY"
# {"valid": true, "records": 1024, "last_hash": "sha256:a3f8..."}
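An added example (not Admina's own code) of how a chain with this record structure can be built and verified offline. The hashing scheme (SHA-256 over canonical JSON of every field except `hash`), the all-zero genesis value, the `broken_at` field and the `expected_head` parameter are assumptions; the page does not specify them.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed prev_hash of the first record

def record_hash(record):
    """SHA-256 over canonical JSON of every field except 'hash' (assumed scheme)."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()

def append_record(chain, **fields):
    """Link a new record to the current chain head, then seal it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain) + 1, **fields, "prev_hash": prev}
    record["hash"] = record_hash(record)
    chain.append(record)
    return record

def verify_chain(chain, expected_head=None):
    """Walk the chain from seq 1 and report the first record that fails.

    expected_head is the last hash stored outside the record store; without
    it, deleting records from the tail leaves a shorter but valid chain.
    """
    prev, seq = GENESIS, 0
    for record in chain:
        seq += 1
        ok = (record.get("seq") == seq
              and record.get("prev_hash") == prev
              and record.get("hash") == record_hash(record))
        if not ok:
            return {"valid": False, "records": seq - 1, "broken_at": seq}
        prev = record["hash"]
    if expected_head is not None and prev != expected_head:
        return {"valid": False, "records": seq, "broken_at": None}
    return {"valid": True, "records": seq, "last_hash": prev}

def build_sample_chain():
    """Constructed sample records using the field names from the page."""
    chain = []
    for action, risk in [("ALLOW", "LOW"), ("BLOCK", "HIGH"), ("REDACT", "LOW")]:
        append_record(chain, session_id="sess_abc123", agent_id="openclaw-agent",
                      method="tools/call", action=action, risk_level=risk,
                      pillar="firewall")
    return chain
```

Editing a record and recomputing its own hash only moves the break to the next record, whose `prev_hash` no longer matches; rewriting every later record as well is caught only by comparing against a head hash kept elsewhere.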

Enterprise note: DebugABot adds eIDAS-qualified timestamps (legally admissible in EU courts) and S3 Object Lock (WORM, up to 7-year retention).

P6

EU AI Act Compliance

Python

Built-in compliance with the EU AI Act. Enforcement deadline: 2 August 2026. Covers risk classification (Art. 6) and gap analysis against the 7 high-risk system requirements (Art. 9–15).

Risk classification (Art. 6)

UNACCEPTABLE:  Banned systems (e.g., social scoring, real-time biometrics in public)
HIGH:          Critical infrastructure, employment, education, law enforcement
LIMITED:       Chatbots, emotion recognition; transparency obligations apply
MINIMAL:       Spam filters, games; no additional requirements

Gap analysis (Art. 9–15)

Admina checks your deployment against 7 requirements for high-risk AI systems:

  • Art. 9: Risk management system in place
  • Art. 10: Data governance and quality
  • Art. 11: Technical documentation
  • Art. 12: Record-keeping and logging (Admina P5 covers this)
  • Art. 13: Transparency and information provision
  • Art. 14: Human oversight mechanisms
  • Art. 15: Accuracy, robustness, cybersecurity (Admina P1–P2 cover this)

API usage

curl -X POST http://localhost:8080/api/compliance/classify \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $ADMINA_API_KEY" \
  -d '{
    "description": "AI credit scoring for loans",
    "use_case": "financial risk",
    "data_types": ["financial", "personal"]
  }'