One clarification: MVAR is not a prompt filter and not a model judge.
The enforcement happens at the execution boundary. If model output reaches a critical sink (shell, filesystem, credentials, etc.) with untrusted provenance, the runtime blocks the call deterministically.
The repo includes the full attack corpus and proof pack if anyone wants to test the enforcement model locally.. Cheers - Shawn
One clarification: MVAR is not a prompt filter and not a model judge.
The enforcement happens at the execution boundary. If model output reaches a critical sink (shell, filesystem, credentials, etc.) with untrusted provenance, the runtime blocks the call deterministically.
The repo includes the full attack corpus and proof pack if anyone wants to test the enforcement model locally.. Cheers - Shawn
[dead]