The AlgoVoi Security Suite protects an agentic payment stack in two layers over one verifiable evidence spine. Layer 1 secures input integrity: it stops malformed and resource hostile payloads before they reach canonicalization. Layer 2 is runtime edge defence: it decides who, and what, may reach the service at all.
What sets the suite apart from a conventional gateway or WAF is the spine. Every allow and deny is a Falcon-1024 (optionally hybrid ML-DSA-65) signed, content addressed, hash linked decision that the Compliance Command Center ingests. So you can prove, offline and after the fact, what your defences admitted, what they refused, and under exactly which policy. The geo and rate mechanics are commodity. The verifiable, post quantum signed, no PII evidence is not.
| Tool | Layer | Tier | Package | What it does |
|---|---|---|---|---|
| Substrate Guard | 1, input integrity | Open (Apache 2.0) | algovoi-substrate-guard | Deterministic input bounds run before canonicalization: size, depth, object keys, array length, string length, total nodes, number safety. The limits in force are content addressed (profile_ref). |
| Substrate Guard Pro | 1, input integrity | Commercial | algovoi-substrate-guard-pro | Everything in the open tier, plus a UTF-8 string safety bound (rejects lone surrogates and non scalar code units), and every admit or reject recorded as a signed, content addressed admission decision. |
| Edge Sentinel | 2, runtime edge | Commercial | algovoi-edge-sentinel | IP, geo and ASN blocking; rate and velocity limiting; identity allow and deny; replay, nonce and freshness. First block wins, fail closed. Every decision signed, with a no PII subject. |
Open foundation, commercial depth. Substrate Guard is open source (pip install algovoi-substrate-guard, npm install @algovoi/substrate-guard), Python and TypeScript byte for byte identical. Substrate Guard Pro and Edge Sentinel are commercial products under the AlgoVoi Commercial Licence; the open guard composes straight into the Pro tier.
Two tools, both running before any RFC 8785 JCS or SHA-256 work touches the payload. They either accept, or reject with a named code. They never truncate and never repair.
Substrate Guard (open)
A deterministic, structural input bounds gate. Every bound is a pure property of the parsed value (depth, count, length), so independent implementations enforce it identically. The bounds in force are content addressed by profile_ref, so a record can prove which limits admitted it. See the full Substrate Guard page.
Substrate Guard Pro (commercial)
Substrate Guard Pro keeps every bound of the open tier and adds a string safety bound: a string (value or object key) that is not valid UTF-8, such as a lone surrogate, is rejected with REJECT_INVALID_UTF8 before canonicalization, so every conforming canonicalizer behaves identically on it. Each evaluation is then recorded as a Falcon-1024 (optionally hybrid ML-DSA-65) signed, hash linked admission decision, bound to the profile_ref in force and, on admit, to the value’s canonical content address (subject_ref). A rejected value is never canonicalized and never carried, so the record is no PII.
| Reject code | Bound exceeded |
|---|---|
| REJECT_OVER_SIZE | canonical UTF-8 size |
| REJECT_OVER_DEPTH | nesting depth |
| REJECT_TOO_MANY_KEYS | object keys |
| REJECT_OVER_ARRAY | array length |
| REJECT_OVER_STRING | string or key length |
| REJECT_OVER_NODES | total nodes |
| REJECT_UNSAFE_NUMBER | integer outside the safe range, or non finite |
| REJECT_INVALID_UTF8 | lone surrogate or non scalar code unit (Pro) |
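
A structural bounds gate of the kind described above, as an added sketch in Python; it is not AlgoVoi's code or API. The limit values, the 2^53 - 1 safe range, the check order and measuring size on the raw bytes are assumptions; only the reject codes come from the table.

```python
import json
import math

# Hypothetical limits; the page names the bounds but not their values.
LIMITS = {"size": 4096, "depth": 8, "keys": 32, "array": 64, "string": 256, "nodes": 512}
SAFE_INT = 2**53 - 1  # assumed safe range: integers exact in an IEEE 754 double

class Reject(Exception):
    """Carries the named reject code; nothing is truncated or repaired."""

def check_string(s, lim):
    if len(s) > lim["string"]:
        raise Reject("REJECT_OVER_STRING")
    try:
        s.encode("utf-8")  # a lone surrogate has no UTF-8 encoding
    except UnicodeEncodeError:
        raise Reject("REJECT_INVALID_UTF8") from None

def walk(v, depth, lim, seen):
    seen[0] += 1  # every value, container or scalar, counts as one node
    if seen[0] > lim["nodes"]:
        raise Reject("REJECT_OVER_NODES")
    if depth > lim["depth"]:
        raise Reject("REJECT_OVER_DEPTH")
    if isinstance(v, str):
        check_string(v, lim)
    elif isinstance(v, float) and not math.isfinite(v):
        raise Reject("REJECT_UNSAFE_NUMBER")
    elif isinstance(v, int) and abs(v) > SAFE_INT:
        raise Reject("REJECT_UNSAFE_NUMBER")
    elif isinstance(v, list):
        if len(v) > lim["array"]:
            raise Reject("REJECT_OVER_ARRAY")
        for item in v:
            walk(item, depth + 1, lim, seen)
    elif isinstance(v, dict):
        if len(v) > lim["keys"]:
            raise Reject("REJECT_TOO_MANY_KEYS")
        for key, item in v.items():
            check_string(key, lim)  # keys are bounded like string values
            walk(item, depth + 1, lim, seen)

def evaluate(raw: bytes, lim=LIMITS) -> str:
    """Return "ADMIT" or a named reject code. Malformed JSON raises ValueError."""
    if len(raw) > lim["size"]:
        return "REJECT_OVER_SIZE"
    try:
        walk(json.loads(raw), 1, lim, [0])
    except RecursionError:  # the parser gave up on nesting before the walk ran
        return "REJECT_OVER_DEPTH"
    except Reject as r:
        return r.args[0]
    return "ADMIT"
```

Python's `json.loads` turns an unpaired `\ud800` escape into a lone surrogate without complaint, and accepts `NaN` and `1e999`, which is why these checks sit between parsing and any canonicalization or hashing.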
Layer 2: runtime edge defence
Edge Sentinel (commercial)
Edge Sentinel runs four runtime checks ahead of the service, first block wins, fail closed. It is deliberately a runtime layer: it is stateful (rate counters, a nonce cache) and environment aware (the client IP, a geo dataset, a clock). It is not claimed as a substrate or byte parity property; that determinism guarantee lives in Layer 1. What Edge Sentinel adds over a commodity WAF is that every allow and deny is offline verifiable, signed evidence bound to a content addressed policy (policy_ref), with a no PII subject (the IP, agent DID, key and wallet are hash folded; country and ASN stay in the clear for audit).
| Check | Blocks on | Reject codes |
|---|---|---|
| IP, geo, ASN | country, ASN, IP range (allow list or deny list) | BLOCK_GEO_COUNTRY, BLOCK_GEO_ASN, BLOCK_IP_CIDR, BLOCK_GEO_NOT_ALLOWLISTED |
| Rate, velocity | sliding window request count per IP or key | BLOCK_RATE_EXCEEDED |
| Identity | agent DID, key id, wallet | BLOCK_DID_DENIED, BLOCK_KEY_DENIED, BLOCK_WALLET_DENIED, BLOCK_DID_NOT_ALLOWLISTED |
| Replay, freshness | replayed nonce, stale or unparseable timestamp, missing nonce | BLOCK_REPLAY, BLOCK_STALE, BLOCK_MISSING_NONCE |
It ships as an ASGI middleware (a block returns 403 with the named reason code, the decision already recorded) and as an embeddable evaluator. Geo resolution is pluggable, the signing key is injected, the decision store is pluggable (SQLite or PostgreSQL), and licence enforcement is offline and fail closed.
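
The first block wins, fail closed evaluation described above, as an added Python sketch that is not Edge Sentinel's code or API. The check order, policy fields, request fields and the `BLOCK_INTERNAL_ERROR` code are assumptions; the other codes are from the table.

```python
from collections import defaultdict, deque

# Constructed policy; values and field names are illustrative.
POLICY = {"deny_countries": {"ZZ"}, "deny_dids": {"did:example:blocked"},
          "rate_limit": 3, "rate_window_s": 10, "max_age_s": 30}

class Evaluator:
    def __init__(self, policy, geo_lookup):
        self.p, self.geo = policy, geo_lookup  # geo_lookup: ip -> country code
        self.hits = defaultdict(deque)         # per-IP request times
        self.nonces = set()                    # unbounded here; expire entries in real use

    def _geo(self, req, now):
        if self.geo(req["ip"]) in self.p["deny_countries"]:
            return "BLOCK_GEO_COUNTRY"

    def _rate(self, req, now):
        q = self.hits[req["ip"]]
        while q and q[0] <= now - self.p["rate_window_s"]:
            q.popleft()                        # slide the window forward
        if len(q) >= self.p["rate_limit"]:
            return "BLOCK_RATE_EXCEEDED"
        q.append(now)

    def _identity(self, req, now):
        if req.get("did") in self.p["deny_dids"]:
            return "BLOCK_DID_DENIED"

    def _replay(self, req, now):
        if not req.get("nonce"):
            return "BLOCK_MISSING_NONCE"
        try:
            age = abs(now - float(req.get("ts")))
        except (TypeError, ValueError):
            return "BLOCK_STALE"               # unparseable timestamp
        if not age <= self.p["max_age_s"]:     # written this way so NaN is stale
            return "BLOCK_STALE"
        if req["nonce"] in self.nonces:
            return "BLOCK_REPLAY"
        self.nonces.add(req["nonce"])

    def evaluate(self, req, now):
        for check in (self._geo, self._rate, self._identity, self._replay):
            try:
                code = check(req, now)
            except Exception:
                return "BLOCK_INTERNAL_ERROR"  # hypothetical code: fail closed
            if code:
                return code                    # first block wins
        return "ALLOW"
```

A timestamp of `"nan"` parses as a float, and `age > max_age_s` is false for NaN, so the freshness test is written as `not age <= max_age_s` to keep that input on the deny path.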
One verifiable spine
Both layers emit the same decision shape: a Falcon-1024 (optionally hybrid ML-DSA-65) signed envelope, hash linked into an append only chain (prev_entry_hash), exported as the no PII evidence pack the Compliance Command Center verifies offline. Altering or dropping one decision breaks the chain from that point. In the Command Center the two chains surface as:
| Chain | Entry type | Posture label |
|---|---|---|
| Substrate Guard Pro admission decisions | guard_decision | Substrate Guard, admission decisions |
| Edge Sentinel allow and deny decisions | edge_decision | Edge Sentinel, allow and deny decisions |
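
How a prev_entry_hash chain exposes an edited or dropped decision, as an added Python sketch that is not the suite's code or evidence pack format. The entry fields other than prev_entry_hash and policy_ref, the all-zero genesis value and the sorted-key JSON stand-in for RFC 8785 JCS are assumptions; the Falcon and ML-DSA signatures are omitted, and a separately trusted head hash stands in for them.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_entry_hash of the first entry

def canon(obj) -> bytes:
    # Stand-in for RFC 8785 JCS; matches it only for the ASCII strings
    # and small integers used in these constructed entries.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def content_ref(obj) -> str:
    return hashlib.sha256(canon(obj)).hexdigest()

def append(chain, entry_type, outcome, code, policy):
    """Link a new decision to the hash of the one before it."""
    chain.append({
        "entry_type": entry_type,            # guard_decision or edge_decision
        "outcome": outcome, "code": code,    # hypothetical field names
        "policy_ref": content_ref(policy),   # which policy was in force
        "prev_entry_hash": content_ref(chain[-1]) if chain else GENESIS,
    })

def first_break(chain, head_hash):
    """Index of the first entry whose link fails, len(chain) if only the
    trusted head hash disagrees, None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_entry_hash"] != prev:
            return i
        prev = content_ref(entry)
    return None if prev == head_hash else len(chain)

def demo():
    policy = {"max_depth": 8, "max_keys": 32}  # constructed policy
    chain = []
    for outcome, code in [("admit", ""), ("reject", "REJECT_OVER_DEPTH"),
                          ("admit", ""), ("admit", "")]:
        append(chain, "guard_decision", outcome, code, policy)
    head = content_ref(chain[-1])              # trusted out of band
    edited = [dict(e) for e in chain]
    edited[1]["outcome"] = "admit"             # rewrite a reject as an admit
    dropped = chain[:1] + chain[2:]            # remove the reject entirely
    truncated = chain[:-1]                     # cut off the newest decision
    return [first_break(c, head) for c in (chain, edited, dropped, truncated)]
```

The links alone do not catch a change to the newest entry or a truncated tail; that takes the per-entry signature or a trusted head hash, which is what `head_hash` models here.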
Honest scope
Layer 1 is a deterministic, structural property of the payload, reproducible byte for byte across independent implementations: that is what makes it a substrate guarantee. Layer 2 is runtime: stateful and environment aware, and presented as such, never as a byte parity claim. Keeping that line sharp is what keeps the substrate claims credible. Neither layer adds a new cryptographic primitive over the frozen Layer 1 substrate; both reuse the RFC 8785 JCS canonicalisation, SHA-256, and the Falcon and ML-DSA signing already in the platform.