Engineering notes, research briefs, and field reports from the team building Lupid. We write when we have something we'd want to read ourselves — rarely, slowly, with the work in front of us.
How a governance plane in the agent's path turns the lethal trifecta from inevitable into observable.
On April 24, 2026, Google shipped emergency releases of gemini-cli after Pillar Security demonstrated that a single public GitHub issue could compromise the supply chain of a 101k-star repository. Pillar's analysis named the bug Trust Issues. This is a step-by-step reading of the same chain through an enforcement layer that sits in the agent's network and tool path.
A walkthrough of an autonomous agent incident, the runtime that caught it, and what the record looks like twenty-four hours later.
Field Engineering
Why the audit log is not an artifact of security work. It is the work. A short essay on what changes when the record becomes the product.
Manifesto