§ 00·Runtime Security · Published April 19 2026

An agent acts.
The runtime decides.
Trust is earned. Never assumed.

Lupid is the runtime security plane for AI agents. Every call, every credential, every consequential action is verified, brokered, and notarized in the microseconds before it happens, and for the centuries after.

Live record · lupid.audit SEQ 0x7A3F·0142
claude code ~/acme/core · on main v1.7.3
Welcome back, edwards. Session resumed · 3 tools allowed, 2 leases active
> deploy v2.4.1, clean the build dir first, then ship.
Thinking… I'll clear the stale build output before rebuilding.
Bash(rm -rf ./dist/*)
Denied by lupid runtime · prod.destructive
Destructive filesystem op on a production-tagged path. No leased capability covered this scope. The call never left the device; the attempt is on the record.
agent halted · no retry path · security notified on #sec-ops
> Ask claude to propose a safer deploy path…
● paused · rule denied
sha256: c4b1 9ed7 8f31 21a0 · tamper-seal ok
§ 01·The Developing Record

Your developers are running agents you cannot see.

Claude Code on a laptop in Mumbai. Cursor on a workstation in Berlin. A homegrown Python agent in your production pipeline. Each one is calling models, running tools, spending budget, and moving data. Nobody is keeping a record.

Security teams spent ten years building identity for humans. Then agents showed up, and the ledger went blank.

+89% [1]
Year-over-year increase in AI-enabled adversary activity
Attackers got there first. The same models writing your pull requests are writing phishing kits, and they're running autonomously inside environments they were never provisioned for.
[1] CrowdStrike Global Threat Report, 2026
82% [2]
of detections contained no malware whatsoever
Most modern incidents look completely legitimate from the outside: real credentials, real tools, real authorisation. The question isn't what was run. It's whether this actor should have been allowed to run it.
[2] Behavioral detection, CrowdStrike 2026
>80% [3]
of the Fortune 500 now runs unsupervised agents in production
Low-code builders shipped the agents before governance was ready. The C-suite owns the strategy; the CISO owns the blast radius.
[3] Microsoft Cyber Pulse, Feb 2026
§ 02·A Ledger That Writes Itself

One runtime,
one record of truth.

Lupid sits on the hot path between every agent and the systems it touches. Identity checks, rule evaluation, leased secrets, guardrails, and the audit log all run inside one daemon. Decisions resolve in well under a millisecond, rules hot-reload without a restart, and every stage writes to the same tamper-evident record.

01 · IDENTITY
Cryptographic identity for every agent
Ed25519 workload passports. Delegation chain from device to operator to agent, signed at every hop. No shared keys, no ambiguous actors.
02 · RULES
Rule evaluation on every action
Per-tenant, hot-reloadable guardrails. Sub-millisecond decisions. The same rule primitives you already write for humans, now applied to the agents acting on their behalf.
03 · SECRETS
Credential brokering, never custody
Agents request capabilities. Lupid issues short-lived, tightly-scoped credentials and revokes them the instant the action completes.
04 · BLOCK
Stop the action before it happens
When an agent crosses a red line, the call never leaves the device. The rule that blocked it, the arguments it tried, and the reasoning are all attached to the record.
05 · AUDIT
Hash-chained ledger of everything
Every call, decision, and credential use is notarised, streamed to your SIEM, and stays verifiable years later.
lupid://runtime /identity/verify?agent=a7c3e9
DEVICE    mbp-edwards-7f2 / TPM-bound                ed25519:1a4f…
OPERATOR  e.edwards@acme.com / SSO / mfa             ed25519:c82d…
AGENT     a7c3e9 / claude-code · session 014         ed25519:7a9c…
TARGET    production.deploy / resource-scoped        ed25519:b19e…
ATTEST · OK Chain verified in 412 µs. Every actor in the call graph is cryptographically accountable.
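What that attestation does, written out as an added Go example (not Lupid's code): each hop carries the next hop's public key and scopes, signed by the hop before it, and the agent key signs every call. Names are taken from the panel above; the keys, the device root being a plain in-memory key rather than TPM-bound, and the agent's staging-only scope are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Hop is one link in the delegation chain: the holder's public key and the
// scopes it was granted, signed by the parent hop's private key. The device
// is the root; on the page it is TPM-bound, here it is a plain in-memory key.
type Hop struct {
	Role   string // "device", "operator", "agent"
	Name   string
	Pub    ed25519.PublicKey
	Scopes []string // e.g. "env/staging", "env/production"
	Sig    []byte   // parent's signature over payload()
}

// payload is what the parent signs; fixed field order and a hex key keep it unambiguous.
func (h Hop) payload() []byte {
	return []byte(h.Role + "\n" + h.Name + "\n" + fmt.Sprintf("%x", []byte(h.Pub)) + "\n" + strings.Join(h.Scopes, ","))
}

// subset reports whether every scope in child also appears in parent.
func subset(child, parent []string) bool {
	has := map[string]bool{}
	for _, p := range parent { has[p] = true }
	for _, c := range child { if !has[c] { return false } }
	return true
}

// Delegate mints a child hop signed by the parent. Scope can only narrow:
// a parent cannot hand down authority it does not hold itself.
func Delegate(parent Hop, parentPriv ed25519.PrivateKey, role, name string, scopes []string) (Hop, ed25519.PrivateKey, error) {
	if !subset(scopes, parent.Scopes) {
		return Hop{}, nil, fmt.Errorf("%s %q asks for scope outside %s's grant", role, name, parent.Role)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return Hop{}, nil, err }
	child := Hop{Role: role, Name: name, Pub: pub, Scopes: scopes}
	child.Sig = ed25519.Sign(parentPriv, child.payload())
	return child, priv, nil
}

// VerifyChain walks device -> operator -> agent from a root the runtime already
// trusts, checking every signature and that scope never widens hop to hop.
func VerifyChain(chain []Hop, trustedRoot ed25519.PublicKey) error {
	if len(chain) == 0 || !chain[0].Pub.Equal(trustedRoot) {
		return errors.New("chain does not start at a trusted device key")
	}
	for i := 1; i < len(chain); i++ {
		parent, hop := chain[i-1], chain[i]
		if !ed25519.Verify(parent.Pub, hop.payload(), hop.Sig) {
			return fmt.Errorf("hop %d (%s %s): signature by %s does not verify", i, hop.Role, hop.Name, parent.Role)
		}
		if !subset(hop.Scopes, parent.Scopes) {
			return fmt.Errorf("hop %d (%s %s): scope wider than %s's", i, hop.Role, hop.Name, parent.Role)
		}
	}
	return nil
}

// AuthorizeCall is the per-call check (Tenet I): chain intact, the leaf agent
// key signed this exact action+target, and the target is inside its scope.
func AuthorizeCall(chain []Hop, root ed25519.PublicKey, action, target string, callSig []byte) error {
	if err := VerifyChain(chain, root); err != nil { return err }
	leaf := chain[len(chain)-1]
	if !ed25519.Verify(leaf.Pub, []byte(action+"\n"+target), callSig) {
		return errors.New("call is not signed by the agent key at the end of the chain")
	}
	if !subset([]string{target}, leaf.Scopes) {
		return fmt.Errorf("target %s is outside agent scope %v", target, leaf.Scopes)
	}
	return nil
}

// BuildDemoChain mirrors the /identity/verify panel: device -> operator ->
// agent a7c3e9. Names are the page's; the staging-only agent scope is assumed.
func BuildDemoChain() ([]Hop, ed25519.PublicKey, ed25519.PrivateKey, error) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, nil, err }
	all := []string{"env/staging", "env/production"}
	device := Hop{Role: "device", Name: "mbp-edwards-7f2", Pub: devPub, Scopes: all}
	operator, opPriv, err := Delegate(device, devPriv, "operator", "e.edwards@acme.com", all)
	if err != nil { return nil, nil, nil, err }
	agent, agentPriv, err := Delegate(operator, opPriv, "agent", "a7c3e9", []string{"env/staging"})
	if err != nil { return nil, nil, nil, err }
	return []Hop{device, operator, agent}, devPub, agentPriv, nil
}

func main() {
	chain, root, agentPriv, err := BuildDemoChain()
	if err != nil { panic(err) }
	for _, target := range []string{"env/staging", "env/production"} {
		sig := ed25519.Sign(agentPriv, []byte("shell.exec\n"+target)) // the agent signs each call
		fmt.Printf("shell.exec on %-14s -> %v\n", target, AuthorizeCall(chain, root, "shell.exec", target, sig))
	}
}
```

Widening the agent's scopes after the fact invalidates the operator's signature over that hop, and a call outside the leaf scope is refused even when the whole chain verifies. Real deployments would also bind the device hop to hardware (the page's TPM) and put expiry in the payload; neither is shown here.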
// rule: prod.destructive · tenant: acme
deny(
  agent  in "tenant/acme",
  action == "shell.exec",
  target in "env/production"
) when {
  target.destructive == true &&
  agent.lease.covers(target) == false
};
MATCHED RULE
prod.destructive
1 of 847 rules evaluated · fast-path hit
DECISION
BLOCKED · action refused
resolved in 412 µs · hot-reload ready
CAPABILITY                   SCOPE                     TTL / STATE
openai.api.completions       read,complete             ttl 4m 51s · ACTIVE
github.repo.acme/core        read · branches:*         rotating in 12s · ROTATING
postgres.prod (ro-replica)   select · rows≤10k         ttl 58s · ACTIVE
stripe.api.v2.payments       read · tenant=acme        revoked 14:01:33 · REVOKED
Agents never hold raw secrets. Lupid leases capabilities, mediates every use, and revokes at session close. If a laptop disappears, the blast radius is already sealed.
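The rule shown above and the lease table together, as an added Go example rather than Lupid's engine: a lease broker with TTL and revocation, a Covers check standing in for agent.lease.covers(target), and the prod.destructive rule evaluated against the agent's live leases. Names follow the page; the lease IDs, the in-memory broker and path-prefix matching of resources are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Lease is a brokered capability: scoped, short-lived, revocable. The agent
// sees only the lease ID; the backing credential stays inside the runtime.
type Lease struct {
	ID        string
	Agent     string
	Resource  string   // "env/production", "postgres.prod", ...
	Scope     []string // actions it permits: "shell.exec", "select", ...
	ExpiresAt time.Time
	Revoked   bool
}

// Covers is agent.lease.covers(target) from the page's rule: not revoked, not
// expired, resource matches exactly or as a parent path, action is in scope.
func (l *Lease) Covers(target, action string, now time.Time) bool {
	if l.Revoked || !now.Before(l.ExpiresAt) { return false }
	if target != l.Resource && !strings.HasPrefix(target, l.Resource+"/") { return false }
	for _, s := range l.Scope { if s == action || s == "*" { return true } }
	return false
}

// Broker issues, lists and revokes leases. In-memory here (assumed); the page's
// runtime would keep this in its hot-path store.
type Broker struct {
	leases map[string]*Lease
	seq    int
}

func NewBroker() *Broker { return &Broker{leases: map[string]*Lease{}} }

// Issue hands out a lease with a hard expiry; nothing is ever issued open-ended.
func (b *Broker) Issue(agent, resource string, scope []string, ttl time.Duration, now time.Time) *Lease {
	b.seq++
	l := &Lease{ID: fmt.Sprintf("lease-%04d", b.seq), Agent: agent, Resource: resource, Scope: scope, ExpiresAt: now.Add(ttl)}
	b.leases[l.ID] = l
	return l
}

// Revoke is called when the action completes or the session closes.
func (b *Broker) Revoke(id string) {
	if l, ok := b.leases[id]; ok { l.Revoked = true }
}

// ActiveFor returns the agent's live leases; revoked and expired ones are dropped.
func (b *Broker) ActiveFor(agent string, now time.Time) []*Lease {
	var out []*Lease
	for _, l := range b.leases {
		if l.Agent == agent && !l.Revoked && now.Before(l.ExpiresAt) { out = append(out, l) }
	}
	return out
}

// Call is what the runtime sees on the hot path before the action runs.
type Call struct {
	Tenant, Agent, Action, Target string
	Destructive                   bool
}

type Decision struct {
	Allowed bool
	Rule    string // rule that denied, "" if none
	Reason  string
}

// Rule is a named deny predicate over the call and the agent's live leases.
type Rule struct {
	Name string
	Deny func(c Call, leases []*Lease, now time.Time) (bool, string)
}

// ProdDestructive is the page's prod.destructive rule compiled by hand into Go:
// deny shell.exec on env/production by a tenant/acme agent when the call is
// destructive and no live lease covers the target.
func ProdDestructive() Rule {
	return Rule{Name: "prod.destructive", Deny: func(c Call, leases []*Lease, now time.Time) (bool, string) {
		if c.Tenant != "acme" || c.Action != "shell.exec" || !strings.HasPrefix(c.Target, "env/production") || !c.Destructive {
			return false, ""
		}
		for _, l := range leases { if l.Covers(c.Target, c.Action, now) { return false, "" } }
		return true, "destructive op on a production-tagged path; no leased capability covers this scope"
	}}
}

// Evaluate runs rules in order and stops at the first deny (the page's
// "fast-path hit"). Deny rules only: a call no rule objects to passes, so an
// allow-list stage would sit in front of this in a real engine.
func Evaluate(rules []Rule, c Call, leases []*Lease, now time.Time) Decision {
	for _, r := range rules {
		if deny, why := r.Deny(c, leases, now); deny { return Decision{Rule: r.Name, Reason: why} }
	}
	return Decision{Allowed: true}
}

func main() {
	now := time.Date(2026, 4, 19, 14, 2, 21, 0, time.UTC)
	b := NewBroker()
	b.Issue("a7c3e9", "env/staging", []string{"shell.exec"}, 5*time.Minute, now)
	rules := []Rule{ProdDestructive()}
	call := Call{Tenant: "acme", Agent: "a7c3e9", Action: "shell.exec", Target: "env/production/dist", Destructive: true}
	fmt.Printf("%+v\n", Evaluate(rules, call, b.ActiveFor(call.Agent, now), now)) // blocked: staging lease only
	prod := b.Issue("a7c3e9", "env/production", []string{"shell.exec"}, time.Minute, now)
	fmt.Printf("%+v\n", Evaluate(rules, call, b.ActiveFor(call.Agent, now), now)) // allowed while the lease is live
	b.Revoke(prod.ID)
	fmt.Printf("%+v\n", Evaluate(rules, call, b.ActiveFor(call.Agent, now), now)) // blocked again
}
```

The point of routing coverage through the broker is that expiry and revocation change the decision without touching a rule: the same prod.destructive rule blocks before the lease, passes while it is live, and blocks again the moment it expires or is revoked.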
BLOCKED #EVT-2026-0419-441f 14:02:21.033 · agent halted
Agent a7c3e9 attempted to execute a destructive shell command on a production-tagged path. Lupid stopped the call before it left the device.
$ rm -rf ./dist/* ← refused
Matched rule prod.destructive. The agent held no leased capability scoped to env/production. No retry path; no partial execution; the block is on the record. Security leads were notified on #sec-ops.
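The hash chain behind "tamper-seal ok", as an added Go example (not Lupid's ledger): each entry hashes its own fields plus the previous entry's hash, the head hash is the seal, and verification checks both the links and a seal held off-box. The three sample events are constructed from the block record above; the field layout and the JSON canonicalisation are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Entry is one notarised event. Hash commits to every field including Prev,
// so editing, deleting or reordering any entry breaks every hash after it.
type Entry struct {
	Seq  uint64
	At   time.Time
	Kind string            // "call", "decision", "lease.issue", "lease.revoke", "block", ...
	Body map[string]string // event detail: the rule, the argv, the lease ID ...
	Prev string            // hex hash of the previous entry, "" for the first
	Hash string
}

// digest hashes a canonical JSON encoding of the entry minus its own Hash.
// encoding/json writes struct fields in order and map keys sorted, so the
// same entry always hashes the same way.
func (e Entry) digest() string {
	payload, _ := json.Marshal(struct {
		Seq  uint64
		At   time.Time
		Kind string
		Body map[string]string
		Prev string
	}{e.Seq, e.At, e.Kind, e.Body, e.Prev})
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// Ledger is the append-only chain. In-memory here (assumed); the page's
// runtime streams it to ClickHouse and the SIEM.
type Ledger struct{ Entries []Entry }

// Append notarises an event and links it to the current head.
func (l *Ledger) Append(at time.Time, kind string, body map[string]string) Entry {
	e := Entry{Seq: uint64(len(l.Entries)), At: at, Kind: kind, Body: body}
	if n := len(l.Entries); n > 0 { e.Prev = l.Entries[n-1].Hash }
	e.Hash = e.digest()
	l.Entries = append(l.Entries, e)
	return e
}

// Seal is the head hash. Export it off-box after every batch: a chain rewritten
// and rehashed from some point on still self-verifies, and a truncated one does
// too, but neither reproduces the seal you already hold.
func (l *Ledger) Seal() string {
	if len(l.Entries) == 0 { return "" }
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes every hash and link, then compares the head to an
// externally held seal ("" skips that step). Returns the index of the first
// bad entry (len(Entries) for a seal mismatch), or -1 when the log is intact.
func (l *Ledger) Verify(expectedSeal string) (int, error) {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != uint64(i) || e.Prev != prev || e.Hash != e.digest() {
			return i, fmt.Errorf("entry %d: chain broken (seq, prev or hash mismatch)", i)
		}
		prev = e.Hash
	}
	if expectedSeal != "" && prev != expectedSeal {
		return len(l.Entries), fmt.Errorf("head %s does not match exported seal %s: log truncated or rewritten", short(prev), short(expectedSeal))
	}
	return -1, nil
}

// short renders the first 64 bits of a hash the way the page does: "c4b1 9ed7 8f31 21a0".
func short(h string) string {
	if len(h) < 16 { return h }
	var parts []string
	for i := 0; i < 16; i += 4 { parts = append(parts, h[i:i+4]) }
	return strings.Join(parts, " ")
}

func ok(i int, err error) string {
	if err != nil { return fmt.Sprintf("FAILED at entry %d: %v", i, err) }
	return "ok"
}

func main() {
	// Constructed sample: the page's blocked rm -rf as three chained events.
	l := &Ledger{}
	at := time.Date(2026, 4, 19, 14, 2, 21, 33000000, time.UTC)
	l.Append(at, "call", map[string]string{"agent": "a7c3e9", "action": "shell.exec", "argv": "rm -rf ./dist/*", "target": "env/production"})
	l.Append(at, "decision", map[string]string{"rule": "prod.destructive", "result": "BLOCKED"})
	l.Append(at, "block", map[string]string{"event": "EVT-2026-0419-441f", "notify": "#sec-ops"})
	seal := l.Seal()
	fmt.Println("sha256:", short(seal), "· tamper-seal", ok(l.Verify(seal)))
	l.Entries[0].Body["argv"] = "ls ./dist" // rewrite history: the entry no longer hashes to itself
	fmt.Println("after edit:", ok(l.Verify(seal)))
}
```

The chain alone catches an edit to any stored entry. It does not catch someone who rewrites an entry and recomputes every hash after it, or who simply drops the tail; only comparing the head to a seal already exported to the SIEM does, which is why the page streams the record off the device rather than keeping it local.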
§ 03·The Doctrine

Software is starting to act without asking. The record it leaves behind is the only thing left to hold it accountable.

TENET · I
Identity gets proved on every call.
An agent isn't trusted because someone trustworthy deployed it. It earns trust by proving, on every single call, that it is who it claims to be. Continuous verification, not one-time enrollment.
TENET · II
Not every action is equal.
A read isn't a write. A staging action isn't a production action. A $12 API call isn't a $120,000 one. Good governance isn't about blocking everything; it's about pausing the right things for the right person at the right moment.
TENET · III
Secrets belong to systems, not to agents.
Once an agent holds a long-lived credential, your security perimeter moves with the agent. That's a problem when the agent is running on a laptop outside your VPN. Lease capabilities instead. Issue them when they're needed, revoke them when they're not.
TENET · IV
The audit log is part of the product.
Rule hits, blocks, rotations, leases, denials. All of it gets hash-chained, exported on demand, and stays queryable for years. This is what auditors and regulators will ask for, and what you'll wish you had when something goes wrong.
LUPID / Research / Brief 004 FILED · April 2026
§ 04·From the brief
The runtime stands between the agent and the consequence. Identity is verified, the rule is checked, and the call is either refused or sealed, all before the action leaves the device. Nothing happens that the runtime didn't see, and nothing the runtime saw can be edited later.
Lupid Research
Brief 002 · Standing between
FILED · APRIL 2026
§ 05·Deploy in an afternoon

Open source.
Self-hostable.
No vendor lock-in.

Apache 2.0. PostgreSQL for the control plane, ClickHouse for the audit store, Redis for the hot path. Ships as a single container. Your data never leaves your cluster.

tty · zsh acme-admin@prod
# install the shield daemon on every developer laptop
$ lupid shield install --gateway https://lupid.acme.corp
✓ daemon installed · 2.1 MB · signed by lupid inc.
✓ managed settings pushed to Claude Code, Cursor, Zed
# all agents on the device are now governed. that's it.
$ lupid agents list --device this
a7c3e9  claude-code  active       leases:3
b4f1ad  cursor       active       leases:1
c9e7dc  custom/py    quarantined  policy:shadow