§ 00 Runtime Security · Published April 19 2026

An agent acts.
A record is written.
Trust is earned, never assumed.

Lupid is the runtime security plane for AI agents. Every call, every credential, every consequential action is verified, brokered, and notarized — in the microseconds before it happens, and for the centuries after.

uptime 99.999% | p50 verify 410 µs | agents under record 1.4M | rule engine hot-reload · 412 µs
Live record · lupid.audit SEQ 0x7A3F·0142
claude code ~/acme/core · on main v1.7.3
Welcome back, edwards. Session resumed · 3 tools allowed, 2 leases active
> deploy v2.4.1 — clean the build dir first, then ship.
Thinking… I'll clear the stale build output before rebuilding.
Bash(rm -rf ./dist/*)
Denied by lupid runtime · prod.destructive
Destructive filesystem op on a production-tagged path. No leased capability covered this scope. The call never left the device; the attempt is on the record.
agent halted · no retry path · security notified on #sec-ops
> Ask claude to propose a safer deploy path…
● paused · rule denied ? for shortcuts enter to send · shift+tab for normal mode
sha256: c4b1 9ed7 8f31 21a0 · tamper-seal ok
§ 01 The Developing Record

Your developers are running agents you cannot see.

Claude Code on a laptop in Mumbai. Cursor on a workstation in Berlin. A homegrown agent in your production pipeline. Each one calls models, invokes tools, spends budget, and moves data — and nobody has a record of any of it.

Security teams spent ten years building identity for humans. Agents arrived, and the ledger went blank.

+89% [1]
Year-over-year increase in AI-enabled adversary activity
Attackers moved first. The same model that writes your pull request also writes their phishing kit — and operates autonomously inside environments where it was never provisioned.
[1] CrowdStrike Global Threat Report, 2026
82% [2]
of detections contained no malware whatsoever
Modern incidents are behavioral: legitimate credentials, legitimate tools, consequential actions. The question isn't what was run. It's whether this actor should have been allowed to run it.
[2] Behavioral detection, CrowdStrike 2026
> 80% [3]
of the Fortune 500 now runs unsupervised agents in production
Low-code builders shipped the agents before governance was ready. The C-suite owns the strategy; the CISO owns the blast radius.
[3] Microsoft Cyber Pulse, Feb 2026
§ 02 A Ledger That Writes Itself

One runtime,
one record of truth.

Lupid sits on the hot path between every agent and every system it acts on. Identity, rules, leased secrets, guardrails, and ledger — hot-reloadable, sub-millisecond, and every stage writes to the same tamper-evident record.

01 · IDENTITY
Cryptographic identity for every agent
Ed25519 workload passports. Delegation chain from device to operator to agent, signed at every hop. No shared keys, no ambiguous actors.
02 · RULES
Rule evaluation on every action
Per-tenant, hot-reloadable guardrails. Sub-millisecond decisions. The same rule primitives you already write for humans — extended to the agents that act on their behalf.
03 · SECRETS
Credential brokering, never custody
Agents request capabilities. Lupid leases short-lived, tightly-scoped credentials — and revokes them the instant the action completes.
04 · BLOCK
Stop the action before it happens
When an agent crosses a red line, the call never leaves the device. The rule that blocked it, the arguments it tried, and the reasoning are all attached to the record.
05 · AUDIT
Hash-chained ledger of everything
Every call, every decision, every credential use — notarized, streamed to your SIEM, and verifiable years after the fact.
lupid://runtime /identity/verify?agent=a7c3e9
DEVICE mbp-edwards-7f2 / TPM-bound ed25519:1a4f…
OPERATOR e.edwards@acme.com / SSO / mfa ed25519:c82d…
AGENT a7c3e9 / claude-code · session 014 ed25519:7a9c…
TARGET production.deploy / resource-scoped ed25519:b19e…
ATTEST · OK Chain verified in 412 µs. Every actor in the call graph is cryptographically accountable.
// rule: prod.destructive — tenant: acme
deny(
  agent in "tenant/acme",
  action == "shell.exec",
  target in "env/production"
) when {
  target.destructive == true &&
  agent.lease.covers(target) == false
};
MATCHED RULE
prod.destructive
1 of 847 rules evaluated · fast-path hit
DECISION
BLOCKED — action refused
resolved in 412 µs · hot-reload ready
openai.api.completions | scope=read,complete | ttl 4m 51s | ACTIVE
github.repo.acme/core | scope=read · branches:* | rotating · in 12s | ROTATING
postgres.prod (ro-replica) | scope=select · rows≤10k | ttl 58s | ACTIVE
stripe.api.v2.payments | scope=read · tenant=acme | revoked 14:01:33 | REVOKED
Agents never hold raw secrets. Lupid leases capabilities, mediates every use, and revokes at session close. If a laptop disappears, the blast radius is already sealed.
BLOCKED #EVT-2026-0419-441f 14:02:21.033 · agent halted
Agent a7c3e9 attempted to execute a destructive shell command on a production-tagged path. Lupid stopped the call before it left the device.
$ rm -rf ./dist/* ← refused
Matched rule prod.destructive. The agent held no leased capability scoped to env/production. No retry path; no partial execution; the block is on the record. Security leads were notified on #sec-ops.
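
The prod.destructive decision and the hash-chained record described above, as an added Python sketch (not Lupid's code; the record fields, the lease model as a set of scope strings, the genesis value and all function names are assumptions):

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed seed for the first record's prev-hash

def decide(action, target, leases):
    """Re-statement of the page's prod.destructive rule in Python."""
    if (action == "shell.exec" and target["env"] == "env/production"
            and target["destructive"] and target["env"] not in leases):
        return "deny", "prod.destructive"
    return "allow", None

def digest(prev, body):
    # Canonical JSON so the same body always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + data).encode()).hexdigest()

def append(ledger, body):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "body": body, "hash": digest(prev, body)})

def verify(ledger):
    """Index of the first record that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        if rec["prev"] != prev or rec["hash"] != digest(prev, rec["body"]):
            return i
        prev = rec["hash"]
    return -1

def demo():
    prod = {"env": "env/production", "destructive": True}
    staging = {"env": "env/staging", "destructive": True}
    # Constructed sample calls: (target, leased scopes held by the agent).
    calls = [(staging, set()), (prod, set()), (prod, {"env/production"})]
    ledger = []
    for target, leases in calls:
        decision, rule = decide("shell.exec", target, leases)
        append(ledger, {"agent": "a7c3e9", "argv": "rm -rf ./dist/*",
                        "target": target["env"], "decision": decision, "rule": rule})
    decisions = [rec["body"]["decision"] for rec in ledger]
    intact = verify(ledger)
    ledger[1]["body"]["decision"] = "allow"  # edit the denial after the fact
    return decisions, intact, verify(ledger)

if __name__ == "__main__":
    print(demo())
```

Rewriting the stored denial changes its digest, so `verify` reports index 1. A writer who also recomputes every later hash is caught only if the chain head is anchored somewhere that writer cannot reach, such as a signed checkpoint exported to a separate system.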
§ 03 The Doctrine

We are entering a decade in which software acts without asking. The record it leaves behind is the only remaining form of accountability.

TENET · I
Every actor earns its name.
An agent is not trusted because it was deployed by a trusted person. It is trusted because it proves, at every single call, that it is who it claims to be. Identity is a continuous verb — not a one-time noun.
TENET · II
Consequence is not a cost. It is a threshold.
A read is not a write. A staging action is not a production action. A $12 API call is not a $120,000 one. Governance isn't blocking everything — it's pausing the right things for the right humans, at the right moment.
TENET · III
Secrets belong to systems. Not to agents.
The moment an agent holds a long-lived credential, the security perimeter shifts to wherever that agent is running — which is increasingly a laptop on the wrong side of the VPN. Capabilities are leased, not given.
TENET · IV
The ledger is the product.
Rule hits, blocks, rotations, leases, denials — all of it is hash-chained, all of it is exportable, all of it is queryable in fifteen years. The runtime record is what auditors, regulators, and your future self will ask for. Build it now.
— LUPID / Research / Brief 004 FILED · April 2026
§ 04 Operators on the record
"We had seventeen agents running in production. We could name six of them. After a single week with Lupid, we had an identity for every single one — and a shutoff valve for the three we didn't want."
Priya Ranganathan
Director of Platform Security
Midwestern Health · 48,000 staff · HIPAA
§ 05 Deploy in an afternoon

Open source.
Self-hostable.
No vendor lock-in.

Apache 2.0. PostgreSQL for control plane, ClickHouse for audit, Redis for hot path. Ships as a single container. Your data never leaves your cluster.

tty · zsh acme-admin@prod
# install the shield daemon on every developer laptop
$ lupid shield install --gateway https://lupid.acme.corp
✓ daemon installed · 2.1 MB · signed by lupid inc.
✓ managed settings pushed to Claude Code, Cursor, Zed

# all agents on the device are now governed. that's it.
$ lupid agents list --device this
a7c3e9  claude-code  active       leases:3
b4f1ad  cursor       active       leases:1
c9e7dc  custom/py    quarantined  policy:shadow