Vectimus

Cedar policies for every AI agent action. Coding tools and agentic frameworks. Every evaluation under 5ms. Zero config.

<p align="center"> <img src="demo.gif" alt="Claude Code session with Vectimus blocking rm -rf, terraform destroy and force push while allowing safe commands" width="720"> </p>

Install

pipx install vectimus
vectimus init

That's it. Cedar policies evaluate every tool call — whether from a coding agent in your terminal or a framework agent in production. Dangerous commands, secret access, infrastructure changes and supply chain attacks blocked before execution.

Why this exists

AI coding agents and agentic frameworks run shell commands, write files, install packages and call APIs. Without a policy layer, nothing stands between a prompt injection and rm -rf /.

These are not hypothetical risks:

• Clinejection (Feb 2026) — A prompt injection in a GitHub issue title caused an AI agent to publish backdoored npm packages. 4,000 developer machines compromised in 8 hours.
• Terraform destroy incident (Feb 2026) — An AI agent unpacked old Terraform configs and ran terraform destroy, wiping a production VPC, RDS database and ECS cluster.
• IDEsaster (Dec 2025) — Researchers found 30+ vulnerabilities across Cursor, Windsurf and GitHub Copilot. 24 CVEs assigned.

Vectimus is a defense-in-depth layer. Whatever permission setup your team uses, Vectimus adds deterministic policy evaluation underneath. Same input, same decision, every time.

What it catches

Every policy references the real-world incident that motivated it. No "best practice" filler.

| Pack | What it blocks | Example | |------|---------------|---------| | Destructive Ops | rm -rf, terraform destroy, docker system prune | Production wipe prevention | | Secrets | Credential file access, env variable exposure | .env, AWS keys, SSH keys | | Supply Chain | npm publish, pip install from URLs, registry tampering | Clinejection-class attacks | | Infrastructure | terraform apply, kubectl delete, cloud CLI mutations | Unreviewed infra changes | | Code Execution | eval(), exec(), unsafe interpreter invocations | Code injection via agents | | Data Exfiltration | curl to external hosts, file upload, data piping | Credential theft, data leakage | | File Integrity | Writes to .vectimus/, sensitive config paths | Governance tampering | | Database | Direct database CLI access, credential harvesting | Unauthorized data access | | Git Safety | git push --force, history rewriting, credential commits | Repository damage | | MCP Safety | Unapproved MCP servers, dangerous tool parameters | MCP server supply chain | | Agent Governance | Unchecked agent spawning, goal hijacking, rogue agents | Multi-agent control |

11 packs. Browse all policies →

Maps to OWASP Agentic Top 10 (all 10 categories), SOC 2, NIST AI RMF, NIST CSF 2.0, ISO 27001 and EU AI Act. Full compliance mappings →

Example policy

@id("vectimus-supchain-001")
@description("Block npm publish to prevent supply-chain attacks")
@incident("Clinejection: malicious npm packages published by compromised AI agent, Feb 2026")
@controls("SLSA-L2, SOC2-CC6.8, NIST-AI-MG-3.2, EU-AI-15")
forbid (
    principal,
    action == Vectimus::Action::"package_operation",
    resource
) when {
    context.command like "*npm publish*"
};

Every rule has an @incident annotation linking it to the attack it prevents and @controls mapping it to compliance frameworks. Governance rules backed by real attacks are compelling. Rules that exist "because best practice" are not.

Policies that stay current

Vectimus checks for policy updates in the background every 24 hours. New rules ship when new threats appear.

vectimus policy update    # Pull latest now
vectimus policy status    # Check version and sync info

Behind the scenes, Sentinel runs a three-agent pipeline daily:

• Threat Hunter scans the agentic AI security landscape for new incidents -- MCP vulnerabilities, tool poisoning, agent exploitation -- and classifies them against OWASP, NIST and CIS frameworks
• Security Engineer drafts Cedar policies and replays the incident in a sandbox to prove the policy catches the attack before opening a PR
• Threat Analyst writes the advisory and incident analysis for the public threat feed

A human reviews every PR. The policy ships. The package is updated and users can either run vectimus policy update manually or enable auto policy updates.

The entire pipeline is governed by Vectimus itself. The agents that write governance rules operate under the same governance system.

Live threat dashboard → | Incident blog posts →

Works with

Coding tools

| Claude Code | Cursor | GitHub Copilot | Gemini CLI | |:-----------:|:------:|:--------------:|:----------:| | ✅ | ✅ | ✅ | ✅ |

Agent frameworks

| LangGraph | Google ADK | Claude Agent SDK | |:---------:|:----------:|:----------------:| | ✅ | ✅ | ✅ |

Same Cedar policies govern both. One install.

<details> <summary><strong>LangGraph / LangChain integration</strong></summary>

Agent middleware

from vectimus.integrations.langgraph import VectimusMiddleware

middleware = VectimusMiddleware(
    policy_dir="./policies",   # Optional, defaults to bundled policies
    observe_mode=False,        # Optional, defaults to False
)

agent = create_agent(
    model="openai:gpt-4.1",
    tools=my_tools,
    middleware=[middleware],
)

MCP interceptor

from vectimus.integrations.langgraph import create_interceptor

interceptor = create_interceptor(
    policy_dir="./policies",
    observe_mode=False,
)

client = MultiServerMCPClient(
    {...},
    tool_interceptors=[interceptor],
)

Both support observe mode for trialling without enforcement.

</details> <details> <summary><strong>Google ADK integration</strong></summary>

Runner plugin (recommended)

from vectimus.integrations.adk import VectimusADKPlugin

plugin = VectimusADKPlugin(
    policy_dir="./policies",   # Optional, defaults to bundled policies
    observe_mode=False,        # Optional, defaults to False
)

runner = Runner(
    agent=my_agent,
    app_name="my-app",
    session_service=session_service,
    plugins=[plugin],
)

Per-agent callback

from vectimus.integrations.adk import create_before_tool_callback

callback = create_before_tool_callback(
    policy_dir="./policies",
    observe_mode=False,
)

agent = LlmAgent(
    name="MyAgent",
    model="gemini-2.0-flash",
    before_tool_callback=callback,
)

</details>

How it works

┌─────────────┐     ┌───────────────┐     ┌──────────────┐     ┌──────────┐
│  AI Agent   │────▶│   Vectimus    │────▶│ Cedar Policy │────▶│ allow /  │
│ (tool call) │     │  Normaliser   │     │   Engine     │     │ deny /   │
│             │◀────│               │◀────│              │◀────│ escalate │
└─────────────┘     └───────────────┘     └──────────────┘     └──────────┘
                           │
                           ▼
                    ┌──────────────┐
                    │  Audit Log   │
                    │  (JSONL)     │
                    └──────────────┘

• Normaliser translates tool-specific payloads (Claude Code, Cursor, Copilot, Gemini CLI) into a unified Cedar request format
• Cedar Engine evaluates all loaded policies deterministically. No LLM in the loop. Same input, same decision.
• Audit Log records every decision with full context for compliance evidence and incident investigation

Evaluation is entirely local. Zero telemetry. The only network call is a background policy update check every 24 hours (disable with vectimus policy auto-update off). Cedar is the same policy language used by AWS AgentCore Policy and Amazon Verified Permissions.

MCP server governance

Vectimus blocks all MCP tool calls by default. During vectimus init it reads your existing tool configs and offers to approve the MCP servers you already use:

MCP servers detected:
  Claude Code:  posthog, slack
  Cursor:       github

Allow all 3 servers? [y/N]:

Manage the allowlist at any time:

vectimus mcp allow github
vectimus mcp allow slack
vectimus mcp list

Approved servers still go through input inspection rules that check for credential paths, CI/CD tampering and dangerous commands in tool parameters.

Observe mode

Trial Vectimus without blocking anything. Observe mode logs all decisions but always allows actions.

vectimus observe on       # Log only, no