Show HN: Vectimus – Cedar policy enforcement for AI coding agents
hackernews
📦 Open source
#ai deal
#ai coding agents
#cedar policy
#claude
#gemini
#vectimus
#security enforcement
#agent frameworks
Original source: hackernews · Summarized and analyzed by Genesis Park
Summary
Vectimus is a security solution that uses Cedar policies to control the tool calls and frameworks of AI coding agents, blocking security threats such as dangerous command execution, secret key exposure and infrastructure deletion before they happen. It ships policy packs written from analysis of real incidents such as npm package publishing attacks and Terraform configuration mishaps; evaluation takes under 10ms and installation needs no separate configuration. It also maps to major security compliance standards such as OWASP and NIST to support enterprise compliance.
Body
Cedar policies for every AI agent action. Coding tools and agentic frameworks. Every evaluation under 10ms. Zero config.

```
pipx install vectimus
vectimus init
```

That's it. Cedar policies evaluate every tool call, whether from a coding agent in your terminal or a framework agent in production. Dangerous commands, secret access, infrastructure changes and supply chain attacks are blocked before execution.

Every policy references the real-world incident that motivated it. No "best practice" filler.

| Pack | What it blocks | Example |
|---|---|---|
| Destructive Ops | `rm -rf`, `terraform destroy`, `docker system prune` | Production wipe prevention |
| Secrets | Credential file access, env variable exposure | `.env`, AWS keys, SSH keys |
| Supply Chain | `npm publish`, `pip install` from URLs, registry tampering | Clinejection-class attacks |
| Infrastructure | `terraform apply`, `kubectl delete`, cloud CLI mutations | Unreviewed infra changes |
| Code Execution | `eval()`, `exec()`, unsafe interpreter invocations | Code injection via agents |
| Data Exfiltration | `curl` to external hosts, file upload, data piping | Credential theft, data leakage |
| File Integrity | Writes to `.vectimus/`, sensitive config paths | Governance tampering |
| Database | Direct database CLI access, credential harvesting | Unauthorized data access |
| Git Safety | `git push --force`, history rewriting, credential commits | Repository damage |
| MCP Safety | Unapproved MCP servers, dangerous tool parameters | MCP server supply chain |
| Agent Governance | Unchecked agent spawning, goal hijacking, rogue agents | Multi-agent control |

11 packs. Browse all policies →

Maps to OWASP Agentic Top 10 (all 10 categories), SOC 2, NIST AI RMF, NIST CSF 2.0, ISO 27001 and EU AI Act. Full compliance mappings →

AI coding agents and agentic frameworks run shell commands, write files, install packages and call APIs.
Without a governance layer, every agent you deploy is an unmonitored service account with production access and no audit trail. These are not hypothetical risks:

- Clinejection (Feb 2026) - A prompt injection in a GitHub issue title caused an AI agent to publish backdoored npm packages. 4,000 developer machines compromised in 8 hours.
- Terraform destroy incident (Feb 2026) - An AI agent unpacked old Terraform configs and ran `terraform destroy`, wiping a production VPC, RDS database and ECS cluster.
- IDEsaster (Dec 2025) - Researchers found 30+ vulnerabilities across Cursor, Windsurf and GitHub Copilot. 24 CVEs assigned.
- Trivy/LiteLLM cascade (Mar 2026) - Compromised security scanner cascaded credentials to LiteLLM (3.4M daily PyPI downloads). 5 ecosystems affected, 36% of cloud environments impacted.

Vectimus is a defense-in-depth layer. Whatever permission setup your team uses, Vectimus adds deterministic policy evaluation underneath. Same input, same decision, every time.

```cedar
@id("vectimus-supchain-001")
@description("Block npm publish to prevent supply-chain attacks")
@incident("Clinejection: malicious npm packages published by compromised AI agent, Feb 2026")
@controls("SLSA-L2, SOC2-CC6.8, NIST-AI-MG-3.2, EU-AI-15")
forbid (
  principal,
  action == Vectimus::Action::"package_operation",
  resource
) when {
  context.command like "*npm publish*"
};
```

Every rule has an `@incident` annotation linking it to the attack it prevents and `@controls` mapping it to compliance frameworks. Governance rules backed by real attacks are compelling. Rules that exist "because best practice" are not.

Vectimus checks for policy updates in the background every 24 hours. New rules ship when new threats appear.
```
vectimus policy update   # Pull latest now
vectimus policy status   # Check version and sync info
```

Behind the scenes, Sentinel runs a three-agent pipeline daily:

- Threat Hunter scans the agentic AI security landscape for new incidents (MCP vulnerabilities, tool poisoning, agent exploitation) and classifies them against OWASP, NIST and CIS frameworks
- Security Engineer drafts Cedar policies and replays the incident in a sandbox to prove the policy catches the attack before opening a PR
- Threat Analyst writes the advisory and incident analysis for the public threat feed

A human reviews every PR. The policy ships. The package is updated and users can either run `vectimus policy update` manually or enable auto policy updates. The entire pipeline is governed by Vectimus itself. The agents that write governance rules operate under the same governance system.

Live threat dashboard → | Incident blog posts →

| Claude Code | Cursor | GitHub Copilot | Gemini CLI |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |

| LangGraph | Google ADK | Claude Agent SDK |
|---|---|---|
| ✅ | ✅ | ✅ |

Same Cedar policies govern both. One install. Works on macOS, Linux and Windows.

LangGraph / LangChain integration

```python
from vectimus.integrations.langgraph import VectimusMiddleware

middleware = VectimusMiddleware(
    policy_dir="./policies",  # Optional, defaults to bundled policies
    observe_mode=False,       # Optional, defaults to False
)
```
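To make the forbid rule above and the middleware's `observe_mode` flag concrete, here is an added illustration that is neither Vectimus's code nor the Cedar engine: a minimal Python evaluator implementing Cedar's `like` wildcard and its combination rule (any matching forbid denies; otherwise a matching permit allows; otherwise the default is deny), run over constructed tool calls. The `Policy` class, `evaluate` function and the broad `allow-package-ops` permit are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    """One Cedar-style rule, reduced to the parts this illustration needs (assumed shape)."""
    policy_id: str
    effect: str                            # "permit" or "forbid"
    action: str                            # e.g. "package_operation"; "*" = any action
    command_pattern: Optional[str] = None  # Cedar `like` pattern over context.command
    incident: str = ""                     # value of the @incident annotation

def like(pattern: str, value: str) -> bool:
    """Cedar's `like` operator: `*` matches any run of characters, `\\*` is a literal star."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("\\*", i):
            regex, i = regex + re.escape("*"), i + 2
        elif pattern[i] == "*":
            regex, i = regex + ".*", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def matches(policy: Policy, action: str, command: str) -> bool:
    if policy.action != "*" and policy.action != action:
        return False
    return policy.command_pattern is None or like(policy.command_pattern, command)

def evaluate(action: str, command: str, policies: list, observe_mode: bool = False) -> dict:
    """Cedar authorization semantics: a matching forbid always wins; otherwise a matching
    permit allows; with no matching permit the answer is deny. In observe_mode the
    decision is reported but nothing is blocked (modelled on the middleware flag)."""
    forbids = [p for p in policies if p.effect == "forbid" and matches(p, action, command)]
    permits = [p for p in policies if p.effect == "permit" and matches(p, action, command)]
    decision = "deny" if forbids or not permits else "allow"
    return {
        "decision": decision,
        "blocked": decision == "deny" and not observe_mode,
        "reasons": [(p.policy_id, p.incident) for p in (forbids or permits)],
    }

# Constructed policy set: the page's supply-chain rule plus a broad permit (assumed)
# so that ordinary package commands get through.
POLICIES = [
    Policy("vectimus-supchain-001", "forbid", "package_operation", "*npm publish*",
           "Clinejection: malicious npm packages published by compromised AI agent, Feb 2026"),
    Policy("allow-package-ops", "permit", "package_operation"),
]

if __name__ == "__main__":
    for cmd in ["npm publish --access public", "npm install lodash"]:
        print(cmd, "->", evaluate("package_operation", cmd, POLICIES))
```

Because the decision depends only on the request and the policy set, the same input yields the same decision on every run, which is the determinism property the page contrasts with model-driven permission prompts.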
This analysis was written by the Genesis Park editorial team with the help of AI. The original can be read via the source link.