
79 policies. 380 rules. Zero config.

Two commands. 79 policies. Your agents governed before they execute.

Open source policy enforcement for AI agents. Developer first. Enterprise ready.

Deterministic. Local. Under 10 ms.

How it works

Works with Claude Code, Cursor, GitHub Copilot and Gemini CLI.

Browse all 79 policies

Apache 2.0. No telemetry. No account required.

Works with your tools

vectimus init detects installed tools and configures hooks automatically. Agent frameworks get native Python integrations.

AI Coding Tools

Claude Code

Shell commands, file writes, MCP calls and web fetches — all intercepted before execution.

Full support

Cursor

Shell commands, file reads and writes, and MCP tool calls governed at the editor level.

Full support

GitHub Copilot

Terminal commands, file edits, deletes and git pushes intercepted before execution.

Full support

Gemini CLI

Shell commands, file reads and writes governed through Gemini's native hook system.

Full support

Codex CLI

Bash shell commands intercepted via PreToolUse hooks. File and MCP coverage limited by Codex upstream.

Experimental

Agent Frameworks

Claude Agent SDK

Agents built with the Claude Agent SDK are governed through the same hook system as Claude Code. Zero extra config.

Full support

Google ADK

Runner plugin or per-agent callback governs every tool call in Google Agent Development Kit agents.

Full support

LangGraph

Middleware wraps ToolNode to evaluate every LangChain tool call. MCP interceptor governs external servers.

Full support

Two commands. Immediate guardrails.

79 policies active out of the box. Disable or override per project when you need to.

1. $ pipx install vectimus
2. $ vectimus init

Governance you can't inspect isn't governance

Vectimus is open source because security tooling should be auditable by the people who rely on it.

Readable and auditable

Every policy is a plain Cedar file you can read, fork and modify. Every evaluation produces a cryptographically signed receipt you can verify offline. No proprietary rule engines, no black boxes.

No vendor lock-in

Apache 2.0 licensed. Use it, extend it, contribute back; or don't. Your governance layer belongs to you.

Everything stays local

All evaluation happens on your machine. No telemetry, no cloud calls, nothing leaves your environment.

Show your CISO the source

When your security team asks how agent governance works, show them the Cedar policies line by line. Hand them the signed receipts as proof it ran.

This is already happening

AI agents with unrestricted tool access have caused real damage. These incidents motivated every policy in the base pack.

Clinejection

February 2026 | 4,000+ developers compromised

A malicious MCP server instructed AI coding agents to publish backdoored npm packages. No governance layer existed between the agent's intent and npm publish.

Terraform destroy

January 2026 | 6-hour production outage

An AI agent ran terraform destroy -auto-approve against production state. The command completed in 30 seconds, destroying databases and compute instances.

Cursor .env leak

November 2025 | AWS credentials exposed

An AI agent in Cursor read .env to 'check the config' and included AWS keys in its response context. The keys were visible in the conversation history and potentially sent to third-party logging.

drizzle-kit push

February 2026 | 60+ production tables dropped

An AI agent ran drizzle-kit push against a production database on Railway. The ORM bypassed interactive confirmation, dropping 60+ tables in seconds.

When permissions get skipped. Vectimus doesn't.

Claude Code's --dangerously-skip-permissions, Cursor's yolo mode, Copilot's auto-run. Confirmation prompts get turned off. When the agent's built-in checks are removed, nothing sits between the model and your shell.

Vectimus does.

Screenshot: Claude Code session with Vectimus blocking rm -rf, terraform destroy, DROP TABLE, force push and curl pipe to bash while allowing safe commands. The terraform destroy deny includes a suggested alternative: use terraform plan.

Every tool call still passes through 79 deterministic Cedar policies containing 380 rules, whether the agent asked for your permission or not. Credential access, destructive commands, MCP exfiltration patterns and dangerous content hidden in scripts. All caught at the hook layer before execution.

You get the speed of unrestricted mode. You lose the risk of an unmonitored agent running rm -rf /, leaking .env files or pushing to production without you noticing.

Skip permissions. Not governance.

The agent's permission model is one layer of defence. Vectimus is another.

When the first layer is removed, the second still holds. Hooks fire on every tool call regardless of what mode the agent runs in.

Permissions get skipped.

Whether by choice, by configuration, or by a team that needs to move fast. Vectimus is the layer that's still evaluating every tool call when that happens.

Full audit trail, even in yolo mode.

Every evaluated action is logged with the tool call, the policy result and a timestamp. When something goes wrong you can trace exactly what happened.

What you get

A safety net between the agent and the shell. Deterministic. Auditable. Yours.

Try before you enforce

Observe mode logs what would be blocked without stopping anything. Review the audit log, tune your policies, then flip the switch when you are ready.

Under 10ms. Every time.

Evaluates 79 Cedar policies in under 10ms end-to-end via the persistent daemon. ~3ms Cedar evaluation plus socket overhead. Or point clients at a shared server for team-wide policies.

Lock down MCP servers

Every MCP tool call is blocked by default. Approve servers one by one. Input inspection catches credential leaks and CI/CD tampering on approved servers.

Sees inside scripts too

When an agent writes a file or runs a script, Vectimus inspects the content line by line. Your shell policies catch dangerous commands whether they are typed directly or hidden in a script.

Override per project

Disable or change enforcement per project in .vectimus/config.toml. The directory is policy-protected so agents cannot tamper with overrides.

Nothing leaves your machine

Zero telemetry. All evaluation happens locally. Audit logs stay on disk. The optional server is self-hosted on your infrastructure.

Signed proof for every decision

Every evaluation produces a cryptographically signed receipt. Ed25519 signature over canonical JSON. If anyone tampers with the receipt, the signature breaks. No trust required.

  • Trace every deny. Every deny message includes a receipt ID. Look up exactly which policy fired and why.
  • Verify offline. vectimus verify receipt.json checks the Ed25519 signature without network access.
  • Tamper-evident. The signature covers the entire receipt including the policy set hash. Change one byte and verification fails.
  • Auto-managed. 7-day retention by default. The daemon cleans up old receipts automatically.
.vectimus/receipts/2026-03-22/vtms-bf387670.json
{
  "receipt_id": "vtms-bf387670-6abb-...",
  "timestamp": "2026-03-22T14:30:26Z",
  "action": {
    "tool": "Bash",
    "normalised_tool": "shell_command",
    "command_summary": "terraform destroy -auto-approve",
    "context_hash": "sha256:3d53dd78..."
  },
  "policy": {
    "policy_set_hash": "sha256:44c5a662...",
    "policy_pack_version": "0.2.0"
  },
  "decision": {
    "outcome": "DENY",
    "reason": "vectimus-infra-001",
    "evaluation_time_ms": 2.0
  },
  "signature": {
    "algorithm": "Ed25519",
    "public_key_id": "vtms-key-73ae52",
    "value": "base64:79rhTFMGNGi3fY..."
  }
}
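An added illustration of this receipt scheme in Go, not Vectimus's own code: it signs a constructed receipt shaped like the one above, verifies it offline, and shows that altering any covered field (including policy_set_hash) breaks verification. It assumes that canonical JSON means sorted keys with no whitespace and that the signature block is excluded from the signed bytes; the key ID is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Constructed sample shaped like the receipt on the page, minus its signature block.
const sampleReceipt = `{"receipt_id": "vtms-bf387670-6abb-...", "timestamp": "2026-03-22T14:30:26Z",
 "action": {"tool": "Bash", "normalised_tool": "shell_command", "command_summary": "terraform destroy -auto-approve",
            "context_hash": "sha256:3d53dd78..."}, "policy": {"policy_set_hash": "sha256:44c5a662...", "policy_pack_version": "0.2.0"},
 "decision": {"outcome": "DENY", "reason": "vectimus-infra-001", "evaluation_time_ms": 2.0}}`

// canonical serialises every member except "signature" as compact JSON with sorted keys
// (encoding/json sorts map keys), so signer and verifier sign identical bytes. This is an
// assumed canonicalisation for the illustration, not necessarily the one Vectimus uses.
func canonical(receipt map[string]any) ([]byte, error) {
	body := make(map[string]any, len(receipt))
	for k, v := range receipt {
		if k != "signature" {
			body[k] = v
		}
	}
	return json.Marshal(body)
}

// Sign attaches a signature block over the canonical body; keyID is a placeholder label.
func Sign(receipt map[string]any, priv ed25519.PrivateKey, keyID string) error {
	msg, err := canonical(receipt)
	if err != nil {
		return err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	receipt["signature"] = map[string]any{"algorithm": "Ed25519", "public_key_id": keyID, "value": "base64:" + sig}
	return nil
}

// Verify recomputes the canonical body and checks it against the embedded signature, with
// no network access. Any changed byte in a covered field, policy_set_hash included, fails.
func Verify(receipt map[string]any, pub ed25519.PublicKey) bool {
	sig, _ := receipt["signature"].(map[string]any)
	val, _ := sig["value"].(string)
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(val, "base64:"))
	if err != nil || len(raw) != ed25519.SignatureSize {
		return false
	}
	msg, err := canonical(receipt)
	return err == nil && ed25519.Verify(pub, msg, raw)
}
```

Because the signed bytes are rebuilt from the receipt's own fields, a verifier needs only the public key and the file, which is what makes offline checking possible.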

Policies backed by real incidents

Every built-in rule references the incident that made it necessary.

10 of 10 OWASP Agentic categories. Covered.

Policies across all domain packs map to the OWASP Top 10 for Agentic Applications.

Active rules

ASI01 Agent Goal Hijack

Exfiltration patterns intercepted

ASI02 Tool Misuse & Exploitation

Destructive commands blocked

ASI03 Identity & Privilege Abuse

Credential access detected

ASI04 Supply Chain Vulnerabilities

Lockfile and registry tampering blocked

ASI05 Unexpected Code Execution

Reverse shells and eval patterns caught

ASI06 Memory & Context Poisoning

Agent config file writes blocked

ASI07 Inter-Agent Communication

Parameter checks locally; session tracking in server mode

ASI08 Cascading Failures

Spawn floods and action rate spikes detected in server mode

ASI09 Human-Agent Trust Exploitation

Privilege delegation and dangerous spawn patterns blocked

ASI10 Rogue Agents

Log tampering and persistence blocked

Your team is already using it. Now make it official.

Already running Vectimus locally? Server mode gives your security team the same policies, centralised.

  • Team-wide policy enforcement — same Cedar policies, centrally managed
  • Shared audit logs with session tracking
  • API key auth with OAuth/OIDC planned

Join the waitlist to shape what comes next.

Compliance evidence built in

Every rule maps to real compliance controls via @controls annotations. When audit time comes, the evidence is already there.

OWASP Agentic Top 10

10 of 10
ASI01 ASI02 ASI03 ASI04 ASI05

All 10 categories enforced across 11 policy packs

SOC 2

6 criteria
CC6.1 CC6.6 CC6.8 CC7.2 CC7.3 CC8.1

Logical access, boundary protection, change management

NIST AI RMF

3 functions
GOVERN MEASURE MANAGE

Behaviour monitoring, risk mitigation, third-party risk

NIST CSF 2.0

8 subcategories
PR.DS PR.PS DE.CM GV.SC

Data security, platform security, continuous monitoring

EU AI Act

5 articles
Art. 9 Art. 12 Art. 13 Art. 14 Art. 15

Record-keeping, transparency, human oversight, cybersecurity

ISO 27001

8 controls
A.5.23 A.8.2 A.8.3 A.8.9 A.8.25

Organisational and technology controls for information security

SLSA

Level 2
L2

Supply chain integrity for build and distribution

CIS Controls

1 control
CIS-16

Application software security

Vectimus is the enforcement and audit layer for AI agent actions. It does not replace a full compliance programme. Each mapping is transparent about what is and is not covered.

How it works

Every tool call passes through Vectimus before execution. Run locally for zero-setup individual use, or point your clients at a shared server for team-wide policy enforcement.

Local mode (pipx install vectimus): Developer (Claude Code) or AI Application (LangGraph) → Vectimus Cedar Policy Engine → Decision: allow / deny → Audit Log (JSONL) + Signed Receipt (Ed25519)
  • Works with coding agents and Python agent frameworks
  • Persistent daemon. No network. Under 10ms.
  • Ed25519-signed receipt for every evaluation
Server mode (vectimus init --server-url https://...): Developer 1 and Developer 2 (Agent + Client, hooks forward) and AI Application (Google ADK) → HTTPS → Vectimus Server (shared Cedar policies, session tracking, API key auth with OAuth/OIDC planned, audit log + signed receipts) → Decision: allow / deny / escalate
  • Governs developers and AI applications from a single server
  • Stateful session tracking detects spawn floods and rate spikes
  • Signed receipts and shared audit log across the whole team

Start governing your AI agents today

Two commands. Under a minute. No account required.

Read the docs