78 policies. 369 rules. Zero config.
Two commands. 78 policies.
Your agents governed before they execute.
Govern your AI agents in under a minute.
Open source. Zero config.
Open source governance for AI agents. Developer first. Enterprise ready.
Deterministic. Local. Under 5 ms.
Browse all 78 policies
Apache 2.0. No telemetry. No account required.
Works with your tools
vectimus init detects installed tools and configures hooks automatically. Agent frameworks get native Python integrations.
AI Coding Tools
Claude Code
Shell commands, file writes, MCP calls and web fetches — all intercepted before execution.
Full support
Cursor
Shell commands, file reads and writes, and MCP tool calls governed at the editor level.
Full support
GitHub Copilot
Terminal commands, file edits, deletes and git pushes intercepted before execution.
Full support
Gemini CLI
Shell commands, file reads and writes governed through Gemini's native hook system.
Full support
Agent Frameworks
Claude Agent SDK
Agents built with the Claude Agent SDK are governed through the same hook system as Claude Code. Zero extra config.
Full support
Google ADK
Runner plugin or per-agent callback governs every tool call in Google Agent Development Kit agents.
Full support
LangGraph
Middleware wraps ToolNode to evaluate every LangChain tool call. MCP interceptor governs external servers.
Full support
Two commands. Immediate guardrails.
78 policies active out of the box. Disable or override per project when you need to.
Governance you can't inspect isn't governance
Vectimus is open source because security tooling should be auditable by the people who rely on it.
Readable and auditable
Every policy is a plain Cedar file you can read, fork and modify. No proprietary rule engines, no black boxes.
No vendor lock-in
Apache 2.0 licensed. Use it, extend it, contribute back; or don't. Your governance layer belongs to you.
Everything stays local
All evaluation happens on your machine. No telemetry, no cloud calls, nothing leaves your environment.
Show your CISO the source
When your security team asks how agent governance works, show them the Cedar policies line by line.
This is already happening
AI agents with unrestricted tool access have caused real damage. These incidents motivated every policy in the base pack.
Clinejection
February 2026 | 4,000+ developers compromised
A malicious MCP server instructed AI coding agents to publish backdoored npm packages. No governance layer existed between the agent's intent and npm publish.
Terraform destroy
January 2026 | 6-hour production outage
An AI agent ran terraform destroy -auto-approve against production state. The command completed in 30 seconds, destroying databases and compute instances.
Cursor .env leak
November 2025 | AWS credentials exposed
An AI agent in Cursor read .env to 'check the config' and included AWS keys in its response context. The keys were visible in the conversation history and potentially sent to third-party logging.
drizzle-kit push
February 2026 | 60+ production tables dropped
An AI agent ran drizzle-kit push against a production database on Railway. The ORM bypassed interactive confirmation, dropping 60+ tables in seconds.
Your agents skipped permissions. Vectimus didn't.
Claude Code's --dangerously-skip-permissions, Cursor's yolo mode, Copilot's auto-run. You use them because confirmation prompts break your flow.
But when you skip the agent's built-in checks, nothing sits between the model and your shell.
Vectimus does.
Every tool call still passes through 78 deterministic Cedar policies containing 369 rules, whether the agent asked for your permission or not. Credential access, destructive commands, MCP exfiltration patterns and dangerous content hidden in scripts. All caught at the hook layer before execution.
You get the speed of unrestricted mode. You lose the risk of an unmonitored agent running rm -rf /, leaking .env files or pushing to production without you noticing.
Skip permissions. Not governance.
The agent's permission model is optional. Vectimus policies are not.
Hooks fire on every tool call regardless of what mode your agent is running in.
You were going to skip permissions anyway.
We'd rather you did it with 78 policies watching your back than with nothing at all.
Full audit trail, even in fast mode.
Every evaluated action is logged with the tool call, the policy result and a timestamp. When something goes wrong you can trace exactly what happened.
What you get
A safety net between the agent and the shell. Deterministic. Auditable. Yours.
Try before you enforce
Observe mode logs what would be blocked without stopping anything. Review the audit log, tune your policies, then flip the switch when you are ready.
Under 5ms. Every time.
Evaluates 78 Cedar policies in under 5ms. No network, no daemon, no waiting. Or point clients at a shared server for team-wide policies.
Lock down MCP servers
Every MCP tool call is blocked by default. Approve servers one by one. Input inspection catches credential leaks and CI/CD tampering on approved servers.
Sees inside scripts too
When an agent writes a file or runs a script, Vectimus inspects the content line by line. Your shell policies catch dangerous commands whether they are typed directly or hidden in a script.
Override per project
Disable or change enforcement per project in .vectimus/config.toml. The directory is policy-protected so agents cannot tamper with overrides.
Nothing leaves your machine
Zero telemetry. All evaluation happens locally. Audit logs stay on disk. The optional server is self-hosted on your infrastructure.
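A minimal sketch of the pre-execution check described under "Sees inside scripts too", "Try before you enforce" and the audit trail above, added here for illustration. It is not Vectimus code and does not use Cedar; the rule names, regexes, `evaluate` function and `AUDIT_LOG` list are assumptions.

```python
import re
import time

# Constructed deny rules for illustration only; not Vectimus policies or Cedar.
DENY_RULES = [
    ("rm-rf-root", re.compile(r"\brm\s+-\w*r\w*\s+/(?:\s|$)")),
    ("terraform-destroy", re.compile(r"\bterraform\s+destroy\b")),
    ("npm-publish", re.compile(r"\bnpm\s+publish\b")),
    ("env-file-read", re.compile(r"\b(?:cat|less|head|tail)\s+\S*\.env\b")),
]

AUDIT_LOG = []  # in-memory stand-in for an on-disk audit log


def evaluate(tool, payload, mode="enforce"):
    """Check a tool call before execution.

    tool -- "shell" (payload is the command) or "file_write" (payload is
            the content about to be written, e.g. a script)
    mode -- "enforce" denies on a match; "observe" only records it
    """
    findings = []
    # A one-line command and a multi-line script go through the same loop,
    # so the same rules apply whether the command is typed or written to a file.
    for lineno, line in enumerate(payload.splitlines(), start=1):
        for rule_id, pattern in DENY_RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule_id})
    would_block = bool(findings)
    record = {
        "ts": time.time(),
        "tool": tool,
        "mode": mode,
        "would_block": would_block,
        "decision": "deny" if would_block and mode == "enforce" else "allow",
        "findings": findings,
    }
    AUDIT_LOG.append(record)  # every evaluation is logged, allowed or not
    return record


if __name__ == "__main__":
    script = "#!/bin/sh\necho deploying\nterraform destroy -auto-approve\n"  # constructed
    print(evaluate("shell", "rm -rf /")["decision"])
    print(evaluate("file_write", script)["findings"])
    print(evaluate("file_write", script, mode="observe")["decision"])
```

Regex matching is used here only to keep the sketch short; the page states that Vectimus itself evaluates Cedar policies.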
Policies backed by real incidents
Every built-in rule references the incident that made it necessary.
10 of 10 OWASP Agentic categories. Covered.
Policies across all domain packs map to the OWASP Top 10 for Agentic Applications.
Active rules
Exfiltration patterns intercepted
Destructive commands blocked
Credential access detected
Lockfile and registry tampering blocked
Reverse shells and eval patterns caught
Agent config file writes blocked
Parameter checks locally; session tracking in server mode
Spawn floods and action rate spikes detected in server mode
Privilege delegation and dangerous spawn patterns blocked
Log tampering and persistence blocked
Your team is already using it. Now make it official.
Already running Vectimus locally? Server mode gives your security team the same policies, centralised.
- Team-wide policy enforcement — same Cedar policies, centrally managed
- Shared audit logs with session tracking
- API key auth with OAuth/OIDC planned
Join the waitlist to shape what comes next.
Compliance evidence built in
Every rule maps to real compliance controls via @controls annotations.
When audit time comes, the evidence is already there.
SOC 2
6 criteria
Logical access, boundary protection, change management
NIST AI RMF
3 functions
Behaviour monitoring, risk mitigation, third-party risk
EU AI Act
5 articles
Record-keeping, transparency, human oversight, cybersecurity
Vectimus is the enforcement and audit layer for AI agent actions. It does not replace a full compliance programme. Each mapping is transparent about what is and is not covered.
How it works
Every tool call passes through Vectimus before execution. Run locally for zero-setup individual use, or point your clients at a shared server for team-wide policy enforcement.
- Works with coding agents and Python agent frameworks
- Stateless. No network. Under 5ms.
- Parameter-level Cedar policy checks
- Governs developers and AI applications from a single server
- Stateful session tracking detects spawn floods and rate spikes
- Shared policies and audit log across the whole team
Start governing your AI agents today
Two commands. Under a minute. No account required.