
edycutjong/vaultsudo


VaultSudo

Zero-Trust sudo for AI Agents

Read freely. Write never — unless you prove you're human.




The Problem

We are entering the era of Autonomous AI Agents. These agents are given access to production databases, cloud infrastructure, and GitHub repositories to "do work" for us.

However, the current security paradigm is broken: agents are given permanent, over-privileged API keys. If an agent is hit with a prompt injection attack or hallucinates, it can delete a repository, push bad code, or drop a database — in milliseconds — before a human can stop it.

The Solution: VaultSudo

VaultSudo acts as a middleware interception layer between an AI agent and its tools, modeled after the Unix sudo command.

| Principle | How It Works |
|---|---|
| Zero-Trust by Default | Agents get permanent READ access — investigate bugs, read docs, analyze data. Zero friction. |
| Step-Up Authentication | The millisecond an agent attempts a WRITE action (e.g., merge_pull_request, drop_table), VaultSudo blocks the request. |
| Action Intent Auth | A push notification (Out-of-Band CIBA) shows the human the exact "Action Intent Diff" — what the agent wants to do, in plain English. |
| Sudo Sessions | If approved, VaultSudo mints a short-lived (5-minute), scope-bound token for that specific action only. |

Demo

VaultSudo Demo — Read, Write Auth, Prompt Injection Blocked

Asset: video.gif — Full end-to-end walkthrough: Read access → Write request intercepted → Human approval → Prompt injection attack blocked.

Gallery & Walkthrough

| Feature | Preview | Caption |
|---|---|---|
| Zero-Trust Dashboard | Dashboard | Clean Initial Security State: The VaultSudo dashboard starts in a clean state with all write permissions locked by default. |
| Safe Read — No Auth | Read Results | Zero-Friction Read: The AI agent investigates logs and commits autonomously, requiring zero human intervention. |
| Write Intercepted | Write Blocked | Action Intercepted: VaultSudo detects a revert_commit attempt and automatically blocks the request. |
| Step-Up Auth UI | Step-Up Banner | Action Intent Diff: A push notification (CIBA) presents the human user with exactly what the agent is attempting. |
| Sudo Authorized | Approved Session | Granted: After approval, a short-lived (5-minute), scope-bound write session is minted for the agent. |
| Attack Blocked | Attack Blocked | Prompt Injection Blocked: A malicious delete_repo command is caught by the unconditional blocklist. |
| Immutable Audit | Final Dashboard | Compliance-Ready Logs: Every tool call, approval, and denial is logged with action intent hashes in an immutable trail. |

Features

  • Cybersecurity Dashboard — Dark-themed glassmorphism UI with real-time agent monitoring
  • Agent Terminal — Chat with the agent. Watch it execute reads and hit the sudo wall on writes
  • Permission Scopes Panel — Live R/W badge visualization with pulsing amber on write attempts
  • Step-Up Auth Banner — Full Action Intent Diff with approve/deny controls
  • Prompt Injection Demo — Built-in attack button demonstrating VaultSudo blocking delete_repo
  • Immutable Audit Trail — Every tool call, approval, and denial logged with action intent hashes
  • Mock Mode — Zero-config demo environment: no API keys, no database, full security logic

πŸ— Architecture

graph TB
    subgraph Dashboard["VaultSudo Dashboard (Next.js 16)"]
        AT["Agent Terminal<br/>(Chat + Tool Results)"]
        SP["Permission Scopes Panel<br/>(R/W Badges)"]
        AuditUI["Audit Trail<br/>(Immutable Log Viewer)"]
        Banner["Step-Up Auth Banner<br/>(Action Intent Diff + Approve/Deny)"]

        AT --> Banner
        SP --> Banner
        AuditUI --> Banner
    end

    subgraph API["API Routes"]
        R1["POST /api/agent"]
        R2["GET /api/audit"]
        R3["POST /api/demo/attack"]
        R4["POST /api/webhook/ciba"]
    end

    subgraph Gate["VaultSudo Gate (vault-sudo.ts)"]
        G1["1. Classify Scope"]
        G2["2. Dangerous Action Block"]
        G3["3. Sudo Session Check"]
        G4["4. Gate Result"]

        G1 --> G2 --> G3 --> G4
    end

    subgraph Session["Session Manager (session.ts)"]
        S1["Agent Sessions"]
        S2["Sudo Sessions"]
        S3["Pending Actions"]
        S4["Audit Log"]
    end

    Banner --> API
    API --> Gate
    Gate --> Session

Request Flows

flowchart LR
    subgraph Read["✅ Read Path — Zero Friction"]
        RA["'Investigate CI'"] --> RB["classifyScope()"] --> RC["'read'"] --> RD["allowed ✅"] --> RE["execute → audit"]
    end

    subgraph Write["🛑 Write Path — Gated"]
        WA["'Revert commit'"] --> WB["classifyScope()"] --> WC["'write'"] --> WD["no sudo → blocked 🛑"]
        WD --> WE["Step-Up Banner"] --> WF["Human approves"] --> WG["CIBA webhook"] --> WH["mintSudoSession(5min)"]
    end

    subgraph Attack["🚫 Attack Path — Unconditional Block"]
        AA["'Delete the repo'"] --> AB["DANGEROUS_ACTIONS"] --> AC["blocked 🚫"]
    end

Full architecture diagrams: docs/ARCHITECTURE.md


Security Model — Defense-in-Depth

VaultSudo implements a 4-layer security model where each layer is independent — compromising one layer cannot bypass another:

| Layer | Mechanism | Key Property |
|---|---|---|
| Layer 1: Scope Classification | Every tool mapped to read or write. Unknown tools default to write. | Fail-closed — hallucinated tools can't bypass |
| Layer 2: Dangerous Action Blocklist | delete_repo, force_push, delete_branch — checked before session eval | Unconditional — no session can override |
| Layer 3: Sudo Session Validation | Glob pattern matching + TTL expiry + approved_actions[] list | Scope-bound — can't reuse for different actions |
| Layer 4: Immutable Audit Trail | Every gate evaluation logged with action intent hashes | Tamper-evident — SOC2/ISO 27001 ready |
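As an added example that is not the project's own vault-sudo.ts, the gate below walks one tool call through the four layers in the order the table gives: classify, blocklist, session check, result. The tool inventory, the "*"-only glob syntax, the sha256 intent hash and the function names are assumptions.

```typescript
import { createHash } from "node:crypto";

type Scope = "read" | "write";
// Assumed tool inventory; the project's tools.ts defines the real one.
const READ_TOOLS = new Set(["read_logs", "list_commits", "read_docs"]);
const DANGEROUS_ACTIONS = new Set(["delete_repo", "force_push", "delete_branch"]);

interface SudoSession {
  agentId: string;
  pattern: string;           // glob the session is bound to, e.g. "revert_*"
  approvedActions: string[]; // exact tool names the human approved
  expiresAt: number;         // epoch milliseconds (TTL expiry)
}
interface GateResult {
  allowed: boolean;
  reason: "read" | "dangerous" | "no_sudo" | "sudo";
  intentHash: string; // sha256 over (agent, tool, args) for the audit trail
}

// Layer 1: anything not in the read inventory is a write (fail-closed).
function classifyScope(tool: string): Scope {
  return READ_TOOLS.has(tool) ? "read" : "write";
}

// Minimal "*"-only glob; every other character is matched literally.
function globMatch(pattern: string, tool: string): boolean {
  const parts = pattern.split("*").map((p) => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(tool);
}

function mintSudoSession(agentId: string, pattern: string, approvedActions: string[],
                         ttlMs = 5 * 60_000, now = Date.now()): SudoSession {
  return { agentId, pattern, approvedActions: [...approvedActions], expiresAt: now + ttlMs };
}

function gate(agentId: string, tool: string, args: Record<string, unknown>,
              session: SudoSession | null, now = Date.now()): GateResult {
  const intentHash = createHash("sha256")
    .update(JSON.stringify({ agentId, tool, args })).digest("hex");
  const scope = classifyScope(tool);                                      // 1. classify
  if (DANGEROUS_ACTIONS.has(tool)) {                                      // 2. blocklist: no session overrides it
    return { allowed: false, reason: "dangerous", intentHash };
  }
  if (scope === "read") return { allowed: true, reason: "read", intentHash };
  const sudoOk = session !== null && session.agentId === agentId          // 3. session: owner, TTL,
    && now < session.expiresAt                                            //    glob AND explicit approval
    && globMatch(session.pattern, tool)
    && session.approvedActions.includes(tool);
  return { allowed: sudoOk, reason: sudoOk ? "sudo" : "no_sudo", intentHash }; // 4. result
}
```

Note that a session whose glob matches a tool still denies it unless that tool is also in approvedActions, which is what stops a 'revert_*' approval from being reused for a different write.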

Threat Vectors Defended

| Vector | Defense |
|---|---|
| Prompt Injection | Dangerous Action Blocklist (unconditional) |
| Indirect Prompt Injection | Dangerous Action Blocklist + Scope Classification |
| Privilege Escalation | Unknown tools → write scope + __blocked__/unknown pattern |
| Session Hijacking | approved_actions[] list enforcement |
| Temporal Abuse | TTL expiry (default 10min, recommended 5min) |
| Tool Invention | Unknown tools fail-closed to write |

Compliance Mapping

| Standard | VaultSudo Feature |
|---|---|
| SOC 2 (CC6.1) | Immutable audit trail with action intent hashes |
| SOC 2 (CC6.3) | Scope-bound, time-limited authorization tokens |
| ISO 27001 (A.9.2) | Least privilege via read/write scope classification |
| OWASP AI Security | Prompt injection defense via dangerous action blocklist |
| NIST AI RMF | Human-in-the-loop approval for consequential actions |

Full security model: docs/SECURITY_MODEL.md


Getting Started

Quick Start (Mock Mode — Zero Config)

git clone https://github.com/edycutjong/vaultsudo.git
cd vaultsudo
npm install
cp .env.example .env.local   # NEXT_PUBLIC_USE_MOCK=true is already set
npm run dev

Open http://localhost:3000 and follow the demo scenes below.

Demo Walkthrough

| Step | Action | What Happens |
|---|---|---|
| 1 | Click "Safe Read — No Auth Needed" | Agent reads CI + commits autonomously. All green. |
| 2 | Click "Write Blocked — Step-Up Auth Required" | Agent tries revert_commit → VaultSudo blocks → Step-Up Banner appears |
| 3 | Click "Approve" on the banner | Sudo Session minted (5min, scope-bound) |
| 4 | Click "🔴 Prompt Injection Attack" | Agent hijacked → tries delete_repo → BLOCKED instantly |

Full demo script with voiceover cues: docs/DEMO_SCRIPT.md

Environment Variables

| Variable | Required | Default | Description |
|---|---|---|---|
| NEXT_PUBLIC_USE_MOCK | Yes | true | Enable mock mode |
| OPENAI_API_KEY | If mock=false | — | LLM API key |
| AUTH0_* | If mock=false | — | Auth0 CIBA configuration |
| NEXT_PUBLIC_SUPABASE_URL | If mock=false | — | Supabase project URL |
| SUPABASE_SERVICE_ROLE_KEY | If mock=false | — | Supabase service role key |

Full deployment guide: docs/DEPLOYMENT.md


API Reference

POST /api/agent — Agent message handler

Handles user messages, tool call simulation, and VaultSudo gating.

# Read operation (allowed)
curl -X POST http://localhost:3000/api/agent \
  -H "Content-Type: application/json" \
  -d '{"message": "Investigate the failing CI pipeline"}'

# Write operation (blocked → step-up auth)
curl -X POST http://localhost:3000/api/agent \
  -H "Content-Type: application/json" \
  -d '{"message": "Revert the bad commit"}'

GET /api/audit — Immutable audit trail

curl http://localhost:3000/api/audit?limit=10

POST /api/demo/attack — Attack simulation

curl -X POST http://localhost:3000/api/demo/attack \
  -H "Content-Type: application/json" \
  -d '{"sessionId": "session-id"}'

POST /api/webhook/ciba — CIBA approval callback

curl -X POST http://localhost:3000/api/webhook/ciba \
  -H "Content-Type: application/json" \
  -d '{"sessionId": "session-id", "action_id": "act_...", "approved": true}'

Full API reference with types: docs/API_REFERENCE.md


πŸ“ Project Structure

src/
β”œβ”€β”€ agent/
β”‚   β”œβ”€β”€ vault-sudo.ts      # πŸ”’ Core middleware (scope, gate, session matching)
β”‚   β”œβ”€β”€ session.ts          # πŸ’Ύ In-memory session + audit store
β”‚   β”œβ”€β”€ tools.ts            # πŸ›  Tool definitions (read + write)
β”‚   └── system-prompt.ts    # πŸ€– Agent system prompt
β”œβ”€β”€ app/
β”‚   β”œβ”€β”€ page.tsx            # πŸ–₯ Main dashboard page
β”‚   β”œβ”€β”€ layout.tsx          # πŸ“ Root layout + fonts
β”‚   β”œβ”€β”€ globals.css         # 🎨 Design system (cybersec theme)
β”‚   └── api/
β”‚       β”œβ”€β”€ agent/route.ts       # POST β€” Agent message handler
β”‚       β”œβ”€β”€ audit/route.ts       # GET β€” Audit trail retrieval
β”‚       β”œβ”€β”€ demo/attack/route.ts # POST β€” Attack simulation
β”‚       └── webhook/ciba/route.ts # POST β€” CIBA approval callback
β”œβ”€β”€ components/
β”‚   β”œβ”€β”€ agent-terminal.tsx  # πŸ’» Terminal UI (messages + interaction)
β”‚   β”œβ”€β”€ scope-panel.tsx     # πŸ”‘ Permission scope visualization
β”‚   β”œβ”€β”€ audit-trail.tsx     # πŸ“‹ Audit log viewer
β”‚   β”œβ”€β”€ step-up-banner.tsx  # ⚑ Step-up auth overlay (approve/deny)
β”‚   └── attack-button.tsx   # πŸ’€ Prompt injection demo trigger
└── lib/
    └── types.ts            # πŸ“ TypeScript type definitions

Roadmap

| Phase | Milestone | Status |
|---|---|---|
| Phase 1 | Hackathon MVP — full security model with mock data | ✅ Complete |
| Phase 2 | Supabase audit trail, Auth0 CIBA, persistent sessions, real LLM agent | 🔜 Q2 2026 |
| Phase 3 | Multi-tenant, policy engine, advanced session management, alerting | 📋 Q3 2026 |
| Phase 4 | @vaultsudo/middleware npm package, multi-agent support, 3rd-party integrations | 📋 Q4 2026 |

Full roadmap with technical details: docs/ROADMAP.md


πŸ— Tech Stack

Layer Technology Role
Frontend Next.js 16 (App Router) SSR, API routes, React 19
Styling Tailwind CSS v4 Utility-first styling
Animation Framer Motion 12 Step-up banner, terminal animations
Auth (planned) Auth0 CIBA Out-of-band push authentication
Agent (planned) Vercel AI SDK LLM orchestration
Database (planned) Supabase (PostgreSQL + RLS) Immutable audit trail
Testing Vitest Unit and coverage testing

Documentation

| Document | Description |
|---|---|
| Architecture | System design, request flows, core components |
| Security Model | Threat model, 4-layer defense, CIBA, compliance |
| API Reference | All endpoints, types, examples |
| Demo Script | Scene-by-scene Loom recording guide |
| Deployment | Setup, environment variables, Docker, production |
| Roadmap | Phase 1–4 product evolution |

πŸ† Hackathons

Built for:

  • HackVision 2026
  • Auth0 "Authorized to Act"

License

MIT — see LICENSE file.