interposed
Hardware-rooted approval for AI agent actions. A per-host security daemon that gates every dangerous action your agents take behind a FIDO2 hardware-key touch.
Visit project →The challenge
An AI agent that can run shell commands can also delete your repo, exfiltrate your SSH keys, or wipe a database—a misconfigured prompt or an injection buried in a tool result is enough. Sandboxes break workflows, config files are plain text the agent can rewrite, and allow-lists rely on the agent's cooperation.
Our approach
A small daemon hooks the kernel (LSM-BPF on Linux), a broker enforces a policy sealed with your hardware key, and approvals go through any FIDO2 key. Catch the syscall, check it against your sealed trust list, and block until you tap to approve—once, or always. Anything not on the list waits; adding a path takes a physical touch, not a file edit.
Roadmap