Project Story

Inspiration

Over the last nine months we researched AI agents and built prototypes across many frameworks. During this process we discovered recurring security gaps, particularly prompt injection vulnerabilities, in some of the most widely used LLM products. We found exploitable pathways in systems like Canva AI, Snapchat AI, and Vercel's v0. These issues revealed a core problem. Current LLM deployments are confined to restrictive sandboxes. While those sandboxes reduce risk, they also prevent agents from operating as autonomous systems with meaningful tool access.

This challenge led us to build Conduit, a way to let agents call tools safely without giving up flexibility.


What it does

Conduit acts as a gateway between AI agents and the external tools they use. Instead of agents invoking APIs directly, every request is routed through Conduit. Within this system, Conduit:

  • Authenticates the agent with Ed25519 signatures and short-lived credentials
  • Validates requests against policies that can allow, deny, or require human approval
  • Runs prompt injection checks before and after tool calls
  • Provides a human-in-the-loop console where people can review and approve or deny requests

The result is a system that supports safe, auditable, and flexible agent behavior without being tied to any specific model provider or orchestration framework.


How we built it

  • Server: Node.js with Express, connected to Supabase through Prisma
  • Security: All agent requests are signed with Ed25519. Conduit verifies signatures, enforces timestamp and nonce replay protection, and uses short-lived tokens
  • Policy engine: A JSON-based DSL that lets teams define guardrails for agents or tenants
  • Injection detection: Pre-call and post-call checks for adversarial instructions or sensitive data leakage
  • Human approval UI: A React application that lists pending approvals, shows redacted arguments and results, and allows approval or denial
  • SDK: A lightweight Node package that helps developers register agents, sign requests, and send tool calls through Conduit

Challenges we ran into

  • Designing an authentication model that is secure while remaining easy for developers to adopt
  • Balancing strict policy enforcement with human overrides so agents are not blocked unnecessarily
  • Building prompt injection checks that run quickly enough for inline use but still catch real threats
  • Keeping Conduit agnostic to model providers and orchestration frameworks so it works with OpenAI, Anthropic, Gemini, LangGraph, CrewAI, MCP, and others

Accomplishments that we are proud of

  • Showing that a gateway can enable flexible agent behavior while maintaining strong safety guarantees
  • Creating a policy system that is expressive but still practical for developers and security teams
  • Building a human-in-the-loop workflow that connects directly to the gateway for real-time interventions

What we learned

  • Agent security cannot rely only on model providers and needs infrastructure-level enforcement
  • Developers prefer simplicity in SDKs and APIs, and value clear defaults over unnecessary flexibility
  • Prompt injection is a real barrier to safe deployment and must be addressed at the system level

What's next for Conduit

  • Expanding policy rules to cover richer conditions such as time limits, cost ceilings, and resource quotas
  • Adding enterprise integrations like Slack and Teams approvals, SOC dashboards, and compliance reporting
  • Building a larger set of pre-vetted tool adapters that connect seamlessly through Conduit
  • Continuing research on post-call sanitization so outputs can be safely redacted before reaching agents

Built With

  • bcrypt
  • ed25519-certificates
  • elevenlabs
  • express.js
  • json-canonicalization-scheme
  • jwts
  • lucide-react
  • mcp
  • ndjson-streaming
  • noble/ed25519
  • node-fetch
  • node.js
  • openai
  • postgresql
  • prisma
  • react-18
  • stripe
  • supabase
  • tailwind-css
  • tenant-api-keys
  • ts-node
  • tsx
  • typescript
  • vite
  • zod
Share this project:

Updates