Inspiration

We're entering the era of autonomous AI agents — but there's a massive security problem. Today, when you give an AI agent a GitHub token with repo scope, it can read your code, deploy it, delete branches, and revert commits — all with zero human oversight.

There is no equivalent of sudo for AI agents. No runtime permission gate. No "are you sure?" for autonomous systems.

When a prompt injection attack hijacks an agent, it can delete your entire repository in milliseconds. Organizations face an impossible choice: give agents full access (risky) or restrict them to uselessness (wasteful).

We thought: what if AI agents had to earn their write access, just like Unix processes need sudo?

What it does

VaultSudo is a zero-trust authorization middleware for AI agents, modeled after Unix sudo. It enforces a 4-layer defense-in-depth model:

  1. Read-Only by Default — Agents operate freely with read-only scopes (view repos, read CI logs, analyze commits). Zero friction for safe operations.

  2. Step-Up Authentication for Writes — When an agent attempts a write action (deploy, delete, modify), VaultSudo intercepts the request and triggers a CIBA push notification to the human operator. The notification includes a full Action Intent Diff — showing exactly what the agent is attempting — so the human makes an informed approval, not a blind tap.

  3. Sudo Sessions (Anti-Alert-Fatigue) — Just as real sudo caches your password for 15 minutes, VaultSudo grants time-bound, scope-bound write sessions. Approve once for a batch of related writes — not 10 separate push notifications.

  4. Dangerous Action Blocklist — Destructive actions like delete_repo, force_push, and delete_branch are blocked unconditionally — even if a valid Sudo Session exists. This is the last line of defense against compromised agents.

Every action — allowed, escalated, approved, denied, or blocked — is written to an immutable audit trail, providing the SOC2-compliant record enterprises require.

How we built it

Stack:

  • Next.js 16 (App Router) with React 19
  • Vercel AI SDK for simulated tool-calling agent
  • vaultSudoGate() — Custom middleware that intercepts every tool call at the execution layer
  • CIBA simulation — Client-Initiated Backchannel Authentication flow (Auth0-ready architecture)
  • Tailwind CSS v4 + Framer Motion for the real-time dashboard
  • Server-Sent Events (SSE) for streaming agent actions to the UI

Architecture: The LLM agent never holds API credentials directly. VaultSudo operates as middleware at the tool-calling layer:

  • Agent calls tool → vaultSudoGate() intercepts → classifies scope (read/write) → checks for dangerous actions → validates Sudo Session → allows or blocks
  • Unknown tools default to "write" scope (fail-closed design)
  • The dashboard streams every decision in real-time via SSE with color-coded severity
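The gate pipeline described above (classify scope, check the dangerous-action blocklist, validate the Sudo Session, allow or escalate, and write every outcome to the audit trail) together with the four layers listed under "What it does", as an added TypeScript example. This is not VaultSudo's own vaultSudoGate() implementation: the tool names in the scope map, the session shape, the 15-minute default TTL and the audit-record fields are assumptions made for the example.

```typescript
// Added example of a sudo-style tool-call gate; not VaultSudo's own code.
// Tool names, the session shape and the audit-record fields are assumptions.

type Scope = "read" | "write";
type Decision = "allowed" | "escalated" | "approved" | "denied" | "blocked";

interface SudoSession {
  operator: string;
  grantedAt: number;          // epoch milliseconds
  ttlMs: number;              // time-bound, like sudo's timestamp_timeout
  allowedTools: Set<string>;  // scope-bound: only these write tools are covered
}

interface AuditRecord {
  seq: number;
  at: number;
  tool: string;
  scope: Scope;
  decision: Decision;
  reason: string;
}

// Layer 1: explicit scope map (assumed tool names). A Map rather than a plain
// object, so a tool name such as "constructor" cannot resolve via Object.prototype.
const SCOPE_MAP = new Map<string, Scope>([
  ["list_repos", "read"],
  ["read_ci_logs", "read"],
  ["analyze_commits", "read"],
  ["deploy", "write"],
  ["create_branch", "write"],
  ["update_file", "write"],
]);

// Layer 4: blocked unconditionally, even inside a valid Sudo Session.
const DANGEROUS_ACTIONS = new Set(["delete_repo", "force_push", "delete_branch"]);

// Fail-closed: an unmapped (possibly injected) tool name is treated as a write.
function classifyScope(tool: string): Scope {
  return SCOPE_MAP.get(tool) ?? "write";
}

// Layer 3: a session covers a tool only while unexpired and only for the tools
// the operator approved as one batch.
function sessionCovers(session: SudoSession | null, tool: string, now: number): boolean {
  if (session === null) return false;
  if (now - session.grantedAt > session.ttlMs) return false;
  return session.allowedTools.has(tool);
}

// Append-only log; callers only ever receive copies of the records.
class AuditTrail {
  private readonly records: AuditRecord[] = [];
  append(entry: Omit<AuditRecord, "seq">): AuditRecord {
    const record: AuditRecord = { seq: this.records.length, ...entry };
    this.records.push(record);
    return record;
  }
  all(): AuditRecord[] {
    return this.records.map((r) => ({ ...r }));
  }
}

// The gate, in the order the architecture bullet gives: classify -> dangerous
// check -> session check -> allow or escalate. Every outcome is audited.
function vaultSudoGate(tool: string, session: SudoSession | null, audit: AuditTrail, now: number = Date.now()): Decision {
  const scope = classifyScope(tool);
  let decision: Decision;
  let reason: string;
  if (DANGEROUS_ACTIONS.has(tool)) {
    decision = "blocked";
    reason = "on dangerous action blocklist";
  } else if (scope === "read") {
    decision = "allowed";
    reason = "read-only scope";
  } else if (sessionCovers(session, tool, now)) {
    decision = "approved";
    reason = "covered by active Sudo Session";
  } else {
    decision = "escalated";
    reason = "write requires step-up approval";
  }
  audit.append({ at: now, tool, scope, decision, reason });
  return decision;
}

// Layer 2 outcome: the operator's answer to the step-up request either opens a
// time- and scope-bound session for the batch of related writes or is recorded
// as a denial. Dangerous actions are never admitted into a session.
function resolveStepUp(approved: boolean, operator: string, batch: string[], audit: AuditTrail,
                       now: number = Date.now(), ttlMs: number = 15 * 60 * 1000): SudoSession | null {
  const tools = batch.filter((t) => !DANGEROUS_ACTIONS.has(t));
  if (!approved) {
    for (const t of tools) {
      audit.append({ at: now, tool: t, scope: "write", decision: "denied", reason: "operator denied step-up" });
    }
    return null;
  }
  return { operator, grantedAt: now, ttlMs, allowedTools: new Set(tools) };
}
```

The scope map is a Map rather than an object literal on purpose: with a plain object, a tool name like "constructor" or "toString" would resolve through Object.prototype and skip the fail-closed default. The blocklist is checked before the session so that a session approved for "deploy" can never be widened into "delete_repo" by the agent.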

Key engineering challenges solved:

  • LLM Wait-State: Pausing the agent mid-thought while waiting for human approval, then resuming seamlessly
  • Fail-Closed Security: Unknown tools are treated as write operations to prevent privilege escalation via tool injection
  • Alert Fatigue: Sudo Sessions batch related writes under a single approval, preventing notification overload

Challenges we ran into

  • Pausing an LLM mid-thought: The agent needs to stop, wait for human approval (potentially minutes), then resume with full context. We solved this with a pending state that returns { status: "pending_human_approval" } to the agent context, with SSE-based webhook resumption.
  • Scope classification for unknown tools: An attacker could inject a new tool name to bypass the scope map. We solved this with a fail-closed default — if a tool isn't explicitly mapped, it's treated as a write operation.
  • Making security feel fast: Zero-friction reads must feel instant, while write blocks must feel protective, not annoying. The real-time dashboard with color-coded actions and the Action Intent Diff banner solve this UX challenge.

Accomplishments that we're proud of

  • The prompt injection demo is real: We built a working attack simulation where the agent gets hijacked into attempting delete_repo — and VaultSudo catches it instantly. The demo writes itself.
  • Defense-in-depth actually works: 4 independent security layers mean that even if one fails, the system stays safe.
  • The sudo metaphor landed: Every developer immediately understands what VaultSudo does. Zero explanation needed.
  • Solo build in under a week: Full Next.js 16 app with real-time streaming, simulated CIBA auth flow, immutable audit trail, and a polished dashboard — built by one developer.

What we learned

  • Fail-closed is non-negotiable: The moment you default unknown tools to "read" scope, you've created a privilege escalation attack surface. Security must be restrictive by default.
  • Alert fatigue kills security products: Without Sudo Sessions (batched approvals), users would disable VaultSudo within a day. The sudo password-caching metaphor from Unix is genuinely brilliant design.
  • The "failure demo" is the feature: Most hackathon demos show things working. VaultSudo's hero moment is things failing gracefully — an agent being blocked by a security wall is more compelling than an agent completing a task.

What's next for VaultSudo

  • Production Auth0 CIBA integration — Replace simulated approval buttons with real push notifications to mobile devices
  • Supabase PostgreSQL audit trail — Migrate from in-memory store to persistent, RLS-protected database with tamper detection
  • Real GitHub API integration — Connect to live GitHub APIs via Vercel AI SDK tool calling
  • npm package — Publish @vaultsudo/middleware so any AI agent framework can integrate VaultSudo in one line
  • SHA-256 action intent hashing — Cryptographic tamper detection to verify approved actions match executed actions
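The last roadmap item, hashing the approved action intent so that what the operator approved can be checked against what actually executes, as an added TypeScript example. It is not VaultSudo's code (the feature is listed as future work); the intent shape, the canonical-JSON scheme and the approval record are assumptions chosen for the example, and the check is the general pattern of binding an approval to a digest of the exact parameters.

```typescript
// Added example, not VaultSudo's code: SHA-256 binding of an approval to the
// exact action intent, so a post-approval change to tool or arguments is caught.
import { createHash } from "node:crypto";

// Assumed intent shape: the tool name plus its arguments.
interface ActionIntent {
  tool: string;
  args: Record<string, unknown>;
}

interface Approval {
  intentHash: string;  // hex SHA-256 of the canonical intent
  operator: string;
  approvedAt: number;  // epoch milliseconds
}

// Canonical JSON: object keys sorted recursively so that semantically equal
// intents hash identically regardless of key order; undefined becomes null so
// the serializer never yields a non-string.
function canonicalize(value: unknown): string {
  if (value === undefined) return "null";
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k]))
      .join(",") + "}";
  }
  return JSON.stringify(value);
}

function intentHash(intent: ActionIntent): string {
  return createHash("sha256").update(canonicalize(intent), "utf8").digest("hex");
}

// Recorded at approval time, alongside the Action Intent Diff the operator saw.
function approve(intent: ActionIntent, operator: string, now: number = Date.now()): Approval {
  return { intentHash: intentHash(intent), operator, approvedAt: now };
}

// Called at execution time: recompute the digest of what is about to run and
// compare it with what was approved. Any drift in tool or arguments fails.
function verifyApprovedAction(approval: Approval, executing: ActionIntent): boolean {
  return approval.intentHash === intentHash(executing);
}
```

The digest covers the tool name as well as the arguments, so an approval for "deploy" cannot be replayed against a different tool with the same arguments, and a change to a single argument (for example the target environment) after the operator tapped approve produces a different digest and a failed check.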

Built With

  • auth0-ciba
  • framer-motion
  • next.js
  • react
  • server-sent-events
  • supabase
  • tailwind-css
  • typescript
  • vercel-ai