vectimus

# Vectimus

**Cedar policies for every AI agent action. Coding tools and agentic frameworks. Every evaluation under 10ms. Zero config.**

[![PyPI](https://img.shields.io/pypi/v/vectimus)](https://pypi.org/project/vectimus/)
[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
[![CI](https://github.com/vectimus/vectimus/actions/workflows/ci.yml/badge.svg)](https://github.com/vectimus/vectimus/actions)
[![Python](https://img.shields.io/badge/python-3.12%2B-blue.svg)](https://pypi.org/project/vectimus/)

<p align="center">
  <img src="demo.gif" alt="Claude Code session with Vectimus blocking rm -rf, terraform destroy and force push while allowing safe commands" width="720">
</p>

## Install

```bash
pipx install vectimus
vectimus init
```

That's it.  Cedar policies evaluate every tool call - whether from a coding agent in your terminal or a framework agent in production.  Dangerous commands, secret access, infrastructure changes and supply chain attacks blocked before execution.

## What it catches

Every policy references the real-world incident that motivated it.  No "best practice" filler.

| Pack | What it blocks | Example |
|------|---------------|---------|
| **Destructive Ops** | `rm -rf`, `terraform destroy`, `docker system prune` | Production wipe prevention |
| **Secrets** | Credential file access, env variable exposure | `.env`, AWS keys, SSH keys |
| **Supply Chain** | `npm publish`, `pip install` from URLs, registry tampering | Clinejection-class attacks |
| **Infrastructure** | `terraform apply`, `kubectl delete`, cloud CLI mutations | Unreviewed infra changes |
| **Code Execution** | `eval()`, `exec()`, unsafe interpreter invocations | Code injection via agents |
| **Data Exfiltration** | `curl` to external hosts, file upload, data piping | Credential theft, data leakage |
| **File Integrity** | Writes to `.vectimus/`, sensitive config paths | Governance tampering |
| **Database** | Direct database CLI access, credential har