{"version": 2, "width": 98, "height": 42, "timestamp": 1781308800, "title": "Vigil: stop your AI agent leaking a secret (all local)", "env": {"TERM": "xterm-256color", "SHELL": "/bin/bash"}}
[0.4, "o", "$ vigil-hub demo\r\n"]
[1.16, "o", "\r\n"]
[1.3199999999999998, "o", "  ============================================================\r\n"]
[2.7800000000000002, "o", "  VIGIL DEMO - in-memory, planted scenario, NOT guarding real yet\r\n"]
[2.9400000000000004, "o", "  ============================================================\r\n"]
[3.1000000000000005, "o", "  Real Vigil runtime code paths (firewall / redaction / audit).\r\n"]
[3.2600000000000007, "o", "  Only the external model/tool provider is simulated - no LLM is contacted.\r\n"]
[3.420000000000001, "o", "\r\n"]
[3.580000000000001, "o", "  A demo secret - freshly generated locally for this run (never leaves this process):\r\n"]
[3.740000000000001, "o", "    github_pat = ghp_3d7490346b9c31edfdd842618f7129bb857d\r\n"]
[3.9000000000000012, "o", "  Watch: it reaches the tool, but the model & audit never see it.\r\n"]
[4.060000000000001, "o", "\r\n"]
[5.520000000000001, "o", "  [1] default-deny: agent puts the RAW secret in the tool call\r\n"]
[5.6800000000000015, "o", "    tool=github.create_issue  -> Vigil firewall: DENY  (rule=github_token)  decision_id=e4d8541c-aaa\r\n"]
[5.840000000000002, "o", "    -> Vigil refuses to forward a raw secret to a tool/upstream.\r\n"]
[6.000000000000002, "o", "\r\n"]
[7.460000000000002, "o", "  [2] the Vigil way: the agent passes a PLACEHOLDER instead\r\n"]
[7.620000000000002, "o", "    firewall: needs approval -> [you approve once] -> ALLOW\r\n"]
[7.780000000000002, "o", "    What the REMOTE MODEL saw (args, as sent to the model boundary):\r\n"]
[7.940000000000002, "o", "      {\"token\":\"secret://github_pat\"}\r\n"]
[8.100000000000001, "o", "          plaintext secret? NO\r\n"]
[8.260000000000002, "o", "      [no LLM is contacted in this demo - this is the exact payload Vigil would forward]\r\n"]
[8.420000000000002, "o", "\r\n"]
[8.580000000000002, "o", "    What the LOCAL TOOL received (detokenized, in-memory only):\r\n"]
[8.740000000000002, "o", "      {\"token\":\"ghp_3d7490346b9c31edfdd842618f7129bb857d\"}\r\n"]
[8.900000000000002, "o", "          contains real value? YES\r\n"]
[9.060000000000002, "o", "\r\n"]
[9.220000000000002, "o", "    The tool's result LEAKED a credential; Vigil re-redacted it (Slice 1):\r\n"]
[9.380000000000003, "o", "      {\"debug_trace\":\"authenticated with [REDACTED github_token] (internal)\",\"issue_url\":\"[REDACTED generic_url]\",\"ok\":true}\r\n"]
[9.540000000000003, "o", "          plaintext secret back to model? NO\r\n"]
[9.700000000000003, "o", "\r\n"]
[11.160000000000004, "o", "  [3] tamper-evident audit ledger (no plaintext secrets stored)\r\n"]
[11.320000000000004, "o", "      0001 sha256:5ca2837f55f3  decision.recorded\r\n"]
[11.480000000000004, "o", "      0002 sha256:2c3a4a5dfa41  raw_secret_attempt_detected\r\n"]
[11.640000000000004, "o", "      0003 sha256:722a74ad0279  approval.created\r\n"]
[11.800000000000004, "o", "      0004 sha256:c502469de8b6  approval.resolved\r\n"]
[11.960000000000004, "o", "      0005 sha256:d097c355db92  decision.recorded\r\n"]
[12.120000000000005, "o", "      0006 sha256:8012b9e9c96e  tool_call.opened\r\n"]
[12.280000000000005, "o", "      0007 sha256:d6b2c5c82e4f  tool_call.decided\r\n"]
[12.440000000000005, "o", "      0008 sha256:f7de44930882  secret.leak_detected\r\n"]
[12.600000000000005, "o", "      0009 sha256:8099fc43459d  tool_call.executed\r\n"]
[12.760000000000005, "o", "    hash chain valid: YES        plaintext secret in audit: NO\r\n"]
[12.920000000000005, "o", "\r\n"]
[13.080000000000005, "o", "    (run `vigil-hub demo --tamper` to alter a ledger row and watch verification FAIL)\r\n"]
[13.240000000000006, "o", "\r\n"]
[13.400000000000006, "o", "  ============================================================\r\n"]
[14.860000000000007, "o", "  What just happened\r\n"]
[15.020000000000007, "o", "  ============================================================\r\n"]
[15.180000000000007, "o", "    Remote model saw:     secret://github_pat\r\n"]
[15.340000000000007, "o", "    Local tool received:  the real secret, only at the execution boundary\r\n"]
[15.500000000000007, "o", "    Tool result returned: re-redacted (no secret back to the model)\r\n"]
[15.660000000000007, "o", "    Firewall:             default-deny + explicit approval\r\n"]
[15.820000000000007, "o", "    Audit ledger:         hash-chain valid, no plaintext secrets\r\n"]
[15.980000000000008, "o", "\r\n"]
[16.140000000000008, "o", "    The agent did useful work with a real secret - while the model,\r\n"]
[16.300000000000008, "o", "    logs, and audit never received the real value.\r\n"]
[16.460000000000008, "o", "\r\n"]
[16.620000000000008, "o", "    Philosophy:  local control plane / no token passthrough / fail-closed\r\n"]
[16.78000000000001, "o", "                 / audit everything / you stay in control\r\n"]
[16.94000000000001, "o", "\r\n"]
[17.10000000000001, "o", "    This was a planted scenario with a locally-generated fixture. The redaction,\r\n"]
[17.26000000000001, "o", "    firewall, and audit above are Vigil's real runtime code - only the model/tool\r\n"]
[17.42000000000001, "o", "    provider was simulated.\r\n"]
[17.58000000000001, "o", "\r\n"]
[17.74000000000001, "o", "    Protect your real agent:\r\n"]
[17.90000000000001, "o", "      vigil-hub serve --stdio      # point Claude Code / Codex / Cursor at it\r\n"]
[19.90000000000001, "o", ""]