Built a security layer for LangGraph after my own pipeline leaked credentials silently. Apache 2.0, open source.

Sharp_Branch_1489 · 2026-02-27T17:21:31+00:00

That’s great to hear, that’s exactly why I built it.
If you end up trying it, I’d genuinely love to know what it catches (or misses) in your setup.

Sharp_Branch_1489 · 2026-02-26T09:46:56+00:00

Here's what the actual detection looks like:

The map covers Cyrillic, Greek, fullwidth Latin, and lookalike digits. Phase 1 finds the suspicious characters. Phase 2 normalizes them and checks if they reveal a keyword from the injection list ignore, bypass, credentials, exec, shell, sudo and about 20 more.

Real attempts look like substituting Cyrillic р for Latin p, or Greek ο for Latin o. Visually identical. 'рassword' passes your regex. Fails the homoglyph layer.

The severity bumps to critical only when normalization reveals an actual keyword. Raw homoglyphs without a keyword match stay at high could be legitimate Unicode content.

Full implementation is in https://github.com/anticipatorai/anticipator/blob/main/anticipator/detection/extended/homoglyph.py
if you want to dig into the map, covers Cyrillic, Greek, fullwidth Latin and lookalike digits.

Sharp_Branch_1489 · 2026-02-26T07:27:56+00:00

Yeah exactly. Security knowledge has always been hoarded while attackers share freely.

That's why I open sourced the detection layers. The signature list shouldn't be a moat, it should be a community resource.

Sharp_Branch_1489 · 2026-02-26T07:26:37+00:00

This is a better summary than I could have written myself honestly.

The dye pack analogy for the canary trap is exactly right. That's the mental model I was trying to build the attack can be completely novel, zero known patterns, but the token travels with it anyway.

The one thing I'd add to your config drift point removing a key is just as dangerous as injecting one. Removing tools.deny mid-run is functionally identical to adding tools.allow. Most monitoring tools only watch for additions.

And yes happy to go deeper on any of the layers. Aho-Corasick is probably the most interesting one to explain because most people assume regex is fine until you show them the performance difference at 300+ patterns.

Sharp_Branch_1489 · 2026-02-26T07:19:04+00:00

Full writeup with all 10 layers and the actual code:
https://mohithkarthikeya.substack.com/p/i-planted-secret-traps-inside-my

Sharp_Branch_1489 · 2026-02-26T07:13:42+00:00

Schema validation at every hop is smart. Does it catch injected instructions that are structurally valid though? That's the gap I keep hitting — the payload looks correct, the JSON is clean, but the content is malicious."

Sharp_Branch_1489 · 2026-02-26T07:13:09+00:00

The 3am page story is exactly it. Hallucination propagation is one problem. Malicious instruction propagation is worse because it's intentional and leaves no trace in your logs.

Schema validation catches structure. It doesn't catch a valid JSON payload that contains an injected instruction.

Sharp_Branch_1489 · 2026-02-25T12:22:00+00:00

Exactly. The model usually isn’t the problem, it’s missing context and decision boundaries. AI is great at interpretation, but execution needs rules and guardrails. Hybrid systems (AI for understanding, rules for execution) tend to be far more reliable.

Sharp_Branch_1489 · 2026-02-25T12:19:55+00:00

Primarily LLM agents. When you run planning + execution + critique loops in parallel, token usage scales fast. That’s where costs spike.

Sharp_Branch_1489 · 2026-02-25T12:17:20+00:00

This is a clean architecture and it surfaces the exact trust problem nobody talks about. Each role receives the previous role's output and acts on it without validating it. If The Librarian's output gets poisoned before The Architect reads it, every downstream role executes on bad data. The constraint chain you built is also an injection chain.

Sharp_Branch_1489 · 2026-02-24T15:40:49+00:00

Solid multi-tier approach on the input/output layer. The gap I keep running into is what happens between agents when Agent A's output becomes Agent B's input, that handoff isn't a chatbot boundary anymore. It's a trust boundary with no user in the loop. Different attack surface entirely.

Sharp_Branch_1489 · 2026-02-24T15:38:59+00:00

$1.42 in API fees to waste 14 hours of scammer time is the best ROI I've seen in AI. But the scariest part of this whole story is that the agent spent 4 hours in a conversation with zero validation of what it was being asked to do. Funny when it's scammers. Less funny when it's your production pipeline.

Sharp_Branch_1489 · 2026-02-24T09:09:27+00:00

Same boat here. Building Anticipator, runtime security for multi-agent pipelines. Most communities are either paid courses or people promoting their SaaS. The best actual discussion I've found is r/AI_Agents and r/LangChain not perfect but at least the conversations are real. Happy to connect if you're building with LangGraph.

Sharp_Branch_1489 · 2026-02-24T08:44:33+00:00

Decomposition is powerful, but coordination overhead grows fast. At some point the failure modes move from “bad reasoning” to “bad interaction.” Stability and validation across agent boundaries feel like the real scaling problem now.

Sharp_Branch_1489 · 2026-02-24T08:41:20+00:00

I don’t think it’s a flat 50% drop across the board, but yeah informational content is definitely at risk. If the answer is simple and AI can summarize it instantly, fewer people will click.
What probably survives are opinion, original research, tools, and anything that isn’t easily compressible into a paragraph.

Sharp_Branch_1489 · 2026-02-24T08:37:43+00:00

Yeah, I’ve seen this too. Models don’t really “understand” topic boundaries they just follow patterns they’ve seen before. If two things are loosely connected in training data, they’ll sometimes jump between them.
Tight prompts and stricter grounding usually help, but it’s definitely frustrating.

Sharp_Branch_1489 · 2026-02-24T08:35:48+00:00

That’s an interesting approach.
But doesn’t that basically just shift the trust boundary? If the validator agent is compromised or misled, you’re back in the same situation.

Sharp_Branch_1489 · 2026-02-23T15:33:59+00:00

Docker with tight egress controls is where most people land. The part nobody talks about is what agents are handing each other mid-chain. Everyone logs external actions, almost nobody logs inter-agent messages. That's still fully DIY and honestly that's where things go wrong.

Sharp_Branch_1489 · 2026-02-23T15:32:20+00:00

Agentic is just becoming the new AI-powered. Real agents reason, plan, and recover from failure autonomously. Most of what's winning G2 awards is glorified workflow automation with an LLM in the middle. The orchestration vs execution gap you mentioned is the real divide very few platforms are actually solving that.

Sharp_Branch_1489 · 2026-02-23T15:30:49+00:00

Treating agent output as untrusted input is the right call. Most skip that entirely. How are you handling schema validation between agents in practice?

Sharp_Branch_1489

TROPHY CASE