Security-first agentic coding · built on oh-my-pi

The AI coding agent leadership can actually approve.

LUCID Agent IDE lets your teams code with AI while your source, prompts & CUI never leave the host. A prompt-injection gate on every tool call that cannot fail open, per-model cost showback, sovereignty-aware governance, and now Remote: drive your desktop agent from your phone. Bring any model.

1,900+ testsmetadata-only by constructionsovereignty-aware & air-gappableany model, no lock-in
0
Tests passing
0
Bytes of code that leave
0
Models in the picker
0
Ways to fail open
Raw models & clouds at the bottom, one neutral fail-closed gate in the middle, only metadata-only evidence rising to your BI at the top.

01 The business case

Your teams already want AI coding. This is how leadership says yes.

Adoption isn't the question, governance is. LUCID turns "we can't let AI touch that codebase" into a program you can fund, defend, and audit: nothing sensitive leaves, injection can't win, spend is visible, and the evidence belongs to you.

Data protection

Nothing sensitive ever leaves

Metadata-only by construction. Source code, prompts, and CUI never leave the host. The allow-list is an architectural guarantee, not a checkbox. A whole class of data-spill risk is designed out.

Threat defense

Injection can't trick your agent

A prompt-injection gate runs on every tool call and cannot fail open. With roughly half of AI-generated code carrying a vulnerability on first review, security is the default, not a toggle.

Cost governance

Govern and prove AI spend

Live per-model spend and cache-savings showback across every provider. When most enterprises overrun their AI budget, leadership gets one number instead of four consoles.

Compliance

Sovereign, air-gap, ATO-ready

CUI isolation, a foreign-origin warning wall, and the AskSage accredited gateway (FedRAMP High, IL5/IL6). Every run doubles as audit evidence suited to CMMC and continuous monitoring.

Portability

No model or cloud lock-in

Bring any model; publish evidence into your own BI. Every new tool your teams adopt increases LUCID's value instead of trapping your data in someone else's console.

Accountability

Know who wrote every line

A tamper-evident ledger attributes which model wrote which lines, per repo, per person, per session. AI spend and AI authorship, both auditable.

Budget isn't the blocker. Governance is.

LUCID is the neutral layer that lets leadership prove value, stay portable, and prove accountability across every AI tool, model, and cloud your organization runs. The alternative is four vendor consoles and no total.

Four consoles and no total → one pane, consolidated into your own BI.

Where the market is going

The AI-coding wave is here. The governance gap is the opening.

Nearly every developer now uses or plans to use AI coding tools, but spend is overrunning, trust in raw output is falling, and every provider wants your cost and audit data in their console. LUCID sits above the tool war: neutral across models and clouds, handing the evidence back to you.

$27B
AI coding-tools market by 2030 (~28% CAGR)
73%
of enterprises exceeded their AI budget
~48%
of AI-generated code has a vuln on first review
84%
of developers use or plan to use AI tools

Industry context (FinOps Foundation 2026; Precedence / Fortune BI; Stack Overflow / GitHub). Figures cited for landscape, not LUCID performance claims.

02 What makes it novel

Thirteen things you rarely find together.

Plain language below. The deeper “how” stays proprietary.

A gate that cannot fail open

If the scanner dies or returns garbage, the gate blocks, never “safe.” A test kills it mid-run and the block still holds.

Runtime containment

Even after bash is approved, the process runs OS-isolated and its network is mediated, a package phoning home over DNS at import time is refused and audited.

Provenance-gated memory

Suspicious or quarantined content can never auto-save into memory. Trust comes from the source, not the caller's word.

Encrypted personalization graph

A private, AES-256-GCM “second brain” the agent learns from you and recalls across sessions, CUI-isolated, exportable to Obsidian.

AI-authorship attribution

A tamper-evident ledger of which model wrote which lines, per repo, per person, per session.

Sovereignty-aware governance

Gov-only lockdown, curated model lists, and a clear warning wall before any foreign-origin model is used.

A cache-stable prompt

Safety layers are byte-identical on every request. Untrusted text enters only delimited, only after the cache point, faster and safer.

An IDE where Save is scanned

Edit and save through the same gate. A hidden-Unicode payload is blocked before a byte lands on disk.

One-command migration

Bring your ChatGPT / Claude / Gemini history in, every message scanned, then distilled into your private graph.

Loop engineering

/goal runs an agent to a verified finish, budget kill switch, stall guards, and an after-action report.

A gov-grade gateway, gated

The AskSage accredited gateway is wired in with a lockdown mode, scanned personas, and answers grounded on your own datasets.

Cost tracking & showback

Live per-model spend and cache savings, know exactly what every conversation costs.

03 Built on oh-my-pi

A thin, principled layer over a fast Rust engine.

LUCID rides omp's releases instead of forking it, everything is added through hooks, custom tools, and the SDK. These are the runtime capabilities it is built upon:

ARCHITECTURE · LUCID OVER OH-MY-PILUCID · security · provenance · memoryfail-closed gateprovenanceencrypted memoryAI-authorshipcost showbackomp runtime capabilitiessubagentsplan modeLSPDAPsessionssandboxingtool-callingmodel routingoh-my-pi (omp)NATIVE RUST ENGINEthin, principled layer · heavy lifting stays in omp's Rust engine · upgrades with omp, no fork
LUCID clamps onto omp through hooks, custom tools & the SDK. The heavy lifting stays in omp's Rust engine.
The architecture in one line: TypeScript on Bun, in-process with omp. The only Python is a pure-Unicode scanner sidecar behind a narrow NDJSON contract, so the fail-closed gate that consumes it can never fail open. Provenance & memory live in an append-only DuckDB store.

04 Security model

One lifecycle, enforced end to end.

Every tool call, every Save, every persona, every imported message walks the same path. Any failure at any stage means block or quarantine, never safe defaults.

01

Scan

Pure-Unicode sidecar finds zero-width, bidi, tag-block, homoglyph & PUA.

02

Decide

scanAndDecide: any scan failure ⇒ block / quarantine.

03

Gate

Runs in-process on every tool call via an omp pre-hook.

04

Contain

Approved process runs OS-isolated; egress is mediated + audited.

05

Label

Closed set: trusted · untrusted · suspicious · quarantined.

06

Promote

Suspicious sources can't enter semantic memory.

07

Export

Invisibles escaped; raw referenced by SHA-256, never inline.

Try the gate

Pick a command; the fail-closed gate scans it before it runs.
lucid, agent shell gate active

$ awaiting input…

05 Remote In preview

Your desktop agent, in your pocket.

See and drive a running LUCID session from your phone's browser, no app to install. Every prompt still executes on the desktop behind its fail-closed gate. Remote adds reach, not risk.

Remote reach, not risk · four independent gates
Phone → four independent gates → desktop, over an end-to-end encrypted channel. The relay only ever sees ciphertext.
1

Google sign-in

A verified Firebase ID token admits the phone to the rendezvous, and nothing more. Signing in doesn't grant access to anything yet.

2

Room key

An AES-256-GCM key rides only in the invite link's fragment and never touches a server. Without it, the phone can read nothing.

3

Write token

Sending a prompt needs a separate write token carried only by an edit link. A view link stays read-only, refused host-side.

4

Desktop gate

Every remote action still runs on the desktop through its fail-closed scanner, exec approvals, and egress policy. Nothing is bypassed.

The guarantee: a compromised host, CDN, or relay sees ciphertext and metadata, never your session content. Watch the whole turn live (thinking, tool chips, subagents, and the streamed answer) on a mobile-first, installable web app that runs the exact same collab core as the desktop, so remote is never a separate, weaker path. In preview under ADR-0226 / ADR-0227.

06 Any model, any provider

Bring whatever you already pay for.

Sign in with your subscription (OAuth) or paste an API key, keys live in the OS-encrypted vault, never reaching the renderer or the agent. The gate scans every turn the same way, whichever model you choose.

Anthropic Claude OpenAI GPT Google Gemini xAI Grok Perplexity Sonar AskSage gov gateway Ollama · llama.cpp · vLLM local
Government

Accredited gov gateway

AskSage routes every turn through GovCloud with scanned personas and dataset-grounded RAG, one lockdown toggle hides direct providers.

Offline

Fully air-gapped

Run U.S. open-weight families on your own hardware with local-first RAG and bundled WASM embeddings, no GPU, no egress.

Showback

Cost & savings ledger

Unified spend across every model, estimated cache savings, hit-rate, and per-session drill-down, built for teams that attribute AI cost.

07 Who it's for

Built for the teams the other tools treat as an afterthought.

Government · regulated · CUI teams

A sovereignty-aware agent with hard CUI isolation, a fail-closed gate, and a full provenance / audit trail, packaged for locked-down, air-gapped laptops with zero prerequisites.

Security-conscious engineers

Every tool call, every Save, every persona, every imported message scanned by a gate that cannot fail open. Prompt-injection defense is the default, not a toggle.

Teams that need governance & showback

Real cost per model with cache-savings showback, plus a tamper-evident ledger of which model wrote which lines. AI spend and AI authorship, both auditable.

Agent-platform builders

A worked, test-backed example of adding security, provenance, and memory around a fast runtime via hooks / tools / SDK, extend, never fork.

08 Field manual

Frequently asked

What is LUCID Agent IDE?
A security-first agentic coding harness. It wraps the oh-my-pi (omp) coding runtime with a fail-closed layer that scans every tool call, contains the runtime, tracks provenance, remembers across sessions, and attributes which model wrote which lines, added entirely through omp hooks, custom tools, and the SDK, never a fork.
What does “fail-closed” mean here?
Any failure to get a valid, clean result (a dead scanner, a malformed response, a timeout, an unknown field) is treated as block or quarantine, never as safe defaults. If the Unicode scanner dies mid-run, the gate still blocks. A test kills it on purpose to prove the block holds.
Which AI models does LUCID support?
Any model omp exposes: Anthropic Claude, OpenAI GPT, Google Gemini, xAI Grok, Perplexity Sonar, the AskSage accredited government gateway, and local open-weight models via Ollama, llama.cpp, or vLLM. Authenticate with your subscription (OAuth) or an API key; every turn passes the same gate.
Is it really built on oh-my-pi (omp)?
Yes. omp is a fast agentic coding runtime with subagents, plan mode, LSP, DAP, hindsight memory, hashline edits, and time-traveling rules, driven by a native Rust engine. LUCID adds its security, provenance, and memory through omp's hooks, custom tools, and SDK, riding omp's releases instead of forking.
Can it run air-gapped or in government environments?
Yes. It ships as a desktop app with zero prerequisites (Bun and the Python scanner sidecar are bundled), runs fully offline with local models and local-first RAG, isolates CUI, and integrates the AskSage accredited gateway with a lockdown mode, designed for locked-down, air-gapped laptops.
What is LUCID Remote?
Remote (in preview) lets you see and drive a running desktop LUCID agent from your phone's browser, with no app to install. It's end-to-end encrypted (AES-256-GCM) and guarded by four independent gates: Google sign-in for rendezvous admission, a room key that rides only in the invite link and never touches a server, a write token required to send prompts, and the desktop's own fail-closed gate that re-checks every action. A compromised host or relay sees ciphertext and metadata, never your session content.
Why do executives and security leaders choose LUCID?
Because it lets leadership say yes to AI-assisted coding. Nothing sensitive leaves the host (metadata-only by construction), prompt injection can't fail the gate open, AI spend is governed with per-model cost showback, and every run produces audit evidence suited to CMMC and continuous monitoring. It stays neutral across models and clouds, so the cost and governance data belong to you, not a vendor console.
How much does it cost?
The source-available core is free. An enterprise add-on tier (executive BI rollups, SIEM audit export, central policy) is separately licensed and optional, nothing in the core depends on it.

Deploy an agent that can't be tricked into betraying you.

Download the desktop app, or read the source. Open core, source-available, one increment at a time behind its own ADR + demo + tests.

FAIL-CLOSEDMETADATA-ONLYSOVEREIGNTY-AWAREAIR-GAPPABLENO FORK