The AI coding agent leadership can actually approve.
LUCID Agent IDE lets your teams code with AI while your source, prompts & CUI never leave the host. A prompt-injection gate on every tool call that cannot fail open, per-model cost showback, sovereignty-aware governance, and now Remote: drive your desktop agent from your phone. Bring any model.
01 The business case
Your teams already want AI coding. This is how leadership says yes.
Adoption isn't the question, governance is. LUCID turns "we can't let AI touch that codebase" into a program you can fund, defend, and audit: nothing sensitive leaves, injection can't win, spend is visible, and the evidence belongs to you.
Nothing sensitive ever leaves
Metadata-only by construction. Source code, prompts, and CUI never leave the host. The allow-list is an architectural guarantee, not a checkbox. A whole class of data-spill risk is designed out.
Injection can't trick your agent
A prompt-injection gate runs on every tool call and cannot fail open. With roughly half of AI-generated code carrying a vulnerability on first review, security is the default, not a toggle.
Govern and prove AI spend
Live per-model spend and cache-savings showback across every provider. When most enterprises overrun their AI budget, leadership gets one number instead of four consoles.
Sovereign, air-gap, ATO-ready
CUI isolation, a foreign-origin warning wall, and the AskSage accredited gateway (FedRAMP High, IL5/IL6). Every run doubles as audit evidence suited to CMMC and continuous monitoring.
No model or cloud lock-in
Bring any model; publish evidence into your own BI. Every new tool your teams adopt increases LUCID's value instead of trapping your data in someone else's console.
Know who wrote every line
A tamper-evident ledger attributes which model wrote which lines, per repo, per person, per session. AI spend and AI authorship, both auditable.
Budget isn't the blocker. Governance is.
LUCID is the neutral layer that lets leadership prove value, stay portable, and prove accountability across every AI tool, model, and cloud your organization runs. The alternative is four vendor consoles and no total.
Where the market is going
The AI-coding wave is here. The governance gap is the opening.
Nearly every developer now uses or plans to use AI coding tools, but spend is overrunning, trust in raw output is falling, and every provider wants your cost and audit data in their console. LUCID sits above the tool war: neutral across models and clouds, handing the evidence back to you.
Industry context (FinOps Foundation 2026; Precedence / Fortune BI; Stack Overflow / GitHub). Figures cited for landscape, not LUCID performance claims.
02 What makes it novel
Thirteen things you rarely find together.
Plain language below. The deeper “how” stays proprietary.
A gate that cannot fail open
If the scanner dies or returns garbage, the gate blocks, never “safe.” A test kills it mid-run and the block still holds.
Runtime containment
Even after bash is approved, the process runs OS-isolated and its network is mediated, a package phoning home over DNS at import time is refused and audited.
Provenance-gated memory
Suspicious or quarantined content can never auto-save into memory. Trust comes from the source, not the caller's word.
Encrypted personalization graph
A private, AES-256-GCM “second brain” the agent learns from you and recalls across sessions, CUI-isolated, exportable to Obsidian.
AI-authorship attribution
A tamper-evident ledger of which model wrote which lines, per repo, per person, per session.
Sovereignty-aware governance
Gov-only lockdown, curated model lists, and a clear warning wall before any foreign-origin model is used.
A cache-stable prompt
Safety layers are byte-identical on every request. Untrusted text enters only delimited, only after the cache point, faster and safer.
An IDE where Save is scanned
Edit and save through the same gate. A hidden-Unicode payload is blocked before a byte lands on disk.
One-command migration
Bring your ChatGPT / Claude / Gemini history in, every message scanned, then distilled into your private graph.
Loop engineering
/goal runs an agent to a verified finish, budget kill switch, stall guards, and an after-action report.
A gov-grade gateway, gated
The AskSage accredited gateway is wired in with a lockdown mode, scanned personas, and answers grounded on your own datasets.
Cost tracking & showback
Live per-model spend and cache savings, know exactly what every conversation costs.
03 Built on oh-my-pi
A thin, principled layer over a fast Rust engine.
LUCID rides omp's releases instead of forking it, everything is added through hooks, custom tools, and the SDK. These are the runtime capabilities it is built upon:
04 Security model
One lifecycle, enforced end to end.
Every tool call, every Save, every persona, every imported message walks the same path. Any failure at any stage means block or quarantine, never safe defaults.
Scan
Pure-Unicode sidecar finds zero-width, bidi, tag-block, homoglyph & PUA.
Decide
scanAndDecide: any scan failure ⇒ block / quarantine.
Gate
Runs in-process on every tool call via an omp pre-hook.
Contain
Approved process runs OS-isolated; egress is mediated + audited.
Label
Closed set: trusted · untrusted · suspicious · quarantined.
Promote
Suspicious sources can't enter semantic memory.
Export
Invisibles escaped; raw referenced by SHA-256, never inline.
Try the gate
Pick a command; the fail-closed gate scans it before it runs.$ awaiting input…
05 Remote In preview
Your desktop agent, in your pocket.
See and drive a running LUCID session from your phone's browser, no app to install. Every prompt still executes on the desktop behind its fail-closed gate. Remote adds reach, not risk.
Google sign-in
A verified Firebase ID token admits the phone to the rendezvous, and nothing more. Signing in doesn't grant access to anything yet.
Room key
An AES-256-GCM key rides only in the invite link's fragment and never touches a server. Without it, the phone can read nothing.
Write token
Sending a prompt needs a separate write token carried only by an edit link. A view link stays read-only, refused host-side.
Desktop gate
Every remote action still runs on the desktop through its fail-closed scanner, exec approvals, and egress policy. Nothing is bypassed.
06 Any model, any provider
Bring whatever you already pay for.
Sign in with your subscription (OAuth) or paste an API key, keys live in the OS-encrypted vault, never reaching the renderer or the agent. The gate scans every turn the same way, whichever model you choose.
Accredited gov gateway
AskSage routes every turn through GovCloud with scanned personas and dataset-grounded RAG, one lockdown toggle hides direct providers.
Fully air-gapped
Run U.S. open-weight families on your own hardware with local-first RAG and bundled WASM embeddings, no GPU, no egress.
Cost & savings ledger
Unified spend across every model, estimated cache savings, hit-rate, and per-session drill-down, built for teams that attribute AI cost.
07 Who it's for
Built for the teams the other tools treat as an afterthought.
Government · regulated · CUI teams
A sovereignty-aware agent with hard CUI isolation, a fail-closed gate, and a full provenance / audit trail, packaged for locked-down, air-gapped laptops with zero prerequisites.
Security-conscious engineers
Every tool call, every Save, every persona, every imported message scanned by a gate that cannot fail open. Prompt-injection defense is the default, not a toggle.
Teams that need governance & showback
Real cost per model with cache-savings showback, plus a tamper-evident ledger of which model wrote which lines. AI spend and AI authorship, both auditable.
Agent-platform builders
A worked, test-backed example of adding security, provenance, and memory around a fast runtime via hooks / tools / SDK, extend, never fork.
08 Field manual
Frequently asked
What is LUCID Agent IDE?
What does “fail-closed” mean here?
Which AI models does LUCID support?
Is it really built on oh-my-pi (omp)?
Can it run air-gapped or in government environments?
What is LUCID Remote?
Why do executives and security leaders choose LUCID?
How much does it cost?
Deploy an agent that can't be tricked into betraying you.
Download the desktop app, or read the source. Open core, source-available, one increment at a time behind its own ADR + demo + tests.