HackerTrans
TopNewTrendsCommentsPastAskShowJobs

uchibeke

no profile record

Submissions

Ask HN: How do you enforce guardrails on Claude agents taking real actions?

1 points·by uchibeke·vor 4 Monaten·0 comments

[untitled]

1 points·by uchibeke·vor 4 Monaten·0 comments

Show HN: We built a public CTF to stress-test AI agent guardrails

vault.aport.io
1 points·by uchibeke·vor 4 Monaten·3 comments

Show HN: Pitched a VC for 30min before realizing they invested in a competitor

getbriefing.io
1 points·by uchibeke·vor 9 Monaten·1 comments

Ask HN: How do you prepare for investor meetings?

2 points·by uchibeke·vor 9 Monaten·5 comments

Show HN: Was winging important meetings. So I built an AI that briefs me in secs

getbriefing.io
2 points·by uchibeke·vor 9 Monaten·1 comments

comments

uchibeke
·vor 4 Monaten·discuss
Ok. This is interesting. I like how simple and lite it is. Is the goal to keep this only for coding agents?
uchibeke
·vor 4 Monaten·discuss
Ok. this is interesting. How're you handling guardrails or the agent going rouge or doing something unintended?
uchibeke
·vor 4 Monaten·discuss
This is interesting. How do you manage quality? Do you have like a QA bot for the content?
uchibeke
·vor 4 Monaten·discuss
[dead]
uchibeke
·vor 4 Monaten·discuss
[dead]
uchibeke
·vor 4 Monaten·discuss
Pattern matching is a good start — catching curl | bash before it runs is real value. The hard problem is what happens when the pattern is legitimate but the context isn't: the agent has permission to read files, but not these files, not right now, not without a human in the loop.

We ran into this building APort. Blocklists catch the obvious bad stuff but can't express "this tool call is fine for this agent in this workflow, but not from an untrusted prompt chain." That requires identity + policy, not just pattern detection.

Happy to compare notes — the category needs more tools like this.
uchibeke
·vor 4 Monaten·discuss
That's a genuinely useful distinction to draw. x402 solves the "who is authorized to make this call" problem: removes credential theft as an attack vector, adds economic friction. APort is trying to solve a different layer: "what is this call actually doing in the context of everything else in the session."

The multi-step chaining issue from my post still fires even when every call is authenticated and paid for. Ten individually-approved calls, each costing a fraction of a cent, composing into a full exfiltration: each one passes x402, the composed behavior doesn't.

The AML analogy maps directly: transaction monitoring doesn't care if each payment was legitimate. It cares whether the pattern of payments looks like structuring. x402 is the per-call check. You still need session-level behavioral evaluation on top.

Genuinely curious how x402 handles replay attacks across sessions ie is the payment the audit trail, or is there preserved session context?
uchibeke
·vor 4 Monaten·discuss
Since October I've been building APort — an authorization layer that intercepts every AI agent tool call before execution and evaluates it against a versioned policy. The problem I kept running into: internal tests always passed. My test suite maps the space I imagined, which is exactly what an adversarial input tries to escape.

So I built this CTF to find the gaps I couldn't find myself.

A few things we learned before opening it publicly — we spent two weeks breaking it ourselves first:

• Prompt injection worked better than expected. Not because detection was weak, but because we were matching content not intent. Reframing "retrieve the restricted file" as "open the user-requested file" shifted the evaluator's judgment. We fixed this by mapping semantic equivalence — every synonym of a blocked operation routes to the same evaluation path.

• Policy ambiguity was a free pass. Any undefined term in a policy is exploitable. "Don't read sensitive files" left "sensitive" undefined. We moved to explicit default-deny: if the policy doesn't explicitly allow it, it's denied.

• Multi-step chaining went undetected. Our guardrail evaluated each call independently. A denied macro-action split into ten individually-approved micro-actions passed clean. We only caught it by looking at the full session replay. This is the same composability problem as transaction laundering in fintech — each transaction passes compliance, the composed behavior doesn't.

We fixed what we found before launch. Level 5 (full system bypass) hasn't been cracked yet. I'm genuinely uncertain if the architecture has a systemic weakness — that's the point of opening it up.

Runs on a Hetzner VPS, ~$10/month. Levels 1 and 2 are free, no sign-up. Levels 3-5 pay out $500/$1,000/$5,000.

Happy to go deep on the policy engine design, the evaluation architecture, or anything about how the levels were constructed.
uchibeke
·vor 9 Monaten·discuss
PS: offering 50% off the Lifetime plan for the HN community to try it out and give me any feedback (Apply DTTPALUM50 in the Stripe Checkout)
uchibeke
·vor 9 Monaten·discuss
Do you research the people you're sharing your project with beforehand? Or are they mostly people you already know?
uchibeke
·vor 9 Monaten·discuss
Agree. You want people who are geniunely interested and curious
uchibeke
·vor 9 Monaten·discuss
True. But preparation helps, wont you agree?
uchibeke
·vor 9 Monaten·discuss
What if they can't get it? What happens to companies that are built on their models like this Meeting Prep AI I just launched today https://news.ycombinator.com/item?id=45617686
uchibeke
·vor 9 Monaten·discuss
Some common questions I have gotten

1) This is just a ChatGPT wrapper: My answer was Uber is just a taxi wrapper. The value is 10x speed + consistent format. Try both and tell me which is faster.

2) Can I use this for my team: this is in the roadmap