Agent Security: From Fingerprinting to Credential Vaults

Agent Security: From Fingerprinting to Credential Vaults

A researcher decrypted 377 Cloudflare Turnstile programs from ChatGPT network traffic and found something that goes well beyond standard browser fingerprinting. Each program collects 55 properties across three layers: the browser (GPU, screen, fonts), the Cloudflare edge network (city, IP, region from edge headers), and -- the part that matters -- the ChatGPT React application itself. The program checks internal React Router v6+ data structures, route loader results, and SSR hydration state. A bot that spoofs browser fingerprints but doesn't actually render and hydrate the full ChatGPT single-page application will fail. This is bot detection at the application layer, not the browser layer. (more: https://www.buchodi.com/chatgpt-wont-let-you-type-until-cloudflare-reads-your-react-state-i-decrypted-the-program-that-does-it/)

The encryption was supposed to hide this. The outer layer is XOR'd with a token from the prepare request -- both travel in the same HTTP exchange. Inside those 89 VM instructions sits a 19KB encrypted blob containing the actual fingerprinting program. The inner key? A float literal embedded in the bytecode itself, verified across 50 requests, 50 out of 50. The "encryption" prevents casual inspection but not analysis. Alongside the fingerprint, Turnstile runs a behavioral biometric layer (keystroke timing, mouse velocity, scroll patterns, idle time across 36 properties) and a SHA-256 hashcash proof-of-work challenge. The privacy boundary between user and system operator is a policy decision, not a cryptographic one.

If Cloudflare has to fingerprint entire React application state to keep bots out of ChatGPT, it tells you something about the arms race on the other side. ClawShield takes the inverse approach: instead of detecting bots trying to reach an AI, it secures AI agents trying to reach the world. This open-source Go proxy sits between users and any OpenAI-compatible gateway, scanning every message for prompt injection, PII leaks, secrets, and vulnerability patterns before they reach the model or leave the network. The architecture uses defense-in-depth across three layers -- application-level content scanning with a YAML deny-by-default policy engine, iptables-based egress firewalling restricting which domains agents can reach, and optional eBPF kernel-level syscall monitoring for detecting privilege escalation and fork bombs. The layers communicate via a Unix socket event bus, enabling adaptive responses: if eBPF detects a port scan, the proxy elevates injection sensitivity for ten minutes; if the proxy blocks three injections in sixty seconds, the default action forces to deny. Production hardening includes Go-native eBPF replacing a Python dependency, graceful degradation to /proc polling when eBPF is unavailable, and streaming response scanning with a sliding 200-character overlap window that catches patterns spanning chunk boundaries. (more: https://github.com/SleuthCo/clawshield-public)

NanoClaw is approaching this from the platform level. Eight weeks after launch, the project has crossed 25,000 GitHub stars and shipped what it calls the first agent vault -- adopting OneCLI's Agent Vault as the default credential and proxying layer. Every agent now accesses external services through a vault gateway; the agent never sees raw API keys. Rate limiting is live: if the widely-reported Meta incident (an alignment director's email agent mass-deleting messages despite explicit instructions not to) had happened with a rate limit of three deletions per hour, the damage would have been three emails, not an entire inbox. Container isolation was step one, credential isolation is step two. The harder question, raised in the thread itself: the vault governs access, but the agent can still exfiltrate data it retrieves through those keys. Credential leakage and data exfiltration are two different trust boundaries, and NanoClaw hasn't publicly addressed the second one yet. (more: https://www.linkedin.com/posts/gavrielco_two-huge-milestones-in-24-hours-nanoclaw-activity-7442256231559270400-OL2N)

The Specialist Agent Stack

The argument for a single omniscient agent is losing ground. As one practitioner puts it: everyone is chasing the perfect agent -- one model, one stack, one personality supposedly crushing every task. The counter-thesis for 2026 is unbundling and rebundling. Not one mega-agent, but specialists: context retrieval that finds the needle and ignores the haystack, code edit prediction at sub-200ms, domain reasoning that thinks in your stack, verification that catches the bug you'd ship at 2am. The proof is already shipping: Chroma's Context-1 built purely for retrieval, Zed's Zeta-2 predicting edits at under 200 milliseconds, NVIDIA's ProRL fine-tuning a single step of the reinforcement loop. You optimize accuracy, latency, cost, privacy, and context quality independently. (more: https://www.linkedin.com/posts/ownyourai_everyones-chasing-the-perfect-agent-one-share-7443557857037537280-VM7Y)

The most entertaining proof of concept is an AI agent running on a $7/month VPS with IRC as its transport layer. George Larson's "nullclaw" is a 678KB Zig binary using about 1MB of RAM, connected to a self-hosted Ergo IRC server. Visitors hit a gamja web client embedded in his portfolio site; the agent handles greetings and project questions using Haiku for the hot path and Sonnet for tool use when it needs to clone a repo and actually read test files. A second agent, "ironclaw," runs on a separate box via Tailscale with access to email and calendar, connected through Google's A2A protocol. The security model is deliberate: the public box has no access to private data, the blast radius of compromise is an IRC bot with a $2/day inference budget, and prompt injection is mitigated by strict routing -- only scheduling, availability, and contact requests get escalated to ironclaw. Total footprint: under 10MB of binaries, under 5MB RAM at idle. The deeper point: model selection is a design decision, not a settings toggle. Using Opus for a concierge would signal the opposite of model understanding. (more: https://georgelarson.me/writing/2026-03-23-nullclaw-doorman/)

oh-my-claudecode (OMC) formalizes multi-agent orchestration as a first-class primitive with a five-stage pipeline: plan, PRD, execute, verify, fix. The framework supports three worker types -- native Claude teams, tmux-spawned CLI workers for Codex and Gemini, and a tri-model synthesis mode. Each worker is a real CLI process in its own tmux pane, not simulated concurrency. The deep interview mode uses Socratic questioning to expose hidden assumptions before any code is written, measuring requirement clarity across weighted dimensions. Cost optimization claims 30-50% token savings through smart model routing. The caveats are real: the native teams feature depends on an unstable Claude Code flag, the tmux dependency kills Windows compatibility outside WSL2, and version 4.4.0 removed Codex/Gemini MCP servers entirely, forcing migration to CLI workers. (more: https://starlog.is/articles/ai-agents/yeachan-heo-oh-my-claudecode)

Eyes for Claude gives coding assistants a webcam. The tool streams video at 1 FPS via WebSocket to Google's Gemini Live API, which builds visual context over time -- answering questions about things that happened minutes ago, not just what's on screen now. The motivation: iterating on hardware projects with Claude Code meant a screenshot loop that got old fast. Now the camera stays pointed at the workspace and Claude queries it via bash whenever needed. (more: https://github.com/hholen/eyes-for-claude) Meanwhile, notebooklm-py ships a full unofficial Python API to NotebookLM, exposing capabilities the web UI doesn't -- batch downloads, quiz/flashcard export, mind map JSON extraction, slide deck as editable PPTX, and programmatic sharing. It integrates as a skill for Claude Code, Codex, and OpenClaw agents, making research automation a composable building block rather than a walled garden. (more: https://github.com/teng-lin/notebooklm-py)

Pushing the Efficiency Frontier

The Mamba-3 paper from Carnegie Mellon, Princeton, Together AI, and Cartesia introduces three core improvements to the SSM lineage. First, exponential-trapezoidal discretization provides a more expressive recurrence that empirically replaces the short causal convolution previously considered essential for recurrent models. Second, a complex-valued state update -- equivalent to a data-dependent rotary embedding -- enables state tracking that Mamba-2 simply cannot do. The authors demonstrate this concretely: Mamba-3 near-perfectly solves arithmetic tasks where Mamba-2 performs no better than random guessing. Third, a multi-input multi-output (MIMO) formulation increases decoding FLOPs by up to 4x at fixed state size while maintaining similar wall-clock decode latency. At 1.5B scale, Mamba-3 MIMO improves average downstream accuracy by 2.2 points over Transformers, 1.9 over Mamba-2, and 1.8 over Gated DeltaNet. Perhaps more telling: Mamba-3 MIMO with state size 64 matches Mamba-2's perplexity at state size 128 -- same performance at half the memory. (more: https://arxiv.org/pdf/2603.15569)

At the other end of the parameter scale, TinyLoRA demonstrates that LoRA training works with as few as 13 parameters. A researcher replicated the paper's results on Qwen 3.5 and found that separating the 13 parameters between MLP and attention layers (26 total) outperformed increasing the global parameter count -- suggesting these layers benefit from separate optimization spaces since they handle fundamentally different operations. The practical hypothesis: TinyLoRA won't memorize facts, but it's effective at altering behavior, making it potentially useful for per-user behavioral adapters. Combined with DeepSeek's Engram concept, this could enable lookup tables for behaviors made of tiny LoRA adapters -- far more varied than mixture-of-experts, trainable with minimal memory. (more: https://www.reddit.com/r/LocalLLaMA/comments/1s6z9f8/tinylora_shows_lora_training_works_at_13/) Related: a KV rotation PR for llama.cpp found that existing q8 KV quantization tanks performance on AIME25, but applying rotation largely recovers it -- a useful datapoint for anyone running quantized inference and wondering why their math benchmarks look worse than expected. (more: https://www.reddit.com/r/LocalLLaMA/comments/1s720r8/in_the_recent_kv_rotation_pr_it_was_found_that/)

Taalas is taking a more radical approach to inference efficiency: burning language models directly into silicon. Their ASIC card reportedly processes Llama 3.1 8B at 17,000 tokens per second -- compare that to an RTX 4090 at roughly 150 tok/s or Groq at around 1,000. A new medium-sized PCIe card will burn Qwen 3.5 27B into silicon: standard PC slot, 10x less power than a GPU, no VRAM, no weights loading, no inference framework. The model is the hardware. The tradeoffs are obvious and acknowledged in the comments: you can't swap models on a burned chip, every revision requires a new mask spin, and the model is outdated the moment the card leaves the factory line. For regulated industries operating under HIPAA, ITAR, or CMMC, the deployment model -- air-cooled, 250W, no cloud dependency, no data leaving the building -- might matter more than flexibility. (more: https://www.linkedin.com/posts/joseph-benguira-28264b2_ai-asic-llm-activity-7443979533805944832-UbaU)

Heretic automates censorship removal from language models using directional ablation with a TPE-based parameter optimizer. The tool finds high-quality abliteration parameters by co-minimizing refusals and KL divergence from the original model, producing decensored models that retain as much original intelligence as possible. On Gemma 3 12B, the Heretic version achieves the same refusal suppression as expert manual abliterations (3/100 refusals) but at a KL divergence of 0.16 versus 0.45-1.04 for other approaches -- less damage to the model's capabilities. The community has published over 1,000 Heretic models on Hugging Face. Key innovations include float-valued refusal direction indices (interpolating between layer directions unlocks a vast space beyond those identified by difference-of-means) and separate ablation weights for MLP versus attention components, since MLP interventions tend to be more damaging. (more: https://github.com/p-e-w/heretic)

On Apple Silicon, mlx-snn delivers a spiking neural network library for the MLX framework that benchmarks at 2.6-3.7x faster training than Tesla V100 at one-seventh the power -- an estimated 17-25x better energy efficiency. The library ships 9 neuron models, 6 surrogate gradients, 8 spike encodings, 5 neuromorphic datasets, and a liquid state machine implementation with configurable topology. For researchers working on neuromorphic computing, the unified memory architecture eliminates the CPU-GPU transfer bottleneck that makes recurrent spiking dynamics painful on discrete GPUs. (more: https://github.com/D-ST-Sword/mlx-snn)

AI Governance and the Follow-Through Problem

An essay on CEO accountability for AI makes an argument that cuts deeper than the usual "leaders need to understand the technology" advice. The real divide is not between companies with AI pilots and companies without them. It's between firms generating AI motion and firms producing board-grade proof that the economics hold once the system becomes real. The author draws a sharp distinction between ownership (a claim about accountability) and control (an operating condition): a CEO can find themselves answerable for a system whose effective shape is still being determined across product teams, IT, procurement, prompt layers, data pipelines, permissions, and vendor configurations. The first serious AI disappointment at executive level is rarely cinematic -- more often the promised savings don't quite land, the workflow needs more review than expected, exceptions pile up in places never properly priced, and the team is busier than before though nominally more productive. The prescription: pick a small number of workflows that genuinely matter to the board, put a mixed team with real operating authority around them, and prove the case under live conditions before broader expansion. Price supervision, reversals, rework, and exception handling into the economics instead of treating them as temporary noise. (more: https://unhypedai.substack.com/p/ceo-accountability-for-ai-is-not)

The companion piece on AI and work argues that smoothness is not the same as relief. AI lowers the cost of starting, shortens the path from rough material to plausible output, and carries context further across boundaries. But once friction falls, more gets started because starting is easier. More gets sent because drafting is easier. People widen scope because the tools make stretching feel possible, and then that extra range hardens into the new normal. The work may ask less of our hands while asking more of our name -- less time producing, more time endorsing, approving, checking, standing behind. The author invokes Donald Schon: much of real practice is discovering what the problem actually is while you're still inside it, and AI help may arrive too quickly, giving form to thought before thought has finished finding its own shape. The day becomes more capable and less recoverable. (more: https://unhypedai.substack.com/p/when-ai-makes-work-easier-to-move)

A data-driven post on Claude Code's open bug count finds 5,021 bugs with the gap between raised and closed growing at a consistent percentage -- meaning Anthropic is permanently running behind at a steady rate with no sign of catching up. The author's point isn't that AI tools are bad (his team uses Claude Code daily and ships aggressively with it), but that the bounded nature of the product -- essentially a while-loop, an LLM connection, and four filesystem tools -- makes 5,000 open bugs harder to excuse. The quadratic projection (R²=0.986) is concerning. If Anthropic, with unlimited access to its own AI for triage and fixes, can't control quality on its own codebase, what does that say about the "AI writes all our code" thesis? The commenters push back: many bugs are likely duplicates, feature requests mislabeled, or edge cases from non-technical users. Fair enough. But one reply cuts to it: "Either the tool cannot do what it says and creates a lot of bugs, or it cannot effectively triage and classify its own bugs. No matter which way you slice it, it looks bad for a company selling an AI dream." (more: https://www.linkedin.com/posts/denton-david_after-observing-it-increasing-for-a-while-activity-7443943044803952640-8ueR)

An essay on leadership availability -- the practice of being reachable, present, engaged, and following through -- lands differently when read alongside the AI governance pieces. The author breaks availability into four habits: making time, making space, making decisions, and closing loops. Chronic unavailability teaches teams to think smaller, route around their leader, and stop surfacing problems. The compounding effect is corrosive: a "no" is at least a decision, but silence is a tax on everyone else's time. The connection to AI governance is implicit but real: the boards asking "does AI work?" are often led by executives whose follow-through problem predates their AI strategy. Governance requires the exact trait -- closing loops, making decisions when decisions are needed, pricing messy reality into the story -- that too many leaders have already outsourced to calendar protection and empowerment rhetoric. (more: https://open.substack.com/pub/runthebusiness/p/the-12th-of-never?r=v5uaz)

The Cognitive Dark Forest

A developer essay adapts Liu Cixin's Dark Forest hypothesis to the AI era. The original: every civilization that reveals itself gets annihilated, so they all hide. The cognitive version: the earlier internet rewarded signaling -- your value multiplied by connections, and execution was the moat. Two things changed. The web got consolidated by corporations extracting information to advertise and governments killing privacy to control. And execution got cheap. Now a large platform with cash can incorporate your innovations by throwing compute at the problem, generating variations every few days until your uniqueness is absorbed. Every prompt flows through centralized platforms. Every prompt is a signal revealing intent. The platform doesn't need to spy on you specifically -- it just needs to see where the questions cluster. A demand curve made of human interests. The true horror: the cognitive dark forest doesn't kill you. It lets you live and feeds on you. Your innovation becomes its capabilities. Your differentiation becomes its median. Resistance isn't suppressed -- it's absorbed. (more: https://ryelang.org/blog/posts/cognitive-dark-forest/)

The pharmacovigilance weekend build is both a case study in what AI enables and what the dark forest predicts. A developer used Claude Code to build a free tool that runs signal detection across 2.9 million FDA adverse event reports -- disproportionality statistics (PRR, ROR, chi-squared) that commercial platforms charge $50K-500K/year for. The data is free, the methods are published, the barrier was always the engineering. The community response was brutal: the first outside user typed "ibuprofen" and got a Python stack trace. Comments ranged from "vibecoded garbage" to "have a think about the consequences to real people when pharmacovigilance processes fail -- that's why the software is expensive." The author acknowledged it's a proof of concept, not a replacement. But the pattern is instructive: AI compresses the distance between "I can build this" and "I shipped this" while doing nothing about the distance between "I shipped this" and "this works reliably under production conditions." (more: https://www.reddit.com/r/ClaudeAI/comments/1s7habk/built_with_claude_a_500kyear_pharmacovigilance/)

Google Stitch is generating similar reactions in the design space -- users following a guide and producing functional UI outputs in minutes, prompting comments like "my job is officially cooked." (more: https://www.reddit.com/r/GeminiAI/comments/1s4hjqf/google_stitch_is_insane/) The enterprise take is more nuanced. A practitioner describes arriving at a client with 20-year-old code nobody wants to touch and argues that 2026 is when legacy modernization stops being outsourced to contractors who charge by the hour and starts being understood by agents who charge by the token. But the caveat matters: bigger doesn't equal better, RAG is for documents but code is a graph, structured traversal beats naive chunk retrieval, and that 1998 codebase isn't semantically similar to anything -- it's connected. Same harness, same policies, and Qwen 3.5 beat Kimi-K2.5, GLM-5, and DeepSeek-V3.2. Vibe coding doesn't have a place in an enterprise. (more: https://www.linkedin.com/posts/ownyourai_i-just-time-traveled-from-frontier-ai-straight-activity-7443970366999535616-tGLB)

The ambient intelligence editorial pushes toward a more philosophical register, arguing that intelligence may not be rare or centralized but exists as ambient pattern across systems, waiting for alignment to become observable. The WiFi DensePose work -- extracting breath, posture, and presence from what looked like noise -- made this tangible. What seemed like signal noise became structured information once the geometry to read it was available. Whether you find this compelling depends on your tolerance for extrapolation from signal processing to metaphysics, but the core observation about latent structure in environments is grounded in real engineering. (more: https://www.linkedin.com/posts/reuvencohen_ambient-intelligence-is-not-something-we-activity-7444084603684044800-9z0s)