OPEN SOURCE SECURITY MIDDLEWARE

Chitin Shell

The missing security layer for AI agents. LLMs never see credentials. Every action is verified before execution.

View on GitHubHow It Works

The Problem

Every major AI agent framework stores API keys as environment variables in the same process as the LLM. When prompt injection tricks the LLM—and it will—the attacker gets everything.

Current AI Agent Architecture
LLM + API Keys + Untrusted Input
= All in the same process
= One prompt injection away from leaking everything

Researchers from OpenAI, Anthropic, and Google DeepMind confirmed that all 12 published prompt injection defenses can be bypassed with >90% success. The only viable mitigation is architectural separation.

INTENT-VERIFY-EXECUTE

How It Works

Chitin Shell Architecture — Intent Layer, Verify Layer, Execute Layer
LAYER 1

Intent

The LLM produces structured, signed requests—not raw API calls. It never has access to secrets, keys, or tokens. Ever.

LAYER 2

Verify

A 4-tier policy engine checks every Intent against deterministic rules. No LLM involved in the decision. Policies can live on-chain for tamper-proof enforcement.

LAYER 3

Execute

The Secure Proxy holds all credentials in an isolated vault. It executes verified Intents and sanitizes the response before returning it to the LLM.

Think of It Like a Restaurant

Restaurant analogy — Dining Room (Intent Layer), Kitchen Window (Policy Engine), Kitchen (Secure Proxy)

The waiter (LLM) takes orders in the dining room but never enters the kitchen. The chef (Secure Proxy) has the knives, ingredients, and cash register behind a reinforced barrier. Orders pass through a kitchen window where policy is checked before cooking begins. Even if a malicious customer tricks the waiter, the chef verifies every order against the rules.

DEFENSE IN DEPTH

What Happens When Attacks Hit

Attack scenarios and how Chitin Shell defends against them

API Key Leakage

Frameworks: Keys in LLM process

Shell: Keys exist only in the Secure Proxy—physically inaccessible to the LLM.

Prompt Injection

Frameworks: Hope the LLM doesn't comply

Shell: LLM can only produce Intents. Policy Engine rejects unauthorized actions regardless of what the LLM “wants.”

Data Exfiltration

Frameworks: No output filtering

Shell: Network isolation + output sanitization. LLM can only communicate with the proxy.

Policy Tampering

Frameworks: Config files editable by agent

Shell: On-chain policies are immutable without multisig + timelock governance.

Quick Start

Install

npm install @chitin-id/shell-core

Use

import { ChitinShell } from '@chitin-id/shell-core';

// Define policy — deterministic rules, no LLM involved
const shell = await ChitinShell.create({ policy });
shell.registerMapper(new SlackMessenger());

// Store credentials in the vault — the LLM NEVER sees these
await shell.vault.set('slack-token', {
  type: 'bearer', value: 'xoxb-your-token'
});

// LLM produces an Intent, not a raw API call
const intent = shell.createIntent({
  action: 'send_message',
  params: { to: 'alice@example.com', body: 'Done!' },
});

// Policy Engine verifies → Secure Proxy executes
const result = await shell.execute(intent);

Prerequisites

  • Node.js 20+
  • Zero external dependencies—uses only Node.js built-in modules

Key Features

Process Isolation

LLM runs in a network-isolated container with zero access to credentials.

Structured Intents

LLM output is constrained to typed, signed Intent structures.

4-Tier Policy Engine

From auto-approved reads to human-approval-required fund transfers.

Credential Vault

AES-256-GCM encrypted storage. Supports TEE-backed sealing.

Output Sanitization

Auto-detects and masks API keys, JWTs, PII in proxy responses.

On-Chain Policies

Immutable policy enforcement via Solidity contracts with multisig governance.

Audit Logging

Every action logged. Optionally anchored on-chain via Merkle trees.

Framework Agnostic

Works with LangChain, MCP, CrewAI, or any custom agent setup.

Packages

@chitin-id/shell-core561 tests

Core SDK — Intent, Policy, Proxy, Audit, ZKP, Trust, A2A, TEE

@chitin-id/shell-langchainadapter

LangChain callback handler & tool wrapper

@chitin-id/shell-mcpadapter

MCP security gateway

@chitin-id/shell-cliCLI

CLI for policy management & diagnostics

Smart Contracts

Optional on-chain modules for immutable policy enforcement and audit logging. Deploy them yourself with Foundry.

AgentPolicy.sol

UUPS proxy — 4-tier policy, action mapping, whitelist/blacklist, rate limits

PolicyGovernor.sol

Multisig + 24h timelock governance for policy changes

AuditLog.sol

Merkle root on-chain anchoring for tamper-proof audit trails

ProofVerifier.sol

SHA-256 commitment & provenance verification

APACHE-2.0 LICENSE

Open Source. Free Forever.

Chitin Shell is open-source and free to use. Contributions, red team testing, and security audits are welcome.

GitHubDocumentation