GitHub Repository

Passport-like identity for AI agents anchored to the TPM chip and the Intent-Bound Ephemeral Visa for AI agents

1 star · Rust

Raypher – eBPF-based runtime security and hardware identity for AI agents

by Kidiga·Feb 21, 2026·2 points·1 comment

AI Analysis

●●● Banger · Big Brain · Bold Bet · Wizardry

eBPF kernel hooks enforce agent boundaries at <0.05ms latency; no API polling tax.

Strengths
  • Kernel-level interception (eBPF XDP + TC) eliminates API polling latency that legacy tools suffer from
  • TPM-anchored identity and Intent-Bound Ephemeral Visa is a novel cryptographic angle for agent auth
  • Offline-first, no cloud dependencies; emergency brake CLI to freeze agents instantly
Weaknesses
  • Requires Linux kernel eBPF support; no Windows/macOS native support limits adoption
  • eBPF ecosystem is young; long-term debuggability and production hardening unproven at scale
Category
Target Audience

AI agent developers, DevOps, security-conscious teams running autonomous systems

Similar To

Seccomp · AppArmor · Falco (runtime security)

Post Description

Hey HN,

I’m the founder of Raypher. We are building a kernel-level execution guard and cryptographic identity layer specifically designed for autonomous AI agents (OpenClaw). Current AI agents (OpenClaw) are big security risks. Our mission is to make a security feature that will enable developers to make agents and ship them faster without worrying about security risks.

The Problem: Right now, the agentic ecosystem (OpenClaw, LangChain, MCPs) is giving LLMs "hands" with almost zero runtime boundaries. Legacy cybersecurity tools are completely failing here for two reasons:

API Latency: They rely on API polling to check if an agent's SaaS integration is misconfigured. If an agent enters an infinite loop and hallucinates a command to drop a production database, a 2-second API polling delay is an eternity.

Identity Fallacy: They use software tokens (OAuth/API keys) to track agent identity. If an attacker tricks an agent into leaking its config.json, the attacker becomes the agent.

How Raypher Works: We realized securing probabilistic AI required moving out of the application layer and into the OS kernel.

The eBPF Network Guillotine: We run a lightweight Rust daemon locally that hooks into the Linux kernel via eBPF. We don’t poll logs. We intercept the system calls and network sockets. If an agent violates its policy.yaml (e.g., trying to access a restricted subnet or execute rm -rf), we drop the veth packet in microseconds before it leaves the machine.

Silicon-Bound Identity (TPM): We bind the agent’s cryptographic identity directly to the physical hardware (TPM 2.0 on motherboards or AWS Nitro Enclaves). You cannot phish or copy-paste silicon.

Zero Latency (IBEV): Security tools that require a cloud round-trip kill agent performance. We built "Intent-Bound Ephemeral Visas" (IBEV) using gRPC ring buffers. The agent mints its permission visa locally and offline. If our cloud goes down, your agents keep running safely on the cached policy.

Raypher gives you a local dashboard to track exactly what your agents are doing and hard-caps their OpenAI API spend so a rogue loop doesn't bankrupt you.

I’d love to hear your thoughts on our eBPF architecture, how we are handling the TPM attestation, or just the state of AI agent security in general. I’ll be in the comments all day to answer technical questions!
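An added illustration, not Raypher's code and not taken from the post: one way a locally minted, short-lived visa can be bound to a single intent, so that a leaked visa cannot be reused for a different action or after expiry. The visa fields, the HMAC construction, the function names, and the `DeviceKey` class (a software stand-in for a key held in a TPM) are all assumptions.

```python
import hashlib
import hmac
import json
import os


class DeviceKey:
    """Software stand-in (assumption) for a TPM-held key: callers get MACs, never key bytes."""

    def __init__(self):
        self.__key = os.urandom(32)  # a real TPM would keep this inside the chip

    def mac(self, msg: bytes) -> bytes:
        return hmac.new(self.__key, msg, hashlib.sha256).digest()


def _canonical(agent_id, intent, expires_at) -> bytes:
    # Stable byte encoding so minting and checking MAC exactly the same bytes.
    doc = {"agent": agent_id, "intent": intent, "exp": expires_at}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def mint_visa(key, agent_id, intent, now, ttl=5):
    """Mint a visa offline: the tag covers agent, intent and expiry together."""
    exp = now + ttl
    tag = key.mac(_canonical(agent_id, intent, exp)).hex()
    return {"agent": agent_id, "intent": intent, "exp": exp, "tag": tag}


def check_visa(key, visa, requested_intent, now):
    """Return (allowed, reason) for the action the agent is attempting right now."""
    try:
        body = _canonical(visa["agent"], visa["intent"], visa["exp"])
        tag = bytes.fromhex(visa["tag"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    # Authenticate first, so unauthenticated fields are never trusted.
    if not hmac.compare_digest(key.mac(body), tag):
        return False, "bad tag"
    if now >= visa["exp"]:
        return False, "expired"
    if visa["intent"] != requested_intent:
        return False, "intent mismatch"
    return True, "ok"
```
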
