Heimdall is a runtime governance layer for AI agent delegation chains — the air-traffic-control gap that opened up when agent stacks started ending with one agent calling another to finish a task.

The architecture is two layers, deliberately separate. Layer 1 is cryptographic capability attenuation: a child credential's scope must be a subset of its parent's, enforced by the JWT signing function itself. A compromised agent cannot forge a permission it was never granted — the credential simply does not exist. There is no rule to bypass. Layer 2 is a YAML policy engine with six primitives: chain_pattern, chain_depth, value_threshold, agent_state, intent_mismatch, and behavioral_drift. Hot-reloadable, mappable to HIPAA / SOC 2 / EU AI Act sections via the shipped compliance packs.

The integration surface is one HTTP call before every agent-to-agent hop: POST /api/v1/delegate. The SDK is five methods (pip install heimdall-sdk or npm i @heimdall/sdk). Self-host via docker compose up.

Built on Veea Lobster Trap — Lobster Trap inspects what an agent says to its model; Heimdall inspects what agents say to each other. Two boundaries, no overlap. The Step Finance class of attack (Jan 2026, 261K SOL moved by compromised AI trading agents) crosses both.

Ships with three verticals: DeFi (end-to-end, real Sepolia wallet), Healthcare (HIPAA pack, mock EHR), and Customer Service (SOC 2 pack, policy-only). Use Gemini to generate instant incident reports too. MIT licensed. One builder, seven days.
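The Layer 1 idea described above, scope attenuation enforced inside the signing step, can be sketched as follows. This is an added example, not Heimdall's code or SDK: the function names, the HS256 shared key, the claim layout and the scope strings are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for a managed signing key

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict) -> str:
    """Serialize claims as a compact HS256 JWT."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(mac)}"

def verify(token: str) -> dict:
    """Return the claims only if the signature matches; otherwise refuse."""
    try:
        header, body, sig = token.split(".")
        given = b64d(sig)
    except ValueError:
        raise PermissionError("malformed token") from None
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    return json.loads(b64d(body))

def mint_root(agent: str, scope: set) -> str:
    """Issue the top-of-chain credential (hypothetical helper)."""
    return sign({"sub": agent, "scope": sorted(scope), "depth": 0})

def delegate(parent_token: str, child: str, scope: set) -> str:
    """Sign a child credential only when its scope is a subset of the parent's."""
    parent = verify(parent_token)  # an unverifiable parent can delegate nothing
    extra = set(scope) - set(parent["scope"])
    if extra:
        # Refusal happens before signing, so the wider credential never exists.
        raise PermissionError(f"scope not held by parent: {sorted(extra)}")
    claims = {"sub": child, "scope": sorted(scope),
              "parent": parent["sub"], "depth": parent["depth"] + 1}
    return sign(claims)
```

Because the subset check sits in front of the only code path that produces a signature, widening a scope requires either the signing key or a token edit that fails verification.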