CerberusGuard: Three-Head Defense for AI Agents

Created by team Cerberus Guard on May 18, 2026
Agent Security & AI Governance - Veea

CerberusGuard is a defense-in-depth trust layer for production AI agents. It unifies three best-in-class open-source primitives into one deployable product with shared policy, shared audit, and cross-layer correlation, so security teams can sign off on agentic workloads the way they sign off on any other workload.

The product enforces three independent controls:

- Head 1, Veea's Lobster Trap, runs regex-based deep prompt inspection in front of the LLM across 21 metadata fields (intent, risk, PII, credentials, sensitive paths) in sub-millisecond time.
- Head 2, PennyPrompt, runs atomic pre-execution budget checks against a SQLite cost ledger and trips loop detection on similar consecutive prompts.
- Head 3, ClawCrate, wraps every shell command in a kernel-level sandbox (Landlock plus seccomp on Linux, Seatbelt on macOS) and scrubs credential-pattern environment variables before the child process starts.

What makes this a product rather than three tools in a folder is the integration layer. Every event serialises to one unified TrustEvent schema, correlated by agent_id and correlation_id, so a session reconstructs across all three heads from one audit log. The policy compiler turns one YAML into three native configs (Lobster Trap YAML, PennyPrompt TOML, ClawCrate YAML), so the security team holds one source of truth and the three engines never drift. A Next.js dashboard flashes red on DENY events and reconstructs cross-layer session timelines. A Python SDK propagates correlation IDs across LLM calls and shell execs in one line.

Everything is MIT-licensed end to end. The stack runs on a single Linux or macOS machine with no cloud dependency. Total added latency is p95 36.87 ms, well under our 50 ms ceiling. All three heads run out of process, so the agent cannot disable what it does not control. Audit export is structured NDJSON, ready for SOC2, ISO 27001 and EU AI Act mappings. Three heads, one guardian, zero trust between layers. Deployable today.
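The cross-layer session reconstruction described above, sketched as an added example that is not CerberusGuard's own code. Only `agent_id`, `correlation_id` and the DENY decision come from the page; the `ts`, `head` and `decision` field names, the head identifiers and the `ALLOW` value are assumptions, and the NDJSON sample is constructed.

```python
import json
from collections import defaultdict

# Constructed NDJSON export. Field names other than agent_id and correlation_id
# are assumed for illustration; the real TrustEvent schema may differ.
SAMPLE_NDJSON = "\n".join([
    '{"ts":"2026-05-18T10:00:00.120Z","agent_id":"agent-7","correlation_id":"c-001","head":"lobster_trap","decision":"ALLOW"}',
    '{"ts":"2026-05-18T10:00:00.950Z","agent_id":"agent-7","correlation_id":"c-001","head":"clawcrate","decision":"DENY"}',
    '{"ts":"2026-05-18T10:00:00.300Z","agent_id":"agent-7","correlation_id":"c-001","head":"pennyprompt","decision":"ALLOW"}',
    '{"ts":"2026-05-18T10:00:05.000Z","agent_id":"agent-9","correlation_id":"c-002","head":"lobster_trap","decision":"ALLOW"}',
    'not json at all',
    '{"ts":"2026-05-18T10:00:06.000Z","agent_id":"agent-9","head":"clawcrate","decision":"ALLOW"}',
])

def reconstruct_sessions(ndjson_text):
    """Group events by (agent_id, correlation_id); return (sessions, rejected)."""
    sessions = defaultdict(list)
    rejected = []  # line numbers that cannot be attributed to any session
    for lineno, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            key = (event["agent_id"], event["correlation_id"])
        except (json.JSONDecodeError, KeyError, TypeError):
            rejected.append(lineno)  # malformed line or missing correlation keys
            continue
        sessions[key].append(event)
    for events in sessions.values():
        # The heads run out of process, so arrival order is not event order.
        events.sort(key=lambda e: e.get("ts", ""))
    return dict(sessions), rejected

def summarize(sessions):
    """Per session: heads in time order and the heads that issued a DENY."""
    return {
        key: {
            "timeline": [e.get("head") for e in events],
            "denied_by": [e.get("head") for e in events if e.get("decision") == "DENY"],
        }
        for key, events in sessions.items()
    }

if __name__ == "__main__":
    sessions, rejected = reconstruct_sessions(SAMPLE_NDJSON)
    for key, info in summarize(sessions).items():
        print(key, info)
    print("unattributable lines:", rejected)
```

Events that arrive without a `correlation_id` are reported rather than dropped silently, since an uncorrelated shell-exec event is exactly the gap an auditor would want to chase.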
