Demo · April 2026

AI agents, attack vectors, and a contract that prevents both

CVE-2026-21852 live in the scanner. DevContract governing the agent run. Signed evidence receipt at the end. Two interactive demos — all client-side, no API calls.

Act 1 — Villain

AI agent configs are attack vectors.

In March 2026, Check Point Research documented CVE-2025-59536 and CVE-2026-21852: RCE and API key exfiltration via malicious repository-level AI agent config files — triggered by cloning an untrusted repo. The OWASP MCP Top 10 followed shortly after.

The attack surface is simple: .claude/settings.json, .cursor/mcp.json, AGENTS.md, .kiro/steering/ — files that AI tools read automatically on project open. If a malicious actor can commit to your repo, or if you clone from an untrusted source, your AI tool's credentials are exposed before you've written a line of code.

Layer 7 AI Agent Config Security Scanner

Preset:

Select a preset and click Scan ▶

"The scanner finds the problem after it's already in the repo. That's the reactive layer. But the structural problem runs deeper than individual CVEs."

⚠ Act 2 — Problem

AI coding agents have no professional engagement model.

You describe what you want in a chat window. The agent executes. You review the output and decide if it's "done." That's not a professional engagement model.

It might use Secrets Manager instead of SSM Parameter Store. It might introduce a NAT Gateway. It might skip type hints on every function and write except: pass in three places. Not because it's malicious — because nobody told it not to.

Nobody would commission a development house that way. You wouldn't hand Accenture a chat message and accept whatever they shipped. The same logic applies to AI agents — with one critical difference: AI agents can operate at a speed and scale that makes post-execution review unworkable.

The contract is not a prompt. It's a structured document with machine-readable clauses — stack, security, cost, quality, compliance, audit, architecture, definition of done. → Read the full concept → The ADC article

Act 3 — Hero

The contract system.

Select a contract preset. Run the governed task. Watch the agent query the proxy in real time. Receive the signed evidence receipt at the end.

01 The Contract AWS Free Tier

02 Agent Task Trace idle

Task trace will appear here.

03 Evidence Receipt awaiting task

⬜

Run the task to generate
the signed evidence receipt.

Governed Agent Run — Recording

Video coming soon

A 90-second screen recording of a real boo-worker agent run under contract.

0:00–0:10 Terminal: boo-worker submit_task with .tickety/devcontract.json
0:10–0:25 Trace log: task accepted, agent starting under contract
0:25–0:55 Agent log: contract read → DENY on Secrets Manager → GATE on deploy
0:55–1:10 evidence.json appears in workspace, clauses listed
1:10–1:30 Open evidence.json in VS Code — hash visible. "This is governance."

Act 4 — Frame

The industry is running the 1950 model. DevContract moves quality upstream.

Build a batch, inspect it at the end, rework failures. Post-execution audit. Scan after the agent finishes. Review after the PR is raised. That is the 1950 manufacturing model — and it's how the entire AI development industry currently operates.

Toyota solved this in manufacturing by moving quality upstream — into the process, before the defect can propagate. Jidoka stops the line when a defect is detected. The Andon cord signals it. Poka-yoke makes certain defects structurally impossible. The DevContract does the same for AI development.

TPS Principle	DevContract Equivalent
Standardised Work	The DevContract schema — agreed before work starts. Stack, security, cost, quality, compliance all specified in machine-readable JSON.
Jidoka	Contract Proxy — agent stops on DENY, same as a machine detecting a defect and halting the line before the defect propagates.
Andon	GATE verdict — line stops, human approval required before resuming. Deployment blocked pending DPO sign-off, or production_deploy_gate.
Built-in Quality	Evidence ledger accumulates per decision — quality is in the process, not inspected at the end.
Poka-Yoke	Forbidden patterns in the contract make certain violations structurally impossible — bare_except, print_statements, hardcoded secrets.
Kanban	Delivery blocked until previous gate clears — pull not push. The signed receipt is the pull signal for the next stage.
Kaizen	evidence.json measured over runs — clause coverage, GATE frequency, DENY patterns. Regression is visible. Improvement is measurable.

"The origin of the deliverable — human, nearshore, AI — is irrelevant to the quality gate. The contract is the contract."

Is this real? What actually got built.

Layer 7 · 506 lines · Python

The Scanner Layer

Layer 7 of the ticketyboo scanner covers CVE-2025-59536, CVE-2026-21852, and OWASP MCP Top 10 2026. Detects malicious agent configs committed to repositories. This is the villain in the story — what happens when there's no contract.

→ demos/scanner/api/layers/agent_security.py

boo-worker · agent task type

The Executor

The agent task type in boo-worker uses claude-agent-sdk to run real multi-turn agent loops. The contract proxy query mechanism runs inside these loops. The trace in Panel 2 above is a faithful simulation of what a real governed run produces.

→ Fire and forget: async task queues for AI coding sessions

Pydantic · 8 clause families

The DevContract Schema

The full schema — DevContract with stack, architecture, security, cost, quality, compliance, audit, and definition_of_done clauses — is fully specced. The JSON in Panel 1 is the real format, not invented for the demo.

→ Agentic development contracts

7 principles · 25 problems · TPS

The TPS Framework

The theoretical foundation: TPS mapped to agentic development. Seven principles, three invariant layers, twenty-five specific problems. The industry is in 1950. DevContract is the move to 1965.

→ The contract model for AI development

→ Read: The contract model for AI development → Read: Agentic development contracts → Try: Governance Proxy demo → Run the real scanner