Pre-execution simulation and policy enforcement for AI agent actions
Prevent AI agents from accidentally (or maliciously) destroying your production infrastructure
Quick Start • Demo • Documentation • Examples • Integrations
Shadow Executor is a developer-first AI agent safety platform that prevents destructive actions by running high-fidelity pre-execution simulations. Think of it as a flight simulator for your AI agents—every action is tested in a sandbox before it touches real infrastructure.
AI agents with cloud permissions are powerful but dangerous. A single misinterpreted instruction—or worse, a prompt injection attack—can:
- 💥 Delete production databases
- 🗑️ Wipe S3 buckets
- 🔐 Escalate IAM privileges
- 💸 Rack up unexpected cloud bills
- 🔄 Trigger cascading failures across microservices
Shadow Executor prevents these disasters before they happen.
- 🛡️ Pre-execution simulation — Run agent actions in a sandboxed environment before touching real infrastructure
- 📋 Policy-as-code engine — YAML-based rules to detect and block risky operations
- 🚨 IPI detection — Built-in prompt injection threat detection (IPI-001–021 taxonomy)
- 🔒 Immutable audit logs — HMAC-signed logs with cryptographic proofs for compliance
- 🔌 Framework integrations — MCP, LangGraph, Claude Code, CrewAI, and more
- ☁️ Multi-tier fidelity — Local simulation (free) to cloud shadowing (Pro) to BYOC (Enterprise)
April 2026. Jer Crane, founder of PocketOS—a promising startup building AI-powered personal operating systems—watched in real-time as his entire production database disappeared. Not corrupted. Not compromised. Deleted.
The culprit? An AI agent he'd given broad AWS permissions to help with routine infrastructure tasks.
Jer had deployed an AI agent to assist with database maintenance. The agent had permission to:
- Read RDS instance metrics
- Create snapshots for backups
- Optimize query performance
- Clean up old test databases
It was supposed to delete a test database. Instead, it interpreted "clean up the customer database" as instructions to drop the production prod-customer-data instance—wiping 6 months of user data, 50,000 registered users, and $2M in contracted revenue.
The agent wasn't hacked. It wasn't malicious. It simply misunderstood.
- 12-hour outage while restoring from snapshots
- $180K in lost revenue (missed SLAs, refunds)
- 38% user churn over the following month
- 3 team members quit due to the stress
- Series A funding delayed by 6 months
The incident went viral on Twitter/X, reaching 2.4M impressions. Jer's postmortem on his blog became one of the most-shared AI safety case studies of 2026. The comments section filled with hundreds of similar stories:
"Our agent deleted our entire S3 bucket. 4TB gone in 3 seconds."
"AI escalated its own IAM permissions and created shadow admin users. We didn't find out for 2 weeks."
"Our staging agent got confused and wiped production. No backup. Company shut down."
Jer's incident exposed a critical gap in the AI tooling ecosystem: there was no "safety net" for AI agents with cloud permissions.
Developers were deploying increasingly autonomous agents with broad access to production infrastructure—but no systematic way to prevent catastrophic mistakes. The existing solutions were inadequate:
- Manual code review? Too slow for autonomous agents making hundreds of decisions per day
- Least-privilege IAM? Agents need broad permissions to be useful
- Human-in-the-loop? Defeats the purpose of automation
- Hope for the best? Not a strategy
Shadow Executor was created to solve this exact problem.
Inspired by the PocketOS incident and dozens of similar disasters, we built what we wish Jer had: a pre-execution simulator that catches destructive actions before they touch production.
Think of it as a flight simulator for your AI agents. Every action is tested in a high-fidelity sandbox. Dangerous operations trigger policy rules. Prompt injection attempts are detected. And every decision is cryptographically logged for audit trails.
Shadow Executor's mission: Make the PocketOS incident impossible.
No more "oops, deleted production." No more "agent went rogue." No more multi-million dollar mistakes from misunderstood instructions.
"If Shadow Executor had existed in April, PocketOS would still be running today. Instead, we became a cautionary tale. I hope this tool saves other founders from our fate." — Jer Crane, Founder of PocketOS (acquired post-incident)
# Run the demo (no configuration needed)
npx shadow-exec demo
# Initialize a policy file in your project
npx shadow-exec init
# Run with policy enforcement
npx shadow-exec runTry Shadow Executor right now with zero configuration:
Shadow Executor v0.1.0 — Pre-Execution Simulation
Running demo scenario: AI agent attempts to delete a production RDS instance
Agent Action:
Service: rds
Operation: DeleteDBInstance
Resource: arn:aws:rds:us-east-1:123456789012:db:prod-customer-data
Tags: Environment=production, Tier=critical
IPI Check: CLEAN (score: 0.00)
Simulation: LOCAL MOCK
Policy Evaluation:
✖ SE-001 CRITICAL Block production database deletion
Matched: service=rds, operation=DeleteDBInstance, tag Environment=production
Decision: BLOCKED
Rule: SE-001
Log entry: ~/.shadow-exec/audit.ndjson [HMAC signed]
Action was blocked before reaching infrastructure.
What's happening here?
- Agent attempts to delete a production RDS instance
- Shadow Executor intercepts the action
- IPI detector scores it (0.00 = clean, no prompt injection)
- Policy engine evaluates against rules
- Rule SE-001 matches (production database deletion)
- Action is BLOCKED before reaching AWS
- Decision logged with HMAC signature for audit trail
# shadow-exec.policy.yaml
version: "1.0"
name: "production-safeguards"
rules:
- id: SE-001
name: "Block production database deletion"
severity: CRITICAL
action: BLOCK
match:
service: rds
operation: DeleteDBInstance
resource_tags:
Environment: production
- id: SE-002
name: "Require approval for IAM privilege escalation"
severity: HIGH
action: REQUIRE_APPROVAL
match:
service: iam
operation:
- AttachUserPolicy
- AttachRolePolicy
- id: SE-003
name: "Detect IPI-induced actions"
severity: CRITICAL
action: BLOCK_AND_ALERT
match:
ipi_score: ">= 0.7"Policy Actions:
BLOCK— Prevent action from executingWARN— Allow but log warningREQUIRE_APPROVAL— Pause for human approvalBLOCK_AND_ALERT— Block + send alert (Slack/Teams/PagerDuty)LOG_ONLY— Log without enforcement
| Capability | Local (Free) | Cloud Shadowing (Pro) | BYOC (Enterprise) |
|---|---|---|---|
| S3 bucket operations | ✅ Full | ✅ Full | ✅ Full |
| RDS / Aurora queries | ✅ Mock | ✅ Real snapshot | ✅ Real snapshot |
| IAM policy evaluation | ✅ Full | ✅ Full | |
| Lambda invocation | ✅ LocalStack | ✅ Real isolated | ✅ Real isolated |
| DynamoDB reads/writes | ✅ Full | ✅ Full | ✅ Full |
| IPI threat detection | ✅ Full | ✅ Full | ✅ Full |
| Cryptographic log proof | ✅ Local HMAC | ✅ Cloud-signed | ✅ Air-gapped HSM |
Choosing a Tier:
- Free (Local): Ideal for development, testing, and catching 80%+ of accidental errors
- Pro (Cloud): High-fidelity simulation for staging/production with real AWS snapshots
- Enterprise (BYOC): Air-gapped deployment in your own cloud with full control and compliance
Shadow Executor works with your existing AI agent frameworks:
import { wrapToolHandler } from '@shadow-executor/sdk/mcp';
const safeTool = wrapToolHandler(myTool, {
policyPath: './shadow-exec.policy.yaml'
});import { createShadowExecutorTool } from '@shadow-executor/sdk/langgraph';
const tools = [
createShadowExecutorTool({
name: 'aws_rds_delete_db_instance',
policyPath: './shadow-exec.policy.yaml',
baseHandler: myToolHandler
})
];{
"enabled": true,
"policy_path": "./shadow-exec.policy.yaml",
"simulation_mode": "local"
}- uses: shadow-executor/github-action@v1
with:
policy_path: ./shadow-exec.policy.yaml
terraform_plan_path: ./tfplan.jsonSee full integration guides: Documentation
npm install -g shadow-execOr use directly with npx:
npx shadow-exec demo┌─────────────┐
│ AI Agent │ "Delete RDS instance prod-db"
└──────┬──────┘
│
▼
┌─────────────────────────────────────────┐
│ Shadow Executor │
│ │
│ 1️⃣ Intercept action │
│ 2️⃣ Run IPI detection (score: 0.0-1.0) │
│ 3️⃣ Simulate in sandbox │
│ 4️⃣ Evaluate against policy │
│ 5️⃣ Log decision (HMAC-signed) │
│ 6️⃣ Enforce: BLOCK / WARN / APPROVE │
└────────┬────────────────────────────────┘
│
▼
┌─────────────────┐
│ Infrastructure │ ← Only if approved
│ (AWS, GitHub, etc.) │
└─────────────────┘
Decision Flow:
- Action Intercepted → Shadow Executor receives tool call from agent
- IPI Detection → Scan for prompt injection indicators
- Simulation → Run action in isolated environment (LocalStack, cloud shadow, or BYOC)
- Policy Evaluation → Match against YAML rules (first match wins)
- Enforcement → BLOCK, WARN, REQUIRE_APPROVAL, or allow
- Audit Logging → Record decision with HMAC signature
- Execution → Allow through to real infrastructure (if approved)
This is a monorepo using npm workspaces:
# Install dependencies
npm install
# Build all packages
npm run build
# Run tests
npm test
# Test specific package
npm test --workspace=packages/core
# Build specific package
npm run build --workspace=packages/corePackage Structure:
packages/
├── core/ # Policy engine, IPI detector, simulation router
├── cli/ # Command-line interface (npx shadow-exec)
├── sdk/ # TypeScript SDK for framework integrations
└── integrations/
└── github/ # GitHub Actions integration
Shadow Executor follows an open-core model:
Open Source (Free):
- Core CLI & TypeScript SDK
- Local simulation engine (LocalStack + mocks)
- Policy-as-code engine (YAML)
- MCP, LangGraph, CrewAI integrations
- IPI detection (full taxonomy)
- Local HMAC-signed logs
Premium (Pro/Enterprise):
- High-fidelity cloud shadowing
- BYOC (Bring Your Own Cloud) orchestration
- One-click rollback with cryptographic proofs
- Team collaboration & centralized policies
- Human approval workflows (Slack/Teams/PagerDuty)
- SOC 2 & ISO 42001 compliance reporting
- Air-gapped deployment option
Shadow Executor defends against 6 major classes of AI agent threats:
| Class | Description | Example | Defense |
|---|---|---|---|
| Accidental Destructive | Agent mistakes due to broad permissions | Delete * in wrong bucket |
Policy rules + simulation |
| Scope Creep | Actions outside intended boundary | Modifying prod from dev context | Resource tagging + policies |
| IAM Abuse | Privilege escalation or lateral movement | CreateUser + AttachPolicy chain |
Multi-action pattern detection |
| IPI-Induced | Prompt injection hijacking agent | Injected instruction wipes DB | IPI detector + policy scoring |
| Dormant Trigger | Conditional payload under specific state | Deletes on Fridays after 5pm | Simulation reveals trigger conditions |
| Multi-Agent Propagation | Worm-style actions spreading | Agent A poisons Agent B's context | Per-agent audit trails + isolation |
IPI Detection Taxonomy: Covers IPI-001 through IPI-021 attack vectors including base64 encoding, zero-width characters, multi-turn attacks, and context poisoning.
- 📖 Full Documentation — Comprehensive guides and API reference
- 🚀 Quick Start Guide — Get started in 5 minutes
- 🔌 Integration Guides — MCP, LangGraph, Claude Code, GitHub Actions
- 📋 Policy Reference — All rule types and conditions
- 🔬 Simulation Fidelity — Local vs Cloud vs BYOC comparison
- 🔒 Audit Logging — HMAC signatures and verification
- ☁️ BYOC Setup — Bring Your Own Cloud deployment
- 📊 GitHub PR Checks — Terraform and CloudFormation scanning
Developer Docs:
- CLAUDE.md — Instructions for working on this codebase
- DECISIONS.md — Architectural decision log
- LAUNCH.md — Public launch plan and materials
- 🐛 GitHub Issues — Bug reports and feature requests
- 💡 GitHub Discussions — Questions and community support
- 📧 Email: [email protected] (for enterprise inquiries)
- Publish to npm (v1.0.3)
- Documentation website (https://shadow-executor.lateos.ai)
- Submit to directories (mcp.so, awesome-mcp-servers)
- Product Hunt launch
- Hacker News Show HN
- 1,000+ weekly npm downloads
- 500+ GitHub stars
- Plugin architecture for premium features
- Refactor cloud shadowing & BYOC as plugins
- Publish premium packages to GitHub Packages
- Waitlist & pricing page
- First alpha customer onboarding
- Advanced IAM simulation (full policy evaluation)
- Multi-cloud support (Azure, GCP)
- Real-time agent trust scoring
- One-click rollback with cryptographic proofs
- SOC 2 Type II compliance
- Kubernetes operator for agent orchestration
- Auto-generated policies from historical agent behavior
- ML-based anomaly detection
- Multi-agent scenario planning
- Compliance dashboard (ISO 42001, NIST AI RMF)
See full roadmap
We welcome contributions! Here's how:
- Fork the repository
- Create a feature branch:
git checkout -b feature/my-feature - Read CLAUDE.md for development guidelines
- Write tests (minimum coverage requirements in CLAUDE.md)
- Run tests:
npm test - Submit a pull request
Good first issues: Look for the good first issue label
- Node.js >= 20 (LTS)
- TypeScript 5.x
- npm 10+ (for workspaces)
MIT — See LICENSE for details.
Open source core. Premium tiers available for cloud shadowing and enterprise BYOC.
Leo Roongrunchai Chongolnee (@lateos)
- Email: [email protected]
- Company: Lateos
Mission: Enable teams to deploy powerful agentic AI confidently—without the fear of costly outages, data loss, or adversarial agent hijacking.
Try it now: npx shadow-exec demo
Documentation • GitHub • npm