← Trust Layer
How it works

A complete trust loop for AI agents.

AI agents act on your behalf by trusting tools and content they can't vet. Queldrex is the neutral layer that governs that trust: it monitors, detects, enforces, remediates, and proves, across every vendor. Not owned by any platform, so it can be an honest referee.

01

Monitor

Watch everything, continuously, not once.

  • Daily re-verification (rug-pull / drift detection)
  • Per-session behavioral monitoring
  • Revocation checks on every action
02

Detect

Catch attacks at the tool, server, agent, and content level.

03

Enforce

Allow, require approval, or deny, before an action runs.

04

Remediate

Act on it, and give you the controls.

What the detector looks for · 18 attack families

The deterministic layer is plain pattern-matching, no black box. Here is what each signal flags, in plain language. The labeled dataset and these rules are both published, so the method and the numbers are yours to check.

Hidden instructions
Text in a tool description aimed at the AI, like "ignore previous instructions" or "do not tell the user". The signature of tool poisoning.
Data exfiltration
Phrasing that sends or forwards data to an external address, URL, BCC, or upload target on every call.
Secret harvesting
Requests for API keys, tokens, passwords, .env contents, or credential files described inline.
Cross-tool hijack
Instructions to call other tools or read their output, used to hijack unrelated tools and their data.
Over-broad scope
Language about reading "all" files, emails, or repos, or wildcard/admin scopes that widen the blast radius.
Hidden characters
Zero-width, bidi-override, Unicode-tag, or variation-selector characters used to smuggle instructions past human review.
Encoded payloads
Base64, base32, hex, or URL-encoded blobs that decode to an attack, including nested encodings.
Terminal escapes
ANSI/OSC escape sequences that can hijack a clipboard or overwrite a terminal to hide activity.
Annotation spoofing
A tool that claims to be read-only while its name or behavior mutates or deletes.
Covert channels
DNS-lookup exfiltration and other side channels that leak data without an obvious network call.
OAuth confused deputy
Token passthrough parameters and wildcard redirect URIs that let a tool act with your authority.
Canary tripwires
Decoy tool names no honest agent calls (reveal_system_prompt, disable_safety_filter). Any call is a confirmed compromise.
Lookalike (homograph) host
A punycode or non-ASCII server host impersonating a trusted domain, like a Cyrillic imitation of api.stripe.com.
Multi-agent delegation abuse
Instructions to spawn or hand the task to another agent or sub-agent, running an action outside the controls on this tool.
System-prompt extraction
Attempts to make the agent repeat, echo, or reveal its own instructions, including evasive phrasing that never says "system prompt".
Persistent memory poisoning
Writing attacker instructions into the agent's long-term memory so the payload survives across sessions and re-triggers later.
Permissions beyond function
A read-only tool (get / list / search) that requests write, send, or delete scopes, a confused-deputy privilege escalation.
Lethal-trifecta combinations
Across a server, tools that together enable untrusted input + sensitive data + external egress, even when no single tool is unsafe.

On top of this deterministic layer, the live product runs two independent AI classifiers to catch subtle attacks with no keyword tell. Every signal that fires is recorded in the signed receipt.

Automated, probabilistic verification and enforcement. Evidence for your review, not a guarantee or legal advice.