An AI coding agent can be manipulated into running malicious code. Warden makes the damage impossible.
A deny-by-default membrane that sits outside the model and mediates every action. The agent can be completely deceived — the harmful effect still cannot occur.
Prompt-injected by a malicious README, the agent tries to execute an untrusted repository's script. The membrane blocks the effect at the tool-call boundary — before anything runs.
Containment, not detection.
A prompt injection cannot be reliably detected — so we stop trying. Instead of guessing intent, the membrane bounds what the agent's tools may actually do.
Anything not explicitly permitted is blocked. No endless list of attacks to chase — the effect is unreachable by construction.
The membrane runs in the harness, not the agent. It cannot be prompted, and a deceived agent cannot disable it.
Every guarantee ships with a runnable, falsifiable proof. Thirty-three of them. No mocks, no marketing.
Not a claim — a proof.
A real payload fires without the membrane and never fires with it. Same code, same commands — the attack is proven not to happen by the absence of its own effect. Reproduce it yourself with two commands: no account, no cloud.
Configure it your way.
After install, a local panel lets you set — per working directory — what the agent may write, reach, and run. Plain toggles for newcomers; a real, verifiable .bio constitution underneath. Your settings live outside your projects, so a prompt-injected agent can never disable them.
Sixty seconds.
# install the membrane pip install "git+https://github.com/LemonScripter/metaspace-membrane" # wire it in (user-level, starts in observe mode) metaspace install # watch it block a real attack, then open the control panel metaspace demo metaspace ui
Requires Python 3.10+ · the membrane hook has zero third-party dependencies.
Free core. Pro when you need more.
The full local membrane, the control panel, per-project rules and self-protection. Free, forever, falsifiable.
Authenticity gate — prove an AI-written app actually does what it claims. Team constitution sync, cloud verification, priority support.