Civic Technologies

If you run Node.js projects with axios as a dependency, check your versions right now. axios versions 1.14.1 and 0.30.4 were compromised in a supply chain attack. An attacker hijacked an npm maintainer account and injected a malicious dependency called plain-crypto-js. That dependency runs a postinstall script that drops a remote access trojan on your machine. macOS, Linux, and Windows are all affected. The attack is particularly nasty because no code change is needed on your end. Just running pnpm install or npm install with a lockfile pointing to those versions is enough. The dropper contacts a command-and-control server, deploys the RAT, then deletes itself and replaces the evidence with a clean package stub. Designed to leave no trace. This isn't an axios problem. It's a supply chain problem. It can happen to any package with a compromised maintainer account. The npm ecosystem's trust model puts a lot of weight on individual account security, and when that fails, the blast radius is wide. To check if you're affected, look for these artifacts on your machine. # macOS ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "COMPROMISED" # Linux ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED" # Windows (cmd.exe) dir "%PROGRAMDATA%\wt.exe" 2>nul && echo COMPROMISED If you find them, consider that machine compromised. Rotate all credentials that were accessible from it. Civic-hosted systems, including our MCP servers, were not affected by this attack. This is exactly the kind of risk that makes dependency management in agent workflows worth taking seriously. When your agent calls tools through a supply chain you don't fully control, visibility and the ability to stop things fast aren't optional. More details from StepSecurity: https://lnkd.in/d5Gwy9Fu Help fellow axios users by sharing this post. Follow us for more builder content → Civic Technologies

Every agent you build has a moment where it tries something you didn't expect. Maybe it attempts to send an email you didn't authorize. Maybe it tries to write to a database it should only read. The moment it happens, you need to know about it. And you need to be able to stop it. That's what we built Civic to do. Your agent doesn't call tools directly. It calls Civic first. We sit between your agent and 85 MCP servers, including Google Workspace, Slack, GitHub, databases, and CRMs. Every tool call gets logged. 14 out-of-the-box guardrails control what your agent can and can't do. Read everything. Touch nothing. Unless you say so. And if something goes wrong, you stop it in one move. Revocation is architecturally separated from the agent API, so a compromised agent can't undo its own constraints. The human stays in the loop for access decisions. Always. We built this because we needed it ourselves. Now it's yours. Try it free at civic.com

Your Python agent can now connect to 85 MCP servers through Civic. One pip install. We built civic-mcp-client because most agent frameworks make you choose between capability and control. You can wire your agent up to Gmail, Slack, GitHub, and dozens of other tools. But the moment it has that access, you need guardrails, audit logs, and a way to stop it if things go sideways. That's what this library handles. pip install civic-mcp-client It works with LangChain, Pydantic AI, and FastMCP out of the box. Three lines of code to initialize the client, discover available tools, and start making guarded calls. Every tool call runs through Civic's guardrails. Every action gets logged. The setup takes four steps. 1. Install the package 2. Generate a token at app.civic.com 3. Initialize the client 4. Your agent discovers and calls tools through Civic You get 85 MCP servers, guardrails on every call, a full activity log, and revocation when you need it. We wrote this recipe so you can go from zero to a working Python agent with real tool access and real controls in about ten minutes. Read the full recipe and try it yourself. https://lnkd.in/guNgfcQ9

$300 billion wiped from SaaS stocks in February. It would be easy to run with a hot take that AI is killing SaaS. But, the reality is more interesting. CIO Online dug into what's actually happening, and our VP Titus Capilnean weighed in. His perspective: employees are already using agents to access SaaS tools. That shift isn't coming. It's here. And it changes the buying criteria completely. When a human uses your CRM, you manage their permissions through an admin panel. When an agent uses your CRM, you need to know exactly what it touched, set boundaries on what it can do, and have a way to stop it instantly if something goes wrong. That's auditability, access governance, and revocation. Three things most SaaS evaluations never asked about until now. SaaS isn't dying. But the checklist for choosing it just got longer. If your vendor can't explain how agents interact with their product, and how you maintain control when they do, that's worth asking about in your next renewal conversation. https://lnkd.in/gvzWFxCV

Our CTO, Daniel Kelleher, gave his agent a simple job. Once an hour, read his emails, send him a Slack digest via dm. Next thing he knew, it posted his report to the company's general channel. The agent was prompted to DM him. It had access to Slack's generic send_message tool. It reasoned about which channel to use. It reasoned wrong. Daniel had a choice. Stronger prompt instructions ("be extremely careful, only send to this channel ID") or move the constraint into code. Instead, he built a tool called send_dm_to_dan. The channel ID is pre-bound at the gateway. The agent sees one tool, one action, zero choices. It doesn't know it's a wrapper. That pattern turned out to solve more than security. He applied the same approach to database access. Instead of exposing execute_sql(query), he exposed generate_weekly_report(week_start_date). The SQL is pre-encoded. Only the time window is adjustable. Grafana exposes around 30 tools through its MCP server. When his agent reads logs, it needs one. So he filters at the gateway. Only the log query tool is visible. Post-processing tool responses the same way led to 80% token savings. The agent reasons better with less information, not more. That's the counterintuitive finding he writes about. Security and efficiency have the same root cause. Excess capability and excess information both degrade reliability. The fix is the same for both. Shape the capability surface before it reaches the model. You can learn more about this subject and others in a recent article he wrote. It covers OAuth limitations, deterministic guardrails, progressive disclosure, and why MCP and CLI are plumbing, not competing architectures. https://lnkd.in/gtAEygqQ

We just endorsed .agent. It's an open top-level domain for the agent ecosystem. Not owned by any single company. Not controlled by any single vendor. That matters. The agent ecosystem is growing fast. The infrastructure it runs on should be open, not locked to whoever got there first. Open standards let builders pick their own tools, switch when something better comes along, and build without worrying that the ground underneath them belongs to someone else. We support it because open infrastructure makes that job easier for everyone. If you're building with AI agents, the Agent Community is worth joining. https://agentcommunity.org

Build a Dify agent in an afternoon. That part's easy. Here's the system I use to make sure it doesn't touch anything it shouldn't: Step 1: Connect through Civic, not directly to tools. Your agent calls Civic Hub. Civic Hub calls Gmail, Slack, GitHub. Nothing goes direct. Step 2: Set guardrails before the first run. Read-only on email. No delete on files. 1,000 rules to choose from. Pick what matches what your agent actually needs. Step 3: Check the activity log after every run. Not because something went wrong. Because you need to know what it did before you trust it to run again unsupervised. Step 4: Start with one tool connection. Add more as you confirm the guardrails are holding. Dify makes it fast to connect. Civic makes sure each connection has the right boundaries. Step 5: Set revocation up before you need it. If your agent does something unexpected, you stop it in one move. The kill switch is the feature. https://lnkd.in/gmqSuQTk

We sponsored a Civic prize track at the AI London Hackathon & Conference with Encode Club. Four teams stood out for how they integrated Civic into real, working projects. 1st Prize: FixFlow Built by Kenneth Hagin, Sachit R, and Abel Chernet. An autonomous AI quoting agent for emergency plumbing and boiler services. It handles symptom diagnosis, job classification, live availability, dynamic pricing, negotiation, and authority enforcement without human involvement. It uses Civic Bodyguard as its primary injection defense and routes scheduling through Civic's MCP hub. 2nd Prize: PhotoPal Built by Henry Beedham and Arad Soutehkeshan. An agentic AI platform that helps photographers analyse their portfolio, discover qualified leads, match opportunities to their style, and generate tailored outreach. Every agent in the system uses Civic MCP. The token exchange engineering alone, direct JWT detection with RFC 8693 fallback, was impressive. 3rd Prize: RangerAI Built by Hayden Bradley and Pralisha Shrestha. An autonomous multi-agent system for wildlife conservation monitoring. It ingests camera trap imagery and citizen science data, classifies species, scores threats against IUCN Red List data, and delivers real-time alerts to rangers. All agent outputs pass through Civic guardrails via MCP. Honourable Mention: Mirai Flashcards Built by Nirvaan. A clean Civic Auth integration on both frontend and backend, with Civic as the sole auth mechanism. A focused example of what a Civic Auth drop-in looks like. What stood out across all four teams: they didn't just connect to Civic. They made it load-bearing. Bodyguard as a primary defense layer. MCP as the backbone for agent tool access. Auth integrated as the sole identity provider. Congrats to all the builders, and thanks to our fellow sponsors Base, Luffa AI, OpenAI, Vercel, Architect, ElevenLabs, and Canva, and to Encode Club for putting it together.

The gap between "using AI tools" and "building AI tools" is about 20 lines of code. April 2 we're building OpenClaw agents from scratch with self-improving agent from scratch with tool use, memory, and a self-upgrade loop. Will, Founder of Codesmith and South Park Commons Fellow, is leading this build. Titus and Nancy are supporting from Civic Technologies to show how to use guardrails, audit trails, and access revocation to make agents secure from the first session. Part of our SF workshops at Worldwide Studios Studio 45 · SF · 6:30pm · Link below