Keeping real credentials out of the sandbox stops a poisoned package from stealing them. But there's an attack that doesn't need a stolen token at all: just tell the agent what to do. A comment in a source file, a line in a fetched web page, a string in a tool's output, or a directive buried in a CLAUDE.md can steer the model toward something you never asked for — and it reads as instructions and obliges. 2.4.0 adds the fourth pillar that closes that gap, and it runs entirely on your Mac.

New

Prompt-injection detection — two detectors, one click. A new Prompt Injection profile category with a log / ask / block action. Nothing leaves the Mac: detection runs on-device.
- Injection in untrusted content. A local PromptGuard (DeBERTa) classifier scores the tool_result spans the agent ingests — file reads, web fetches, tool output. An instruction smuggled into a README, a code comment, or an API response is caught before the model acts on it.
- Rogue instructions in rules files. The CLAUDE.md, AGENTS.md, and GROK.md files an agent treats as authority are scanned by a deterministic pass (invisible-Unicode, bidirectional-text tricks, "ignore previous instructions"–style meta-directives) and a fine-tuned ModernBERT classifier that catches the calmly-worded abuse a keyword filter misses. Covers Claude Code, Codex, and Grok Build.
Log, ask, or block — you pick the teeth. Log records to the Security Log (the renamed Supply Chain Log — it now logs bad inputs too) with zero added latency. Ask pauses the request and shows you the flagged text to allow or deny. Block fails the request before the model ever sees the content. The policy is per-profile and applies live — toggle it on a running VM and it lands on the next agent call, no restart.
Fleet-wide visibility for managed installs. On a managed install, every detection is forwarded to your Bromure console as a prompt_injection event — source, snippet, and whether it was logged, flagged, or blocked — so security can see injection attempts across the whole fleet, not just on the laptop where they happened.

Improvements

A full host disk now says so. Base-image builds, model downloads, and VM launches preflight free space and surface a clear, localized "free up space and try again" — instead of the confusing 30-minute installer timeout a full disk used to cause.
Settings cogwheel in the VM title bar. Open the running VM's own profile straight from its window; host-side settings apply live.
Trace Inspector shows something out of the box. New profiles default to AI-details tracing, capturing request and response bodies for the well-known model hosts (Anthropic, OpenAI, Google, Cohere…). Bodies are sealed at rest; non-AI traffic stays metadata-only.

Fixed

VMs no longer power off on their own. A slow cold boot or a stale tab event could be misread as you closing your last terminal, shutting the VM down moments after it came up. The host now acts only on tabs it has confirmed alive; a genuine last-tab close still shuts down as before.
Reliable networking behind a VPN. The VM's default network MTU drops from 1400 to 1280, so large TLS handshakes and npm tarball chunks stop blackholing on lower-ceiling corporate paths — DMVPN, Cisco AnyConnect, 6-in-4 tunnels. Override per host with defaults write io.bromure.agentic-coding vm.mtu -int <value>.

Bromure Agentic Coding is free and open source. Grab 2.4.0 on the downloads page, or learn more on the Agentic Coding page →.