v1.11.9 · LUCID Remote

The AI coding agent leadership can actually approve.

LUCID Agent IDE lets your teams code with AI while your source, prompts & CUI never leave the host. A prompt-injection gate on every tool call that cannot fail open, per-model cost showback, sovereignty-aware governance, and now Remote: drive your desktop agent from your phone. Bring any model.

5,775+ testsmetadata-only by constructionsovereignty-aware & air-gappableany model, no lock-in
0
Tests passing
0
Bytes of code that leave
0
Models in the picker
0
Ways to fail open
Raw models & clouds at the bottom, one neutral fail-closed gate in the middle, only metadata-only evidence rising to your BI at the top.

01 Start here · v1.11.9

Download. Install. Run. No GitHub required.

Built for managers and non-developers: one button per platform, plain-English steps, and zero prerequisites. Bun and the Unicode scanner are already inside the app - it even works air-gapped.

Windows 10 / 11

Windows

Recommended: the installer. Portable option if you can't install software.

Download for Windows
Simple install steps
  1. Click Download for Windows.
  2. Open the downloaded LucidAgent-Setup.exe.
  3. If Windows SmartScreen appears: More info → Run anyway.
  4. Finish the installer, then launch Lucid Agent from the Start menu.
  5. Pick a role and connect Claude, ChatGPT, Gemini, or an API key.
Portable version (no install)
Download LucidAgent-portable.exe, double-click, run. Nothing is written to Program Files.
macOS 12+

macOS

Apple Silicon (M1/M2/M3/M4) primary. Intel package one click away.

Download for Mac (Apple Silicon)
Simple install steps
  1. Click Download for Mac.
  2. Open the .pkg and click through Install → Applications.
  3. Open Lucid Agent from Applications (or Spotlight).
  4. If macOS blocks it (unsigned build): right-click the app → OpenOpen again, or System Settings → Privacy & Security → Open Anyway.
Intel Mac, zip, or Homebrew

Intel .pkg · zip bundles: arm64 / Intel (drag to Applications).

Homebrew (technical users):

brew tap mlcyclops/lucid https://github.com/mlcyclops/lucidagentide
brew trust --cask mlcyclops/lucid/lucidagentide
brew install --cask lucidagentide
Linux x86_64

Linux

Portable AppImage - no package manager required.

Download for Linux
Simple install steps
  1. Click Download for Linux.
  2. Make it executable: right-click → Properties → Allow executing file as program, or run chmod +x LucidAgent-x86_64.AppImage.
  3. Double-click the file to run. No install step.
.deb / .rpm packages
Also published on each release: .deb (amd64) and an .rpm for Fedora/RHEL-family distros.

Links always point at the latest successful release (currently v1.11.9). Direct file downloads - you never need a GitHub account.

02 See it in action

Trust what you can verify.

Short walk-throughs of the features that make LUCID the choice for regulated and secure environments.

Coming soon
LUCID · SECURITY

Fail-closed gate

Hidden Unicode blocked before a byte hits disk.

Coming soon
LUCID · REMOTE

LUCID Remote

Scan a QR, open your phone browser, drive the desktop agent.

Coming soon
LUCID · GOVERNANCE

Cost & Savings Ledger

Per-model spend and cache-savings showback in one pane.

Coming soon
LUCID · PROVENANCE

AI-authorship ledger

Which model wrote which lines - per repo and identity.

Coming soon
LUCID · MODELS

Model picker & Claude Fable 5

47 models, OAuth or API key, including Claude Fable 5.

Coming soon
LUCID · WORKSPACE

Preview tabs & device viewports

Yours / Agent tabs plus phone and tablet frames.

Coming soon
LUCID · KNOWLEDGE

KG Packs & RAG

Ground any model on your vault - scanned and local-first.

Coming soon
LUCID · ONBOARDING

Role onboarding

Developer, Security, Manager, Executive - tailored first run.

Short product walkthroughs are being filmed now - posters above mark the first eight cuts.

03 The business case

Your teams already want AI coding. This is how leadership says yes.

Adoption isn't the question, governance is. LUCID turns "we can't let AI touch that codebase" into a program you can fund, defend, and audit: nothing sensitive leaves, injection can't win, spend is visible, and the evidence belongs to you.

Data protection

Nothing sensitive ever leaves

Metadata-only by construction. Source code, prompts, and CUI never leave the host. The allow-list is an architectural guarantee, not a checkbox. A whole class of data-spill risk is designed out.

Threat defense

Injection can't trick your agent

A prompt-injection gate runs on every tool call and cannot fail open. With roughly half of AI-generated code carrying a vulnerability on first review, security is the default, not a toggle.

Cost governance

Govern and prove AI spend

Live per-model spend and cache-savings showback across every provider. When most enterprises overrun their AI budget, leadership gets one number instead of four consoles.

Compliance

Sovereign, air-gap, ATO-ready

CUI isolation, a foreign-origin warning wall, and the AskSage accredited gateway (FedRAMP High, IL5/IL6). Every run doubles as audit evidence suited to CMMC and continuous monitoring.

Portability

No model or cloud lock-in

Bring any model; publish evidence into your own BI. Every new tool your teams adopt increases LUCID's value instead of trapping your data in someone else's console.

Accountability

Know who wrote every line

A tamper-evident ledger attributes which model wrote which lines, per repo, per person, per session. AI spend and AI authorship, both auditable.

Budget isn't the blocker. Governance is.

LUCID is the neutral layer that lets leadership prove value, stay portable, and prove accountability across every AI tool, model, and cloud your organization runs. The alternative is four vendor consoles and no total.

Four consoles and no total → one pane, consolidated into your own BI.

Where the market is going

The AI-coding wave is here. The governance gap is the opening.

Nearly every developer now uses or plans to use AI coding tools, but spend is overrunning, trust in raw output is falling, and every provider wants your cost and audit data in their console. LUCID sits above the tool war: neutral across models and clouds, handing the evidence back to you.

$27B
AI coding-tools market by 2030 (~28% CAGR)
73%
of enterprises exceeded their AI budget
~48%
of AI-generated code has a vuln on first review
84%
of developers use or plan to use AI tools

Industry context (FinOps Foundation 2026; Precedence / Fortune BI; Stack Overflow / GitHub). Figures cited for landscape, not LUCID performance claims.

04 What makes it novel

Fourteen things you rarely find together.

Plain language below. The deeper “how” stays proprietary.

New in 1.11.9

LUCID Remote

See and drive your desktop agent from your phone via E2E encrypted QR pairing, behind four independent gates.

New in 1.11.9

Preview & Viewports

Yours and Agent tabs with live snapshots to test responsive layouts on device viewports.

A gate that cannot fail open

If the scanner dies or returns garbage, the gate blocks, never “safe.” A test kills it mid-run and the block still holds.

Runtime containment

Even after bash is approved, the process runs OS-isolated and its network is mediated, a package phoning home over DNS at import time is refused and audited.

Provenance-gated memory

Suspicious or quarantined content can never auto-save into memory. Trust comes from the source, not the caller's word.

Encrypted personalization graph

A private, AES-256-GCM “second brain” the agent learns from you and recalls across sessions, CUI-isolated, exportable to Obsidian.

AI-authorship attribution

A tamper-evident ledger of which model wrote which lines, per repo, per person, per session.

Sovereignty-aware governance

Gov-only lockdown, curated model lists, and a clear warning wall before any foreign-origin model is used.

A cache-stable prompt

Safety layers are byte-identical on every request. Untrusted text enters only delimited, only after the cache point, faster and safer.

An IDE where Save is scanned

Edit and save through the same gate. A hidden-Unicode payload is blocked before a byte lands on disk.

One-command migration

Bring your ChatGPT / Claude / Gemini history in, every message scanned, then distilled into your private graph.

Zero prerequisites

Bun and the Python Unicode scanner sidecar are bundled. Works air-gapped out of the box.

A gov-grade gateway, gated

The AskSage accredited gateway is wired in with a lockdown mode, scanned personas, and answers grounded on your own datasets.

Cost tracking & showback

Live per-model spend and cache savings, know exactly what every conversation costs.

05 Built on oh-my-pi

A thin, principled layer over a fast Rust engine.

LUCID rides omp's releases instead of forking it, everything is added through hooks, custom tools, and the SDK. These are the runtime capabilities it is built upon:

ARCHITECTURE · LUCID OVER OH-MY-PILUCID · security · provenance · memoryfail-closed gateprovenanceencrypted memoryAI-authorshipcost showbackomp runtime capabilitiessubagentsplan modeLSPDAPsessionssandboxingtool-callingmodel routingoh-my-pi (omp)NATIVE RUST ENGINEthin, principled layer · heavy lifting stays in omp's Rust engine · upgrades with omp, no fork
LUCID clamps onto omp through hooks, custom tools & the SDK. The heavy lifting stays in omp's Rust engine.
The architecture in one line: TypeScript on Bun, in-process with omp. The only Python is a pure-Unicode scanner sidecar behind a narrow NDJSON contract, so the fail-closed gate that consumes it can never fail open. Provenance & memory live in an append-only DuckDB store.

06 Security model

One lifecycle, enforced end to end.

Every tool call, every Save, every persona, every imported message walks the same path. Any failure at any stage means block or quarantine, never safe defaults.

01

Scan

Pure-Unicode sidecar finds zero-width, bidi, tag-block, homoglyph & PUA.

02

Decide

scanAndDecide: any scan failure ⇒ block / quarantine.

03

Gate

Runs in-process on every tool call via an omp pre-hook.

04

Contain

Approved process runs OS-isolated; egress is mediated + audited.

05

Label

Closed set: trusted · untrusted · suspicious · quarantined.

06

Promote

Suspicious sources can't enter semantic memory.

07

Export

Invisibles escaped; raw referenced by SHA-256, never inline.

Try the gate

Pick a command; the fail-closed gate scans it before it runs.
lucid, agent shell gate active

$ awaiting input…

07 LUCID Remote Live in v1.11.9

Your desktop agent, in your pocket.

The headline of v1.11.9: scan a QR from the Share panel, open your phone browser, then watch or drive the same desktop session through an installable Progressive Web App (PWA). No App Store download. Every prompt still executes on the host behind its fail-closed gate. Remote adds reach, not risk.

See the phone experience

The phone experience, in plain English

A website that behaves like a phone app.

A Progressive Web App (PWA) is a secure website designed to feel like an installed mobile app. Open the QR invite in Safari or Chrome, sign in, and use LUCID Remote immediately. You can optionally save it to your phone's Home Screen for one-tap access.

  • No App Store: nothing to search for, purchase, or install.
  • Watch live: see the transcript, thinking, tools, and new updates.
  • Drive securely: send a prompt or stop the agent from your phone.
  • Desktop stays in control: work runs on the host and passes every LUCID security gate.
LUCID Remote mobile sign-in screen with Google sign-in and an end-to-end encrypted connection notice
1. Open the secure inviteSign in with Google, then the encrypted room key connects the phone to your desktop session.
LUCID Remote mobile session showing live agent updates, tool activity, message composer, Stop and Send controls, and Live you can drive status
2. Watch or drive the agentFollow live work, send the next instruction, or stop the run while the desktop remains the execution host.
END-TO-END ENCRYPTED · AES-256-GCM Agent Phone Desktop 01 · IDENTITY Google sign-in Rendezvous admission 02 · ENCRYPTION Room key Never reaches server CLOUD RELAY Ciphertext + metadata only 03 · AUTHORITY Write token Edit or view-only 04 · HOST GATE Fail-closed Every action re-checked
Phone to desktop through four independent gates over an encrypted channel. The relay sees ciphertext only.
1

Google sign-in

A verified Firebase ID token admits the phone to the rendezvous, and nothing more. Signing in doesn't grant access to anything yet.

2

Room key

An AES-256-GCM key rides only in the invite link's fragment and never touches a server. Without it, the phone can read nothing.

3

Write token

Sending a prompt needs a separate write token carried only by an edit link. A view link stays read-only, refused host-side.

4

Desktop gate

Every remote action still runs on the desktop through its fail-closed scanner, exec approvals, and egress policy. Nothing is bypassed.

The guarantee: a compromised host, CDN, or relay sees ciphertext and metadata, never your session content. Watch the whole turn live (thinking, tool chips, subagents, and the streamed answer) on a mobile-first, installable Progressive Web App that runs the same collaboration core as the desktop, so remote is never a separate, weaker path. Self-host the rendezvous or use the hosted Cloud Run option (claims-gated for the paid Remote Access tier). ADR-0226 / 0227 + 0240–0242 · P-REMOTE.1–.10

08 Any model, any provider

Bring whatever you already pay for.

Sign in with your subscription (OAuth) or paste an API key, keys live in the OS-encrypted vault, never reaching the renderer or the agent. The gate scans every turn the same way, whichever model you choose.

Anthropic Claude · Fable 5 OpenAI GPT Google Gemini xAI Grok Perplexity Sonar AskSage gov gateway Ollama · llama.cpp · vLLM local
Government

Accredited gov gateway

AskSage routes every turn through GovCloud with scanned personas and dataset-grounded RAG, one lockdown toggle hides direct providers.

Offline

Fully air-gapped

Run U.S. open-weight families on your own hardware with local-first RAG and bundled WASM embeddings, no GPU, no egress.

Showback

Cost & savings ledger

Unified spend across every model, estimated cache savings, hit-rate, and per-session drill-down, built for teams that attribute AI cost.

09 Who it's for

Built for the teams the other tools treat as an afterthought.

Government · regulated · CUI teams

A sovereignty-aware agent with hard CUI isolation, a fail-closed gate, and a full provenance / audit trail, packaged for locked-down, air-gapped laptops with zero prerequisites.

Security-conscious engineers

Every tool call, every Save, every persona, every imported message scanned by a gate that cannot fail open. Prompt-injection defense is the default, not a toggle.

Teams that need governance & showback

Real cost per model with cache-savings showback, plus a tamper-evident ledger of which model wrote which lines. AI spend and AI authorship, both auditable.

Agent-platform builders

A worked, test-backed example of adding security, provenance, and memory around a fast runtime via hooks / tools / SDK, extend, never fork.

10 Field manual

Frequently asked

What is LUCID Agent IDE?
A security-first agentic coding harness. It wraps the oh-my-pi (omp) coding runtime with a fail-closed layer that scans every tool call, contains the runtime, tracks provenance, remembers across sessions, and attributes which model wrote which lines, added entirely through omp hooks, custom tools, and the SDK, never a fork.
What does “fail-closed” mean here?
Any failure to get a valid, clean result (a dead scanner, a malformed response, a timeout, an unknown field) is treated as block or quarantine, never as safe defaults. If the Unicode scanner dies mid-run, the gate still blocks. A test kills it on purpose to prove the block holds.
Which AI models does LUCID support?
Any model omp exposes: Anthropic Claude, OpenAI GPT, Google Gemini, xAI Grok, Perplexity Sonar, the AskSage accredited government gateway, and local open-weight models via Ollama, llama.cpp, or vLLM. Authenticate with your subscription (OAuth) or an API key; every turn passes the same gate.
Is it really built on oh-my-pi (omp)?
Yes. omp is a fast agentic coding runtime with subagents, plan mode, LSP, DAP, hindsight memory, hashline edits, and time-traveling rules, driven by a native Rust engine. LUCID adds its security, provenance, and memory through omp's hooks, custom tools, and SDK, riding omp's releases instead of forking.
Can it run air-gapped or in government environments?
Yes. It ships as a desktop app with zero prerequisites (Bun and the Python scanner sidecar are bundled), runs fully offline with local models and local-first RAG, isolates CUI, and integrates the AskSage accredited gateway with a lockdown mode, designed for locked-down, air-gapped laptops.
What is LUCID Remote?
Shipped in v1.11.9: see and drive a running desktop LUCID agent from your phone's browser. The phone interface is a Progressive Web App (PWA), meaning a secure website that behaves like a phone app and can be saved to your Home Screen, with no App Store download. Pair by QR from the Share panel. End-to-end encryption and four independent gates protect the connection: Google sign-in, a room key that never touches the server, a separate write token, and the desktop's fail-closed gate. The phone shows live updates and lets an authorized user send or stop work; execution remains on the desktop.
How do I install without using GitHub?
You don't need a GitHub account. Use the Download section on this site: one button for Windows, macOS, or Linux that starts a direct file download. Follow the short numbered steps under each card (SmartScreen / Gatekeeper / chmod are explained in plain English). The app bundles its runtimes - no Node, Python, or Bun install on your machine.
Why do executives and security leaders choose LUCID?
Because it lets leadership say yes to AI-assisted coding. Nothing sensitive leaves the host (metadata-only by construction), prompt injection can't fail the gate open, AI spend is governed with per-model cost showback, and every run produces audit evidence suited to CMMC and continuous monitoring. It stays neutral across models and clouds, so the cost and governance data belong to you, not a vendor console.
How much does it cost?
The source-available core is free. An enterprise add-on tier (executive BI rollups, SIEM audit export, central policy) is separately licensed and optional, nothing in the core depends on it.

Deploy an agent that can't be tricked into betraying you.

Download the desktop app, or read the source. Open core, source-available, one increment at a time behind its own ADR + demo + tests.

FAIL-CLOSEDMETADATA-ONLYSOVEREIGNTY-AWAREAIR-GAPPABLENO FORK