The AI coding agent leadership can actually approve.
LUCID Agent IDE lets your teams code with AI while your source, prompts & CUI never leave the host. A prompt-injection gate on every tool call that cannot fail open, per-model cost showback, sovereignty-aware governance, and now Remote: drive your desktop agent from your phone. Bring any model.
01 Start here · v1.11.9
Download. Install. Run. No GitHub required.
Built for managers and non-developers: one button per platform, plain-English steps, and zero prerequisites. Bun and the Unicode scanner are already inside the app - it even works air-gapped.
Windows
Recommended: the installer. Portable option if you can't install software.
Download for WindowsSimple install steps
- Click Download for Windows.
- Open the downloaded
LucidAgent-Setup.exe. - If Windows SmartScreen appears: More info → Run anyway.
- Finish the installer, then launch Lucid Agent from the Start menu.
- Pick a role and connect Claude, ChatGPT, Gemini, or an API key.
Portable version (no install)
macOS
Apple Silicon (M1/M2/M3/M4) primary. Intel package one click away.
Download for Mac (Apple Silicon)Simple install steps
- Click Download for Mac.
- Open the
.pkgand click through Install → Applications. - Open Lucid Agent from Applications (or Spotlight).
- If macOS blocks it (unsigned build): right-click the app → Open → Open again, or System Settings → Privacy & Security → Open Anyway.
Intel Mac, zip, or Homebrew
Intel .pkg · zip bundles: arm64 / Intel (drag to Applications).
Homebrew (technical users):
brew tap mlcyclops/lucid https://github.com/mlcyclops/lucidagentide brew trust --cask mlcyclops/lucid/lucidagentide brew install --cask lucidagentide
Linux
Portable AppImage - no package manager required.
Download for LinuxSimple install steps
- Click Download for Linux.
- Make it executable: right-click → Properties → Allow executing file as program, or run
chmod +x LucidAgent-x86_64.AppImage. - Double-click the file to run. No install step.
.deb / .rpm packages
.rpm for Fedora/RHEL-family distros.Links always point at the latest successful release (currently v1.11.9). Direct file downloads - you never need a GitHub account.
02 See it in action
Trust what you can verify.
Short walk-throughs of the features that make LUCID the choice for regulated and secure environments.
Fail-closed gate
Hidden Unicode blocked before a byte hits disk.
LUCID Remote
Scan a QR, open your phone browser, drive the desktop agent.
Cost & Savings Ledger
Per-model spend and cache-savings showback in one pane.
AI-authorship ledger
Which model wrote which lines - per repo and identity.
Model picker & Claude Fable 5
47 models, OAuth or API key, including Claude Fable 5.
Preview tabs & device viewports
Yours / Agent tabs plus phone and tablet frames.
KG Packs & RAG
Ground any model on your vault - scanned and local-first.
Role onboarding
Developer, Security, Manager, Executive - tailored first run.
Short product walkthroughs are being filmed now - posters above mark the first eight cuts.
03 The business case
Your teams already want AI coding. This is how leadership says yes.
Adoption isn't the question, governance is. LUCID turns "we can't let AI touch that codebase" into a program you can fund, defend, and audit: nothing sensitive leaves, injection can't win, spend is visible, and the evidence belongs to you.
Nothing sensitive ever leaves
Metadata-only by construction. Source code, prompts, and CUI never leave the host. The allow-list is an architectural guarantee, not a checkbox. A whole class of data-spill risk is designed out.
Injection can't trick your agent
A prompt-injection gate runs on every tool call and cannot fail open. With roughly half of AI-generated code carrying a vulnerability on first review, security is the default, not a toggle.
Govern and prove AI spend
Live per-model spend and cache-savings showback across every provider. When most enterprises overrun their AI budget, leadership gets one number instead of four consoles.
Sovereign, air-gap, ATO-ready
CUI isolation, a foreign-origin warning wall, and the AskSage accredited gateway (FedRAMP High, IL5/IL6). Every run doubles as audit evidence suited to CMMC and continuous monitoring.
No model or cloud lock-in
Bring any model; publish evidence into your own BI. Every new tool your teams adopt increases LUCID's value instead of trapping your data in someone else's console.
Know who wrote every line
A tamper-evident ledger attributes which model wrote which lines, per repo, per person, per session. AI spend and AI authorship, both auditable.
Budget isn't the blocker. Governance is.
LUCID is the neutral layer that lets leadership prove value, stay portable, and prove accountability across every AI tool, model, and cloud your organization runs. The alternative is four vendor consoles and no total.
Where the market is going
The AI-coding wave is here. The governance gap is the opening.
Nearly every developer now uses or plans to use AI coding tools, but spend is overrunning, trust in raw output is falling, and every provider wants your cost and audit data in their console. LUCID sits above the tool war: neutral across models and clouds, handing the evidence back to you.
Industry context (FinOps Foundation 2026; Precedence / Fortune BI; Stack Overflow / GitHub). Figures cited for landscape, not LUCID performance claims.
04 What makes it novel
Fourteen things you rarely find together.
Plain language below. The deeper “how” stays proprietary.
LUCID Remote
See and drive your desktop agent from your phone via E2E encrypted QR pairing, behind four independent gates.
Preview & Viewports
Yours and Agent tabs with live snapshots to test responsive layouts on device viewports.
A gate that cannot fail open
If the scanner dies or returns garbage, the gate blocks, never “safe.” A test kills it mid-run and the block still holds.
Runtime containment
Even after bash is approved, the process runs OS-isolated and its network is mediated, a package phoning home over DNS at import time is refused and audited.
Provenance-gated memory
Suspicious or quarantined content can never auto-save into memory. Trust comes from the source, not the caller's word.
Encrypted personalization graph
A private, AES-256-GCM “second brain” the agent learns from you and recalls across sessions, CUI-isolated, exportable to Obsidian.
AI-authorship attribution
A tamper-evident ledger of which model wrote which lines, per repo, per person, per session.
Sovereignty-aware governance
Gov-only lockdown, curated model lists, and a clear warning wall before any foreign-origin model is used.
A cache-stable prompt
Safety layers are byte-identical on every request. Untrusted text enters only delimited, only after the cache point, faster and safer.
An IDE where Save is scanned
Edit and save through the same gate. A hidden-Unicode payload is blocked before a byte lands on disk.
One-command migration
Bring your ChatGPT / Claude / Gemini history in, every message scanned, then distilled into your private graph.
Zero prerequisites
Bun and the Python Unicode scanner sidecar are bundled. Works air-gapped out of the box.
A gov-grade gateway, gated
The AskSage accredited gateway is wired in with a lockdown mode, scanned personas, and answers grounded on your own datasets.
Cost tracking & showback
Live per-model spend and cache savings, know exactly what every conversation costs.
05 Built on oh-my-pi
A thin, principled layer over a fast Rust engine.
LUCID rides omp's releases instead of forking it, everything is added through hooks, custom tools, and the SDK. These are the runtime capabilities it is built upon:
06 Security model
One lifecycle, enforced end to end.
Every tool call, every Save, every persona, every imported message walks the same path. Any failure at any stage means block or quarantine, never safe defaults.
Scan
Pure-Unicode sidecar finds zero-width, bidi, tag-block, homoglyph & PUA.
Decide
scanAndDecide: any scan failure ⇒ block / quarantine.
Gate
Runs in-process on every tool call via an omp pre-hook.
Contain
Approved process runs OS-isolated; egress is mediated + audited.
Label
Closed set: trusted · untrusted · suspicious · quarantined.
Promote
Suspicious sources can't enter semantic memory.
Export
Invisibles escaped; raw referenced by SHA-256, never inline.
Try the gate
Pick a command; the fail-closed gate scans it before it runs.$ awaiting input…
07 LUCID Remote Live in v1.11.9
Your desktop agent, in your pocket.
The headline of v1.11.9: scan a QR from the Share panel, open your phone browser, then watch or drive the same desktop session through an installable Progressive Web App (PWA). No App Store download. Every prompt still executes on the host behind its fail-closed gate. Remote adds reach, not risk.
A website that behaves like a phone app.
A Progressive Web App (PWA) is a secure website designed to feel like an installed mobile app. Open the QR invite in Safari or Chrome, sign in, and use LUCID Remote immediately. You can optionally save it to your phone's Home Screen for one-tap access.
- No App Store: nothing to search for, purchase, or install.
- Watch live: see the transcript, thinking, tools, and new updates.
- Drive securely: send a prompt or stop the agent from your phone.
- Desktop stays in control: work runs on the host and passes every LUCID security gate.


Google sign-in
A verified Firebase ID token admits the phone to the rendezvous, and nothing more. Signing in doesn't grant access to anything yet.
Room key
An AES-256-GCM key rides only in the invite link's fragment and never touches a server. Without it, the phone can read nothing.
Write token
Sending a prompt needs a separate write token carried only by an edit link. A view link stays read-only, refused host-side.
Desktop gate
Every remote action still runs on the desktop through its fail-closed scanner, exec approvals, and egress policy. Nothing is bypassed.
08 Any model, any provider
Bring whatever you already pay for.
Sign in with your subscription (OAuth) or paste an API key, keys live in the OS-encrypted vault, never reaching the renderer or the agent. The gate scans every turn the same way, whichever model you choose.
Accredited gov gateway
AskSage routes every turn through GovCloud with scanned personas and dataset-grounded RAG, one lockdown toggle hides direct providers.
Fully air-gapped
Run U.S. open-weight families on your own hardware with local-first RAG and bundled WASM embeddings, no GPU, no egress.
Cost & savings ledger
Unified spend across every model, estimated cache savings, hit-rate, and per-session drill-down, built for teams that attribute AI cost.
09 Who it's for
Built for the teams the other tools treat as an afterthought.
Government · regulated · CUI teams
A sovereignty-aware agent with hard CUI isolation, a fail-closed gate, and a full provenance / audit trail, packaged for locked-down, air-gapped laptops with zero prerequisites.
Security-conscious engineers
Every tool call, every Save, every persona, every imported message scanned by a gate that cannot fail open. Prompt-injection defense is the default, not a toggle.
Teams that need governance & showback
Real cost per model with cache-savings showback, plus a tamper-evident ledger of which model wrote which lines. AI spend and AI authorship, both auditable.
Agent-platform builders
A worked, test-backed example of adding security, provenance, and memory around a fast runtime via hooks / tools / SDK, extend, never fork.
10 Field manual
Frequently asked
What is LUCID Agent IDE?
What does “fail-closed” mean here?
Which AI models does LUCID support?
Is it really built on oh-my-pi (omp)?
Can it run air-gapped or in government environments?
What is LUCID Remote?
How do I install without using GitHub?
Why do executives and security leaders choose LUCID?
How much does it cost?
Deploy an agent that can't be tricked into betraying you.
Download the desktop app, or read the source. Open core, source-available, one increment at a time behind its own ADR + demo + tests.