EMBARGOED until Tuesday 2026-05-26, 13:00 UTC (= 15:00 CEST / 09:00 ET / 06:00 PT)
This page is a pre-release press kit. Quotes, the demo and the downloadable press materials are approved for reporting under embargo.
PARIS, France · Embargoed Tuesday 2026-05-26, 13:00 UTC
EDAMAME introduces runtime verification for coding and self-improving AI agents
New controls help teams secure agents such as Cursor, Codex, Claude Code and OpenClaw across developer workstations, CI/CD runners and cloud environments — with host-side runtime verification, intent-divergence scoring, and immediate attack-pattern alerts for credential harvest, token exfiltration and sensitive-file access.
Coding agents are becoming the execution layer for software delivery: they operate in IDEs, shells, MCP tool calls, CI/CD runners and self-hosted agent runtimes. Today, edamame.tech announced runtime verification and deterministic guardrails for coding and self-improving AI agents — a host-side evidence layer that detects when agent behaviour diverges from declared intent and when telemetry shows attack patterns, across developer workstations, CI/CD runners and cloud environments.
Three ideas behind the launch
1. Coding agents became the execution layer for software delivery.
In May 2026, the important shift is no longer that agents can write code. They now sit inside the developer workflow as operators: in the IDE, in the shell, in MCP tool calls, and increasingly in CI/CD and self-hosted agent runtimes. Cursor, Claude Code, Codex and OpenClaw are different products, but they point to the same change: software is no longer only authored by a human and executed by a machine. It is produced in real time by humans, agents and tools. The new trust question is not future AGI safety. It is whether each autonomous action should happen here, now, on this host, under this posture.
2. Existing controls were built for the human-types-machine-executes world. 2025-2026 broke that assumption.
EDR runs after trust has broken: the axios npm RAT wave (active 2025-2026) installs through a coding agent resolving a dependency tree, runs as a normal node process, and EDR sees a clean execution graph. SAST and SCA test code at rest: tj-actions/changed-files (CVE-2025-30066, March 2025) shipped a clean v45.x to ~23,000 repositories before the maintainer's account was compromised — SCA pinned to the original commit hash flagged nothing. Identity providers gate humans: once Claude Code has a developer's valid GitHub PAT in its context, the IdP cannot tell which prompt told it to push to prod. Observability stacks watch what already happened: by the time a long-running self-improving agent's trace is parseable, the agent has been making decisions across runners for hours. Compliance platforms answer "are we following the right process?" — no SOC 2 trust services criterion currently asks "did the autonomous agent stay inside operator intent?".
3. EDAMAME ships the missing layer — as a primitive, not a per-vendor feature.
What Anthropic shipped this month for Claude Code is an inline confirmation model for one agent. EDAMAME takes a different position: one host-side evidence layer for every coding agent that runs on a host we cover — Cursor, Codex, Claude Code, OpenClaw, and the agents that follow. It compares declared intent with observed process, file, network, credential and posture telemetry; computes divergence when the agent drifts from what it said it would do; and raises immediate alerts when the same telemetry shows attack patterns such as credential harvest, token exfiltration or sensitive-file access. One trust model from developer workstation to CI/CD runner to cloud execution to long-running autonomous workflow, with evidence outside the model at the host boundary.
Product surfaces — what ships
Three surfaces, one trust contract:
EDAMAME Hub
Inventories the fleet and surfaces the workstations and hosts running coding agents without an EDAMAME trust anchor. The first thing a security lead needs is "who in my org is running Cursor / Codex / Claude Code on an unanchored host?". Hub answers that question continuously.
EDAMAME Security (App)
On every anchored workstation, turns process, file, network and posture telemetry into two outputs: a runtime-verification divergence score that compares the agent's declared intent with what the machine actually does, and attack-pattern findings (credential harvest, token exfiltration, sensitive-file access) pulled from enriched host telemetry, scoring and agent-assisted analysis.
EDAMAME Posture (CLI)
The same divergence and attack-pattern outputs on CI/CD runners and self-hosted agent servers, scripted and headless. The same trust model travels from developer workstation to CI/CD runner to cloud; the evidence is produced at the host boundary, not in the model.
Demo
EDAMAME runtime verification on a live Cursor session. The same primitive applies identically to Claude Code, Codex and OpenClaw. Minh Anh (founding engineer, Stanford CS) is the human in the demo. Length ~90 seconds.
Executive quotes
All quotes below are gated on sign-off — final wording to be confirmed before publishing.
“In May 2026, coding agents crossed a quiet line. They no longer only suggest code; they participate in the software supply chain. That changes the security question from 'is this developer trusted?' to 'did the agent stay inside the operator's intent, on this host, under this posture?' My company EDAMAME measures that divergence from host telemetry, and alerts immediately when the evidence shows intent drift or concrete attack patterns.”
— Frank Lyonnet, PhD · founder and CEO, edamame.tech (former INRIA researcher)
“Verifying the behaviour of autonomous software agents — comparing each action against an explicit policy, at the boundary, with evidence — has been a recurring theme in the research community for a decade. What edamame.tech is shipping for coding agents is the operational expression of that work, applied to a workflow that has clearly outgrown after-the-fact monitoring.”
— Kave Salamatian, PhD · Professor of Computer Science, University of Savoie
Supply-chain detection — secondary deliverable
The same host telemetry that feeds the runtime-verification divergence score — enriched with machine learning, anomaly detection and AI analysis — also detects the current wave of npm and PyPI supply-chain attacks reaching developer workstations through coding agents. EDAMAME flags these attack patterns at the agent's host, where the credentials and processes are actually live.
Further reading — supply-chain posts
axios npm RAT
Trojanised axios look-alike packages installed by coding agents resolving a dependency tree, opening a remote-access channel on the developer workstation.
tj-actions/changed-files GitHub Actions compromise — CVE-2025-30066
Compromised v45.x of the action exfiltrated CI secrets into workflow logs across approximately 23,000 repositories in March 2025 — the canonical CI-runner-side supply-chain incident that coding-agent runners inherit.
litellm PyPI takeover
Hijacked PyPI account and package versions of litellm (the LLM router many coding agents depend on) — direct pipeline from a poisoned package to live agent credentials on the workstation.
About EDAMAME
Founded by Frank Lyonnet, PhD — a former researcher at INRIA, France's national institute for research in digital science and technology — edamame.tech ships an SDLC trust layer with deterministic, developer-first runtime verification for coding and self-improving AI agents. The company is a member of France DeepTech, the French network of startups commercialising disruptive science, and works with academic collaborators including Kave Salamatian, PhD, Professor of Computer Science at the University of Savoie, on verifiable behaviour of autonomous software agents. Headquartered in Paris with operations in San Francisco. More: edamame.tech.
Press contact
Frank Lyonnet, PhD — founder and CEO, edamame.tech
Phone: +33 6 75 38 30 73
Downloads
Direct downloads for reporters. Each item opens in a new tab.
Reporting terms
All quotes, data points, demo footage and downloads on this page are released under embargo until Tuesday 2026-05-26, 13:00 UTC (= 15:00 CEST / 09:00 ET / 06:00 PT). Reporters may prepare coverage, schedule briefings, and request additional materials under embargo. To request a 15-minute Q&A or a deeper technical briefing under embargo, reply to the pitch email or book at https://calendly.com/flyonnet. After the embargo lifts, this page becomes public and the password is removed.