Stop Surrendering Data.
Start Owning Boundaries.
Every SaaS platform trusted with your data is a liability waiting to detonate. Baur Software built pap://, Papillon, and Chrysalis so the principal who owns the data controls what agents can see — cryptographically, by design.
The Next Breach Is Already Scheduled
The following are not hypothetical scenarios. They are documented, recent, catastrophic failures of the exact security model most organizations are still relying on today.
The Canvas LMS Catastrophe
In May 2026, the ShinyHunters group breached Instructure's Canvas platform - the LMS used by 41% of all U.S. higher education institutions - stealing over 275 million records including student IDs, private messages, and course data across 9,000+ schools worldwide. Finals were cancelled. Class-action lawsuits followed immediately.
Source: Wikipedia / Fisher Phillips, May 2026The GitHub Repository Breach
In May 2026, attackers compromised a widely-used coding tool to infiltrate and steal data from thousands of GitHub's internal repositories. Proprietary intellectual property — source code, internal tooling, trade secrets — is exposed whenever the boundary between trusted tools and attacker access lacks cryptographic enforcement.
Source: TechCrunch / CyberSecurity Dive, May 2026Healthcare Hacking Incidents in 2025
As of October 2025, the U.S. Department of Health and Human Services had already recorded 364 hacking incidents against healthcare organizations. PHI records, patient histories, and billing data - all surrendered to platforms that were never designed to enforce cryptographic identity at the agent layer.
Source: American Hospital Association, Oct 2025Gold Certified Governance
Both PAP and Chrysalis passed Gold certification from Raknor AI. We built out the Cassandra adversarial scenario library and ran it against both systems — everything held.
Adversarial Testing Highlights
- ✓ Injected governance overrides in handshake data — PAP treated them as literal strings, never executed
- ✓ Forged mandate signatures and expired TTL replays — all rejected by Scope::permits()
- ✓ Delegation chain injection (scope + TTL escalation) — Mandate::delegate() blocked both
- ✓ CEO verbal override after DENIED action — PAP ignored it completely
- ✓ SSRF attempts against Chrysalis via AWS metadata, GCP metadata, and Docker socket URLs — net_guard blocked all three
- ✓ Audit suppression requests — both systems logged the request and continued recording normally
Every Industry Has Unique Risks. pap:// Has Specific Answers.
Baur Software's team has worked directly inside these industries. We built pap://, Papillon, and Chrysalis from the ground up with the compliance requirements, threat models, and operational realities of each sector in mind.
| Sector | The Risk You Are Living With | The pap:// Solution |
|---|---|---|
| Education | Student records, private messages, and IDs concentrated in shared databases create large-surface breach exposure — as the 2026 Canvas incident demonstrated at scale. | Cryptographic SD-JWT selective disclosure ensures agents access only the exact data fields their mandate permits. No centralized PII aggregation. No ransom leverage. |
| Law / Legal | Uploading privileged case files, trade secrets, and client communications to external AI platforms destroys attorney-client privilege and creates catastrophic discovery liability. | Papillon's OS-level sandboxed execution means case data never leaves your secure boundary. Cryptographic receipts prove what was accessed and by whom. |
| Health Care | Autonomous medical billing and scheduling agents routinely access full patient records when they need only a single field - a HIPAA violation waiting to be audited. | Mandate-scoped permissions limit agent visibility to specific PHI properties. Immutable co-signed audit logs provide cryptographic HIPAA compliance proof on demand. |
| Military | Supply-chain compromises and air-gapped leaks occur when autonomous logistics or intelligence agents operate without cryptographic identity enforcement across fragmented networks. | Fully on-premises, air-gapped Chrysalis deployment. Every agent action produces a cryptographic receipt. CMMC and DoD architecture requirements met by design. |
| Private Sector | Corporate IP theft through rogue AI agents, compromised browser extensions, and unmonitored automation scripts accessing internal wikis, codebases, and financial systems. | Seccomp and pledge-level OS sandbox constraints prevent compromised agents from spawning subprocesses, accessing the filesystem, or exfiltrating IP - even if fully compromised. |
| Government | FedRAMP and CMMC compliance failures when AI agents operate across shared agency databases with assumed identity and no immutable audit trail. | Multi-tenant zero-trust architecture with immutable, cryptographically signed audit trails for every delegation step. FedRAMP, CMMC, and DoD-ready by architecture. |
| Private Use | Personal identity theft, financial credential leaks, and exposure of behavioral and financial data on platforms outside your direct control. | Device-bound keypairs with ephemeral session DIDs per transaction. No central registry. No token economy. Data stays on the principal's machine. |
3 minutes · Scored across 5 dimensions · Written report, no email required
Find Where I'm Exposed →Three Products.
One Unified Trust Architecture.
Baur Software engineered pap://, Papillon, and Chrysalis as a cohesive, interlocking system. Each product solves a distinct layer of the trust problem. Together, they seal the entire stack.
Principal Agent Protocol
A cryptographic open standard that governs what agents are permitted to see. A principal signs a mandate specifying the action, the disclosure scope, and the TTL. SD-JWT selective disclosure ensures agents receive only the exact data properties their mandate permits - nothing more. A child request can never exceed its parent's scope. Cryptographically enforced. Always.
Sandboxed Agent Workspace
A secure, multi-agent desktop canvas where every agent executes in OS-level isolation. Enforced capability constraints (seccomp, pledge, entitlements) prevent network access, filesystem escapes, and subprocess spawning - even if an agent is fully compromised. Every execution produces a cryptographic receipt proving exactly what constraints were applied.
Federated Agent Identity
A self-hostable, federated agent registry where agents register with verifiable DIDs and Ed25519-signed advertisements. pap:// mandates are verified before any execution. Per-agent sandbox enforcement with cryptographic attestation. Principal-controlled and self-hosted on your infrastructure, federated by design.
We Do Not Hand You a Spec Sheet. We Build It With You.
Most security strategies look strong in architecture diagrams and fail the moment they meet legacy systems and real operational pressure. Baur Software's human-AI engineering team works directly inside client environments to close that gap.
Analyze
We audit existing infrastructure, data flows, agent permissions, and identity architecture to map every hidden vulnerability and implicit trust gap - the ones current tools cannot see.
Strategize
We design a custom, zero-trust delegation model tailored specifically to the sector's regulatory requirements, operational constraints, and threat landscape. No generic playbooks.
Implement
We deploy pap://, Papillon, and Chrysalis directly into production environments - integrating seamlessly with legacy stacks without operational downtime or forced migration.
Most Founders Can't Name
Their Three Biggest Exposures.
Book 20 minutes. We map your three highest-risk boundaries, tell you straight whether our stack fits, and hand you something your engineering team can act on the same day.
You leave with, in writing
- ✓ Your three highest-risk agent permission boundaries, named and ranked
- ✓ A straight answer on whether pap://, Papillon, or Chrysalis fits your stack. Or doesn't.
- ✓ One concrete first step you can hand to engineering today