UC Berkeley AI Hackathon 2026

The approval layer for AI agents, built for the people actually using them.

AI agents can browse, shop, and book for you now. Agent Immunity sits in front of every consequential checkout action and checks it against what you actually authorized — before it happens, not after.

View Source → How It Works

Live Decision Feed — Authorization Delta

BLOCKHeritage Rewards+ membership

$49.99/month recurring charge — not authorized

BLOCKVIP Savings Bundle checkbox

"Discount" disguises a $29.99/season auto-renewal

ALLOWComplete checkout — $287.00

Matches authorized goal exactly, nothing added

The Problem

AI agents may be more susceptible to manipulation than humans.

A 2026 benchmark study, DECEPTICON, found that dark patterns steered web agents toward manipulated outcomes in over 70% of tested tasks, compared with a reported human average of 31%. The study also found that greater model capability did not automatically make agents more resistant.

70%+

of DECEPTICON's tested agent tasks were steered off-goal

31%

reported human average, for comparison

complete demo flows, both naive and protected, both recorded

How It Works

Rules for facts. AI for judgment.

Deterministic rules catch obvious violations instantly, with zero LLM calls. A reasoning layer (Claude) handles genuinely ambiguous cases — asking not "does this match a known bad pattern" but "does this still serve what the user actually authorized."

User goal → Policy Contract ↓ Agent (Browserbase + Stagehand) navigates the real flow ↓ ┌─────────────────────────────────┐ │ Deterministic rules (instant) │ │ + LLM intent-mismatch reasoning │ ← checks Redis cache first └─────────────────────────────────┘ ↓ Authorization Delta → Dashboard + Sentry + Redis ↓ Only if everything passes → agent proceeds

Stack

Three sponsor integrations, all genuinely real.

Browserbase + Stagehand

The actual execution layer — real cloud browser sessions, not a simulation

Claude (Anthropic)

Powers the agent's actions and the intent-mismatch reasoning

Redis

Caches reasoning verdicts — proven to work across different sites

Sentry

Every blocked decision becomes a real, searchable event

Node.js

The decision engine — plain, fast, explainable

Express + WebSocket

The live dashboard, rendering decisions as they happen

Proven, Not Just Built

Every claim here is demonstrated, not asserted.

✓Real Browserbase cloud sessions, recorded and replayable

✓Live LLM reasoning generating correct explanations, not scripted

✓Cross-site Redis cache hit — same pattern, different site, zero new LLM call (cache:llm:intent_mismatch:recurring_charge)

✓Real, tagged Sentry events with full decision context attached

✓Two complete 3-page demo flows, naive and protected modes, both recorded