The Pydantic-based Firewall for MCP Servers. Stops hallucinated tool calls, validates schemas, and sandboxes dangerous operations.
Project description
Agent-Airlock
Your AI Agent Just Tried to rm -rf /. We Stopped It.
Agent: "I'll help you clean up disk space..."
↓
rm -rf / --no-preserve-root
↓
┌─────────────────────────────────────────┐
│ 🛡️ AIRLOCK_BLOCK: Operation Denied │
│ │
│ Reason: Matches denied pattern 'rm_*' │
│ Policy: PRODUCTION_POLICY │
│ Fix: Use approved cleanup tools only │
└─────────────────────────────────────────┘
Agent-Airlock is the open-source firewall for MCP servers. One decorator. Zero trust. Full control.
pip install agent-airlock
The Reality No One Talks About
In January 2026, MCP has 16,000+ servers on GitHub. OpenAI adopted it. The Linux Foundation hosts it.
But here's what the hype cycle ignores:
LLMs hallucinate tool calls. Every. Single. Day.
- Claude invents arguments that don't exist in your function signature
- GPT-4 sends
"100"when your code expects100 - Agents chain 47 tool calls before you notice one deleted production data
The enterprise vendors saw this coming. Prompt Security charges $50K/year. Pangea wants your data flowing through their proxy. Cisco is "coming soon."
We built the alternative.
What This Actually Does
from agent_airlock import Airlock
@Airlock()
def transfer_funds(from_account: str, to_account: str, amount: int) -> dict:
# Your banking logic here
return {"status": "transferred", "amount": amount}
That's it. One line. Now your function has:
| Protection | What It Stops |
|---|---|
| Ghost Argument Stripping | LLM sends force=True that doesn't exist → stripped silently |
| Strict Type Validation | LLM sends amount="500" → blocked, not silently coerced to 500 |
| Self-Healing Errors | Instead of crashing, returns {"fix_hint": "amount must be int"} |
The LLM gets a structured error. It retries correctly. Your system stays alive.
When You Need the Big Guns
from agent_airlock import Airlock, STRICT_POLICY
@Airlock(sandbox=True, policy=STRICT_POLICY)
def execute_code(code: str) -> str:
"""This runs in an E2B Firecracker MicroVM. Not on your machine."""
exec(code)
return "executed"
sandbox=True means:
- Code executes in an isolated VM (125ms boot time)
- No access to your filesystem, network, or secrets
- Warm pool keeps latency under 200ms after first call
policy=STRICT_POLICY means:
- Rate limited to 100 calls/hour
- Requires agent identity tracking
- Every call logged for audit
The Policies You'll Actually Use
from agent_airlock import (
PERMISSIVE_POLICY, # Development - no restrictions
STRICT_POLICY, # Production - rate limited, requires agent ID
READ_ONLY_POLICY, # Analytics agents - can query, can't mutate
BUSINESS_HOURS_POLICY, # Dangerous ops only during 9-5
)
Or build your own:
from agent_airlock import SecurityPolicy
MY_POLICY = SecurityPolicy(
allowed_tools=["read_*", "query_*", "search_*"],
denied_tools=["delete_*", "drop_*", "rm_*"],
rate_limits={"*": "1000/hour", "write_*": "100/hour"},
time_restrictions={"deploy_*": "09:00-17:00"},
)
The Cost Problem (And How We Solve It)
A single runaway agent can burn $500 in API costs before you notice.
from agent_airlock import Airlock, AirlockConfig
config = AirlockConfig(
max_output_chars=5000, # Truncate before token explosion
max_output_tokens=2000, # Hard limit on response size
)
@Airlock(config=config)
def query_logs(query: str) -> str:
# Even if this returns 10MB of logs,
# Airlock truncates to 5000 chars before the LLM sees it
return massive_log_query(query)
Result: Agents that cost 70% less to run. Not a marketing number—it's what happens when you stop feeding 10MB responses to a tokenizer.
The Security You Forgot You Needed
Your agent just queried a user's profile. The LLM is about to see their SSN.
config = AirlockConfig(
mask_pii=True, # SSN, credit cards, phone numbers
mask_secrets=True, # API keys, passwords, connection strings
)
@Airlock(config=config)
def get_user(user_id: str) -> dict:
return db.users.find_one({"id": user_id})
# What the LLM sees:
# {"name": "John", "ssn": "[REDACTED]", "api_key": "sk-...XXXX"}
The data exists in your database. The LLM never sees it. The audit log has the masked version.
FastMCP Integration (The Clean Way)
from fastmcp import FastMCP
from agent_airlock.mcp import secure_tool, STRICT_POLICY
mcp = FastMCP("production-server")
@secure_tool(mcp, policy=STRICT_POLICY)
def delete_user(user_id: str) -> dict:
"""One decorator. MCP registration + Airlock protection."""
return db.users.delete(user_id)
No ceremony. No boilerplate. The @secure_tool decorator handles:
- MCP tool registration
- Ghost argument stripping
- Type validation
- Policy enforcement
- Output sanitization
Why Not Just Use [Insert Enterprise Vendor]?
| Prompt Security | Pangea | Agent-Airlock | |
|---|---|---|---|
| Pricing | $50K+/year | Enterprise | Free forever |
| Integration | Proxy gateway | Proxy gateway | One decorator |
| Self-Healing | No | No | Yes |
| E2B Sandboxing | No | No | Native |
| Your Data | Through their servers | Through their servers | Never leaves your infra |
| Source Code | Closed | Closed | MIT Licensed |
We're not anti-enterprise. We're anti-gatekeeping.
Security for AI agents shouldn't require a procurement process.
Install
# Core (validation + policies + sanitization)
pip install agent-airlock
# With E2B sandbox support
pip install agent-airlock[sandbox]
# With FastMCP integration
pip install agent-airlock[mcp]
# Everything
pip install agent-airlock[all]
Set your E2B key (if using sandbox):
export E2B_API_KEY="your-key-here"
The Numbers
- 182 tests passing
- 84% coverage
- <50ms validation overhead
- <200ms sandbox execution (warm pool)
- 0 external dependencies for core functionality
Documentation
- Examples — Copy-paste patterns for common use cases
- Security Guide — Production deployment checklist
- API Reference — Every function, every parameter
Who Built This
Sattyam Jain — Building AI infrastructure at scale.
This started as an internal tool after watching an agent hallucinate its way through a production database. Now it's yours.
Contributing
We review every PR within 48 hours.
git clone https://github.com/sattyamjjain/agent-airlock
cd agent-airlock
pip install -e ".[dev]"
pytest tests/ -v
Found a bug? Open an issue. Have a feature idea? Start a discussion.
License
MIT. Use it. Fork it. Ship it. No strings.
If this saved your production database from an LLM hallucination, consider a ⭐
github.com/sattyamjjain/agent-airlock
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agent_airlock-0.1.0.tar.gz.
File metadata
- Download URL: agent_airlock-0.1.0.tar.gz
- Upload date:
- Size: 27.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
89962cc33654686074bb33362747f7f3250d40b761957579dd13a7934241e39c
|
|
| MD5 |
b3a1613ab8092a04fdbc208695a1b4c6
|
|
| BLAKE2b-256 |
c69e90b7b37321c91a9788c6b0ba17dd3e9bb5af020d6aeb77070db2c736013f
|
File details
Details for the file agent_airlock-0.1.0-py3-none-any.whl.
File metadata
- Download URL: agent_airlock-0.1.0-py3-none-any.whl
- Upload date:
- Size: 32.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3feef4c8fd3fc2cc9314d827c2b8acd4ec479f8f1d321b047fb2995963e4bda0
|
|
| MD5 |
2aff1aefcfb48fc12593dbd57a96d87f
|
|
| BLAKE2b-256 |
21cd68b1886fb01c4924974111f28005c87e86774f7bb6b8e1e245766c96c17a
|
