agent-airlock 0.8.3

The Pydantic-based Firewall for MCP Servers. Stops hallucinated tool calls, validates schemas, and sandboxes dangerous operations.

The Open-Source Firewall for AI Agents

One decorator. Zero trust. Full control.

Test suite: 2,466 tests · Coverage: 83.00% · v0.8.3

Get Started in 30 Seconds · Why Airlock? · All Frameworks · Docs

---

┌────────────────────────────────────────────────────────────────┐
│  🤖 AI Agent: "Let me help clean up disk space..."            │
│                           ↓                                    │
│               rm -rf / --no-preserve-root                      │
│                           ↓                                    │
│  ┌──────────────────────────────────────────────────────────┐  │
│  │  🛡️ AIRLOCK: BLOCKED                                     │  │
│  │                                                          │  │
│  │  Reason: Matches denied pattern 'rm_*'                   │  │
│  │  Policy: STRICT_POLICY                                   │  │
│  │  Fix: Use approved cleanup tools only                    │  │
│  └──────────────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────────────┘

---

🎯 30-Second Quickstart

pip install agent-airlock

from agent_airlock import Airlock

@Airlock()
def transfer_funds(account: str, amount: int) -> dict:
    return {"status": "transferred", "amount": amount}

# LLM sends amount="500" (string) → BLOCKED with fix_hint
# LLM sends force=True (invented arg) → STRIPPED silently
# LLM sends amount=500 (correct) → EXECUTED safely

That's it. Your function now has ghost argument stripping, strict type validation, and self-healing errors.

---

🧠 The Problem No One Talks About

The Hype "MCP has 16,000+ servers on GitHub!" "OpenAI adopted it!" "Linux Foundation hosts it!"

The Reality LLMs hallucinate tool calls. Every. Single. Day. Claude invents arguments that don't exist GPT-4 sends "100" when you need 100 Agents chain 47 calls before one deletes prod data

Enterprise solutions exist: Prompt Security ($50K/year), Pangea (proxy your data), Cisco ("coming soon").

We built the open-source alternative. One decorator. No vendor lock-in. Your data never leaves your infrastructure.

---

✨ What You Get

Ghost Args Strip LLM-invented params	Strict Types No silent coercion	Self-Healing LLM-friendly errors	E2B Sandbox Isolated execution	RBAC Role-based access	PII Mask Auto-redact secrets
Network Guard Block data exfiltration	Path Validation CVE-resistant traversal	Circuit Breaker Fault tolerance	OpenTelemetry Enterprise observability	Cost Tracking Budget limits	Vaccination Auto-secure frameworks

---

📋 Table of Contents

Click to expand full navigation

• 30-Second Quickstart
• The Problem
• What You Get
• Core Features
  • E2B Sandbox
  • Security Policies
  • Cost Control
  • PII Masking
  • Network Airgap
  • Framework Vaccination
  • Circuit Breaker
  • OpenTelemetry
• Framework Compatibility
• FastMCP Integration
• Comparison
• Installation
• OWASP Compliance
• Performance
• Documentation
• Contributing
• Support

---

🔥 Core Features

🔒 E2B Sandbox Execution

from agent_airlock import Airlock, STRICT_POLICY

@Airlock(sandbox=True, sandbox_required=True, policy=STRICT_POLICY)
def execute_code(code: str) -> str:
    """Runs in an E2B Firecracker MicroVM. Not on your machine."""
    exec(code)
    return "executed"

Feature	Value
Boot time	~125ms cold, <200ms warm
Isolation	Firecracker MicroVM
Fallback	sandbox_required=True blocks local execution

Air-gapped / on-prem? DockerBackend is the supported alternative — cap_drop=["ALL"], no-new-privileges, network_mode="none", timeout enforced, opt-in pytest -m docker integration tests. See docs/sandbox/docker.md.

---

📜 Security Policies

from agent_airlock import (
    PERMISSIVE_POLICY,      # Dev - no restrictions
    STRICT_POLICY,          # Prod - rate limited, agent ID required
    READ_ONLY_POLICY,       # Analytics - query only
    BUSINESS_HOURS_POLICY,  # Dangerous ops 9-5 only
)

# Or build your own:
from agent_airlock import SecurityPolicy

MY_POLICY = SecurityPolicy(
    allowed_tools=["read_*", "query_*"],
    denied_tools=["delete_*", "drop_*", "rm_*"],
    rate_limits={"*": "1000/hour", "write_*": "100/hour"},
    time_restrictions={"deploy_*": "09:00-17:00"},
)

Running an MCP server with STDIO transport? Also wire the Ox MCP STDIO sanitizer via stdio_guard_ox_defaults() — it blocks the entire CVE-2026-30616 class (shell metacharacter injection, non-allowlisted binaries, Trojan-Source RTL overrides, and inline-code flags) before subprocess.Popen.

---

💰 Cost Control

A runaway agent can burn $500 in API costs before you notice.

from agent_airlock import Airlock, AirlockConfig

config = AirlockConfig(
    max_output_chars=5000,    # Truncate before token explosion
    max_output_tokens=2000,   # Hard limit on response size
)

@Airlock(config=config)
def query_logs(query: str) -> str:
    return massive_log_query(query)  # 10MB → 5KB

ROI: 10MB logs = ~2.5M tokens = $25/response. Truncated = ~1.25K tokens = $0.01. 99.96% savings.

---

🔐 PII & Secret Masking

config = AirlockConfig(
    mask_pii=True,      # SSN, credit cards, phones, emails
    mask_secrets=True,  # API keys, passwords, JWTs
)

@Airlock(config=config)
def get_user(user_id: str) -> dict:
    return db.users.find_one({"id": user_id})

# LLM sees: {"name": "John", "ssn": "[REDACTED]", "api_key": "sk-...XXXX"}

12 PII types detected · 4 masking strategies · Zero data leakage

---

🌐 Network Airgap (V0.3.0)

Block data exfiltration during tool execution:

from agent_airlock import network_airgap, NO_NETWORK_POLICY

# Block ALL network access
with network_airgap(NO_NETWORK_POLICY):
    result = untrusted_tool()  # Any socket call → NetworkBlockedError

# Or allow specific hosts only
from agent_airlock import NetworkPolicy

INTERNAL_ONLY = NetworkPolicy(
    allow_egress=True,
    allowed_hosts=["api.internal.com", "*.company.local"],
    allowed_ports=[443],
)

---

💉 Framework Vaccination (V0.3.0)

Secure existing code without changing a single line:

from agent_airlock import vaccinate, STRICT_POLICY

# Before: Your existing LangChain tools are unprotected
vaccinate("langchain", policy=STRICT_POLICY)

# After: ALL @tool decorators now include Airlock security
# No code changes required!

Supported: LangChain, OpenAI Agents SDK, PydanticAI, CrewAI

---

⚡ Circuit Breaker (V0.4.0)

Prevent cascading failures with fault tolerance:

from agent_airlock import CircuitBreaker, AGGRESSIVE_BREAKER

breaker = CircuitBreaker("external_api", config=AGGRESSIVE_BREAKER)

@breaker
def call_external_api(query: str) -> dict:
    return external_service.query(query)

# After 5 failures → circuit OPENS → fast-fails for 30s
# Then HALF_OPEN → allows 1 test request → recovers or reopens

---

📈 OpenTelemetry Observability (V0.4.0)

Enterprise-grade monitoring:

from agent_airlock import configure_observability, observe

configure_observability(
    service_name="my-agent",
    otlp_endpoint="http://otel-collector:4317",
)

@observe(name="critical_operation")
def process_data(data: dict) -> dict:
    # Automatic span creation, metrics, and audit logging
    return transform(data)

---

🔌 Framework Compatibility

The Golden Rule: @Airlock must be closest to the function definition.

@framework_decorator    # ← Framework sees secured function
@Airlock()             # ← Security layer (innermost)
def my_function():     # ← Your code

LangChain / LangGraph from langchain_core.tools import tool from agent_airlock import Airlock @tool @Airlock() def search(query: str) -> str: """Search for information.""" return f"Results for: {query}"	OpenAI Agents SDK from agents import function_tool from agent_airlock import Airlock @function_tool @Airlock() def get_weather(city: str) -> str: """Get weather for a city.""" return f"Weather in {city}: 22°C"
PydanticAI from pydantic_ai import Agent from agent_airlock import Airlock @Airlock() def get_stock(symbol: str) -> str: return f"Stock {symbol}: $150" agent = Agent("openai:gpt-4o", tools=[get_stock])	CrewAI from crewai.tools import tool from agent_airlock import Airlock @tool @Airlock() def search_docs(query: str) -> str: """Search internal docs.""" return f"Found 5 docs for: {query}"

More frameworks: LlamaIndex, AutoGen, smolagents, Anthropic

LlamaIndex

from llama_index.core.tools import FunctionTool
from agent_airlock import Airlock

@Airlock()
def calculate(expression: str) -> int:
    return eval(expression, {"__builtins__": {}})

calc_tool = FunctionTool.from_defaults(fn=calculate)

AutoGen

from autogen import ConversableAgent
from agent_airlock import Airlock

@Airlock()
def analyze_data(dataset: str) -> str:
    return f"Analysis of {dataset}: mean=42.5"

assistant = ConversableAgent(name="analyst", llm_config={"model": "gpt-4o"})
assistant.register_for_llm()(analyze_data)

smolagents

from smolagents import tool
from agent_airlock import Airlock

@tool
@Airlock(sandbox=True)
def run_code(code: str) -> str:
    """Execute in E2B sandbox."""
    exec(code)
    return "Executed"

Anthropic (Direct API)

from agent_airlock import Airlock

@Airlock()
def get_weather(city: str) -> str:
    return f"Weather in {city}: 22°C"

# Use in tool handler
def handle_tool_call(name, inputs):
    if name == "get_weather":
        return get_weather(**inputs)  # Airlock validates

Adapter-shipped vs example-only (honest split)

Both paths use the same @Airlock() decorator placement. "Adapter-shipped" means there's a dedicated src/agent_airlock/integrations/<framework>.py module with framework-specific glue (signature preservation, tool registry rewrites, request-shape adapters). "Example-only" means the decorator is compatible out of the box — no extra adapter required.

Adapter-shipped (11): LangChain (integrations/langchain.py), LangGraph (integrations/langgraph_toolnode_compat.py), OpenAI Agents SDK (integrations/openai_guardrails.py), Anthropic Messages API (integrations/anthropic.py), Anthropic Claude Agent SDK (integrations/anthropic_claude_agent_sdk.py, v0.6.1+), smolagents (integrations/smolagents_wrapper.py), Gemini 3 Agent Mode (integrations/gemini3_tool_shape_adapter.py), GPT-5.5 (integrations/gpt5_5_tool_shape_adapter.py), PydanticAI (integrations/pydantic_ai.py, v0.7.1+), CrewAI (integrations/crewai.py, v0.7.2+), FastMCP (mcp.py).

Example-only (2): AutoGen, LlamaIndex — decorator-compatible without an adapter; see examples/.

Complete Examples

Framework	Path	Surface
LangChain	adapter · example	@tool, AgentExecutor
LangGraph	adapter · example	StateGraph, ToolNode
OpenAI Agents	adapter · example	Handoffs, manager pattern
Anthropic API	adapter · example	Direct Messages API
Claude Agent SDK	adapter · doc	wrap_agent(agent, policy=...)
smolagents	adapter · example	CodeAgent, E2B
Gemini 3	adapter	function_call carrier + thought_signature redaction
GPT-5.5	adapter	gpt_5_5_agent_defaults preset
FastMCP	adapter · example	@secure_tool decorator
PydanticAI	adapter · doc · example	wrap_agent(agent, policy=...) + output_validate hook
CrewAI	adapter · doc · example	wrap_crew(crew, policy=...) + task-level tool overrides
LlamaIndex	example only	ReActAgent
AutoGen	example only	ConversableAgent

---

⚡ FastMCP Integration

from fastmcp import FastMCP
from agent_airlock.mcp import secure_tool, STRICT_POLICY

mcp = FastMCP("production-server")

@secure_tool(mcp, policy=STRICT_POLICY)
def delete_user(user_id: str) -> dict:
    """One decorator: MCP registration + Airlock protection."""
    return db.users.delete(user_id)

---

🏆 Why Not Enterprise Vendors?

	Prompt Security	Pangea	Agent-Airlock
Pricing	$50K+/year	Enterprise	Free forever
Integration	Proxy gateway	Proxy gateway	One decorator
Self-Healing	❌	❌	✅
E2B Sandboxing	❌	❌	✅ Native
Your Data	Their servers	Their servers	Never leaves you
Source Code	Closed	Closed	MIT Licensed

We're not anti-enterprise. We're anti-gatekeeping. Security for AI agents shouldn't require a procurement process.

---

📦 Installation

# Core (validation + policies + sanitization)
pip install agent-airlock

# With E2B sandbox support
pip install agent-airlock[sandbox]

# With FastMCP integration
pip install agent-airlock[mcp]

# Everything
pip install agent-airlock[all]

# E2B key for sandbox execution
export E2B_API_KEY="your-key-here"

---

🛡️ OWASP Compliance

Agent-Airlock maps to the OWASP Top 10 for Agentic Applications (2026) — the agentic-era successor to the old LLM Top 10. Coverage is reported honestly: Full means the primitive ships and blocks the class in tests; Partial means agent-airlock covers the runtime leg but something upstream (client UI, IAM, training data) is out of scope; Monitor-only means we surface the signal but do not actually prevent the risk.

Risk	Implemented in agent-airlock	Module / preset	Coverage
ASI01 Agent Goal Hijack	Pydantic strict validation + ghost-arg rejection + UnknownArgsMode.BLOCK	validator, unknown_args, core	Partial
ASI02 Tool Misuse and Exploitation	Deny-by-default SecurityPolicy, RBAC, rate limits, SafePath / SafeURL, Flowise Function()/eval token ban (CVE-2025-59528), MCPwn destructive-auth check (CVE-2026-33032)	policy, safe_types, filesystem, network, policy_presets.flowise_cve_2025_59528_defaults, policy_presets.mcpwn_cve_2026_33032_defaults	Full
ASI03 Identity and Privilege Abuse	AgentIdentity, MCPProxyGuard token-passthrough prevention, CredentialScope, OAuth-app audit (Vercel 2026-04-19)	policy, mcp_proxy_guard, mcp_spec.oauth_audit, policy_presets.oauth_audit_vercel_2026_defaults	Partial
ASI04 Agentic Supply Chain Vulnerabilities	Ox MCP STDIO sanitizer + CVE regression suite (10+ CVEs tracked) + session-snapshot integrity guard	mcp_spec.stdio_guard, mcp_spec.session_guard, policy_presets.stdio_guard_ox_defaults, tests/cves/	Partial
ASI05 Unexpected Code Execution (RCE)	E2B Firecracker sandbox, pluggable SandboxBackend, capability gating for PROCESS_SHELL, Flowise eval-token ban (CVE-2025-59528)	sandbox, sandbox_backend, capabilities, policy_presets.flowise_cve_2025_59528_defaults	Full
ASI06 Memory & Context Poisoning	AirlockContext contextvars isolation, ConversationConstraints budget caps, audit logging	context, conversation, sanitizer	Partial
ASI07 Insecure Inter-Agent Communication	A2A middleware Pydantic strict validation, method allow-lists	a2a	Partial
ASI08 Cascading Failures	CircuitBreaker, RetryPolicy, token-bucket rate limits	circuit_breaker, retry, policy	Full
ASI09 Human-Agent Trust Exploitation	Honeypot deception, audit-log attribution, structured fix_hints	honeypot, audit_otel	Partial
ASI10 Rogue Agents	Audit telemetry + anomaly detector; no quarantine primitive	observability, anomaly	Monitor-only

MCP-specific mapping

The OWASP MCP Top 10 (2026 beta) is covered end-to-end by the OWASP_MCP_TOP_10_2026 policy preset:

MCP risk	Ships in agent-airlock
MCP01 Token Mismanagement	MCPProxyGuard rejects passthrough headers, enforces audience
MCP02 Excessive Permissions	SecurityPolicy + CredentialScope
MCP03 Tool Poisoning	ghost-arg rejection + SafePath/SafeURL
MCP04 Supply Chain	stdio_guard_ox_defaults() (Ox 2026-04-16 advisory)
MCP05 Command Injection	stdio_guard shell-metachar + deny-pattern rules
MCP07 Insufficient Authentication	OAuth 2.1 + PKCE S256 helpers in mcp_spec.oauth
MCP10 Context Oversharing	PII/secret sanitizer + workspace-scoped config

Use it directly:

from agent_airlock import Airlock
from agent_airlock.policy_presets import owasp_mcp_top_10_2026_policy

@Airlock(policy=owasp_mcp_top_10_2026_policy())
def my_mcp_tool(...):
    ...

Ox Security STDIO advisory (2026-04-16, CVE-2026-30616): see docs/cves/index.md#cve-2026-30616 and the stdio_guard_ox_defaults() preset above. agent-airlock blocks 3 of 4 Ox attack classes at the runtime seam.

---

🏢 Used By

Agent-Airlock secures AI agent systems in production:

Project	Use Case
FerrumDeck	AgentOps control plane — deny-by-default tool execution
Mnemo	MCP-native memory database — secure tool call validation

Using Agent-Airlock in production? Open a PR to add your project!

---

📊 Performance

Test count and coverage are published by the TEST-BADGE block at the top of this file, regenerated from pytest on every release via python scripts/update_test_badge.py. That block is the source of truth; this table tracks latency and surface area only.

Metric	Value
Validation overhead	<50ms
Sandbox cold start	~125ms
Sandbox warm pool	<200ms
Framework integrations	13
Core dependencies	0 (Pydantic only)

---

📖 Documentation

Resource	Description
AGENTS.md	v0.6.1 — repo-root entrypoint for agentic IDEs (Cursor, Claude Code, Windsurf, Mintlify)
Anthropic Claude Agent SDK adapter	v0.6.1 — AnthropicClaudeAgentSDKAdapter.wrap_agent(agent, policy=...); canonical-list trio
airlock manifest enforce	v0.6.1 — fail-closed CLI runtime allowlist gate against signed manifests; CI exits 0/2/3
Managed Agents Outcomes-rubric guard	v0.7.4 — fail-closed gate on the Anthropic Managed Agents 2026-05-06 Outcomes rubric ID; ManagedAgentsOutcomesGuard.evaluate(provenance) + managed_agents_outcomes_2026_05_06_defaults factory; no SDK dep
Filter-Eval RCE guard (CVE-2026-25592 + CVE-2026-26030)	v0.7.5 — regex detector for the Semantic-Kernel-class lambda-filter / template-expression eval RCE primitive (MSRC 2026-05-07); FilterEvalRCEGuard.evaluate(args) + semantic_kernel_filter_eval_rce_2026_25592_26030_defaults factory; framework-agnostic
OIDC publish-window guard (TanStack 2026-05-11)	v0.7.6 — known-bad blast-list guard for the TanStack/Mini-Shai-Hulud npm OIDC trusted-publisher class (postmortem 2026-05-11; 42 pkgs × 84 versions); OIDCPublishWindowGuard.evaluate(args) + npm_oidc_publish_window_guard_defaults factory; pure-data preset, no runtime npm calls
MCP STDIO command-injection guard	v0.7.6 — shell metachar + opt-in path-traversal denier for MCP STDIO argv vectors (HelpNetSecurity 2026-05-05); StdioCommandInjectionGuard.evaluate(args) + mcp_stdio_command_injection_preset_defaults factory; no mcp SDK dep
Eval-RCE guard (CVE-2026-44717)	v0.8.0 — bare-eval()/parse_expr()/exec() invocation detector for the MCP Calculate Server class (NVD 2026-05-15); EvalRCEGuard.evaluate(args) + curated vulnerable-package denylist + parse_expr safe-form exemption + stdio_guard_eval_defaults_2026_05_15 factory
MCP Inspector exposure guard (CVE-2026-23744 runtime)	v0.8.0 — Linux runtime listener-scan via stdlib /proc/net/tcp for the MCPJam Inspector public-bind class; complements v0.5.x config-time bind_address_guard; MCP_INSPECTOR_REQUIRE_AUTH=1 operator bypass
Agent SDK Credit pool budget	v0.8.0 — per-month USD pool tracker for Anthropic's 2026-06-15 billing split (Zed blog 2026-05-14); AgentSDKCreditBudget.register_call(model, input_tokens, output_tokens) with 90% near-limit + 100% exhausted thresholds; packaged 2026-06 pricing fixture
OpenAPI Drift Guard (Hermes 2026-05-13)	v0.8.1 — payload-shape drift detector against an operator-supplied OpenAPI 3.x spec (arXiv:2605.14312); OpenAPIDriftGuard.evaluate(operation_id, args) detects missing_required / unknown_field / type_mismatch; three modes (strict / warn / shadow); vaccinate_openapi(spec) decorator + openapi_doc_drift_guard_defaults factory; caller supplies spec dict, no PyYAML dep
MCP Calc-Server bundle preset	v0.8.1 — composition factory mcp_calc_server_bundle_defaults_2026_05_15() wires v0.8.0 EvalRCEGuard + v0.7.6 StdioCommandInjectionGuard under a single preset_id (CVE-2026-44717 anchor) scoped to calc/calculate/evaluate/sympy_eval/math_eval tool-name patterns; pure config composition, no new detector module
Metis-inspired corpus block-rate regression	v0.8.2 — release-gate primitive MetisInspiredCorpusBlockRateGuard runs a deterministic 25-entry exploit-shape corpus (CVE-2026-44717 + 2026-05-05 STDIO injection) through EvalRCEGuard + StdioCommandInjectionGuard; one-sided gate fires when block rate drops below baseline − 5%; NOT a reproduction of the Metis paper's POMDP attacker (arXiv:2605.10067 cited as motivation, not as prompt source); airlock corpus-bench CLI ships text/json/md reports
Corpus per-category coverage (v0.8.3 extension to corpus-bench)	v0.8.3 — adopts the HarnessAudit-Bench (arXiv:2605.14271) two-category taxonomy (resource_access, info_transfer) as a corpus schema extension; CorpusEntry.violation_category field + CategoryCount decision field; airlock corpus-bench reports per-category coverage in text/json/md; NOT a reproduction of HarnessAudit-Bench (artifacts not yet public — taxonomy adopted as schema, scoring is not)
Stainless SDK provenance classifier	v0.8.3 — pure-function classify_sdk_lineage(user_agent, response_body_head) building block flags MCP servers generated by the deprecated Stainless SDK toolchain (Anthropic acquired Stainless 2026-05-13, hosted generator winding down); operator-callable from own audit hooks — NOT an automatic HTTP probe (decorator-in-process architecture, see ROADMAP §1); stainless_provenance_probe_defaults() preset is default_action=tag_only, visibility not enforcement
Examples	13 framework integrations (11 adapter-shipped + 2 example-only) with copy-paste code
Security Guide	Production deployment checklist
API Reference	Every function, every parameter
Egress Bench	CVE fixture walker — every payload previously blocked stays blocked
OX MCP Supply-Chain preset	Umbrella for the 2026-04-20 OX dossier (10 CVEs)
Elicitation guard (mcp_elicitation_guard_2026_04)	v0.6.0 — runtime mitigation for the MCP tool/elicitation round-trip (spec PR #1487, draft 2026-04-r1); blocks credential-request and policy-override classes
Config-path guard (CVE-2026-31402)	v0.6.0 — Claude Desktop MCP-server-registration path-traversal mitigation (CVSS 8.8)
Gemini 3 Agent Mode adapter	v0.6.0 — function_call carrier normalisation + thought_signature redaction; pinned SUPPORTED_VERSIONS set
OAuth state entropy guard	v0.6.0 — base64/hex/JSON decode + prompt-injection scan on the OAuth state parameter (BlackHat Asia 2026 vector)
airlock console	v0.6.0 — three-pane Textual TUI with live verdict stream + replay-on-edit; gated behind airlock[console] extra
airlock attest receipt	v0.6.0 — Sigstore-compatible signed agent-run receipts; emit + verify subcommands
policy_bundle.lock	v0.6.0 — hash-pinned preset bundles with Cargo.lock semantics; airlock pack lock + airlock replay --bundle-lock
airlock studio	v0.6.0 — local stdlib HTTP rehearsal sandbox; paste-a-transcript verdicts + diff between runs
smolagents wrapper	v0.6.0 — wrap_agent(agent, policy_bundle) for HuggingFace smolagents 1.18+ (4th first-class framework)
STDIO meta-guard (mcp_stdio_meta_cve_2026_04)	v0.5.9 — bundles every airlock STDIO defence into one chain; recommended default for any MCP server registered after 2026-04-26
LangGraph 1.0.11 ToolNode compat shim	v0.5.9 — silent unwrap survives the prebuilt 1.0.11 list-vs-dict shape break
GPT-5.5 ("Spud") agent defaults + tool-shape adapter	v0.5.9 — caps fan-out at 8 / context at 900k / per-call egress at 512 KB
Capability caps (agent_capability_default_caps)	v0.5.9 — programmatic caps for SIGN_CONTRACT / DELEGATE_TO_AGENT / INVOKE_TOOL / WRITE_FILE / NETWORK_EGRESS
OWASP Agentic 2026-Q1 coverage matrix	v0.5.9 — 10/10 mapping risk_id → guard + preset + test, CI gate fails on stale entries
Short-form-video corpus (wild-2026-04/short_form_video)	v0.5.9 — 5 transcript / on-screen / RTL PoCs; airlock replay --namespace short_form_video
airlock graph serve	v0.5.9 — local web UI of the live agent → tool → MCP-server topology with verdict overlay
airlock policy compile / explain	v0.5.9 — natural-language policy authoring with hash-pinned prompt + deterministic cache
airlock kill-switch	v0.5.9 — HMAC-signed cluster-wide freeze with 2-of-3 quorum reset
Comment-and-Control PR-metadata guard	v0.5.8 — neutralises CVSS 9.4 cross-vendor PR-title prompt injection
airlock pack	v0.5.8 — signed policy bundles; airlock pack install claude-code-ci@2026.04
airlock baseline	v0.5.8 — per-agent 7-day rolling profile + drift score
airlock attest	v0.5.8 — DSSE provenance per verdict
Cloudflare Mesh compat	v0.5.8 — runs alongside Mesh; de-duplicates overlapping policies
Manifest-only STDIO mode	v0.5.7 — signed-manifest registry; argv never originates from runtime input
STDIO-taint CI gate	v0.5.7 — AST taint analyzer; flags remote→Popen flows at PR time
Declarative preset YAML	v0.5.7 — composite presets via stdlib-only YAML parser
CVE-2026-30615 Windsurf zero-click	v0.5.7 — diff-on-demand mcp.json auto-load guard
CVE-2026-6980 GitPilot-MCP	v0.5.7 — repo_path injection (vendor unresponsive)
DockerBackend	v0.5.1 hardening + known gaps

Regulatory engagement

• Public comment draft — NIST AI RMF v2.0 Agentic-AI Security (window: 2026-04-18 → mid-June)

---

👤 About

Built by Sattyam Jain — AI infrastructure engineer.

This started as an internal tool after watching an agent hallucinate its way through a production database. Now it's yours.

---

🤝 Contributing

We review every PR within 48 hours.

git clone https://github.com/sattyamjjain/agent-airlock
cd agent-airlock
pip install -e ".[dev]"
pytest tests/ -v

• Bug? Open an issue
• Feature idea? Start a discussion
• Want to contribute? See open issues

---

💖 Support

If Agent-Airlock saved your production database:

• ⭐ Star this repo — Helps others discover it
• 🐛 Report bugs — Open an issue
• 📣 Spread the word — Tweet, blog, share

---

⭐ Star History

---

Built with 🛡️ by Sattyam Jain

_{Making AI agents safe, one decorator at a time.}

---

Sources: This README follows best practices from awesome-readme, Best-README-Template, and the GitHub Blog.