Policy-enforced firewall for AI agent tool calls

Project description

agentfirewall

Policy-enforced firewall for AI agent tool calls. Intercepts, evaluates, and audits every tool invocation against a YAML security policy.

Install

pip install agentfirewall

Quick Start

# 1. Initialize policy and audit log
agentfirewall init

# 2. Install hooks into Claude Code
agentfirewall install

# 3. Done -- every tool call is now checked against .agentfirewall/policy.yaml

How It Works

Tool Call (e.g. Bash "rm -rf /")
        |
        v
  +-----------+
  | PreToolUse |  <-- Claude Code hook reads stdin JSON
  |   Hook     |
  +-----+-----+
        |
        v
  +-----------+
  | Interceptor| <-- Evaluates against policy.yaml
  |  .check()  |    Scans params for secrets
  +-----+-----+
        |
   +----+----+
   |         |
 ALLOW     DENY ---------> exit 2 (blocks tool call)
   |                        + JSON reason to stdout
   v
 Tool Executes
   |
   v
  +-----------+
  | PostToolUse| <-- Logs execution to audit.jsonl
  |   Hook     |
  +-----------+

Policy Reference

Policies are YAML files at .agentfirewall/policy.yaml:

version: "1.0"
name: "my-policy"
description: "Custom security policy"
default_action: log          # allow | deny | log | alert

rules:
  - name: allow-read-operations
    tools: ["Read", "Glob", "Grep"]     # fnmatch patterns
    action: allow
    reason: "Read operations are safe"

  - name: block-dangerous-bash
    tools: ["Bash"]
    resources: ["rm -rf *", "sudo *"]   # resource patterns
    action: deny
    reason: "Dangerous shell commands blocked"

  - name: alert-mcp-tools
    tools: ["mcp__*"]                   # wildcards supported
    action: alert
    reason: "MCP tool calls flagged for review"

  - name: log-all-writes
    tools: ["Write", "Edit"]
    action: log
    reason: "File modifications logged"

Actions:

  • allow -- permit the tool call
  • deny -- block the tool call (exit code 2)
  • log -- permit but log to audit trail
  • alert -- permit, log, and fire webhook alert
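The following is an added, self-contained example (not agentfirewall's own code) that shows how a policy like the one above is applied to a tool call and how the PreToolUse hook outcome in the diagram maps onto an exit code and a JSON reason. The policy is the YAML from this section re-expressed as a Python dict so no YAML parser is needed. Two details are assumptions, since the page does not state them: rules are evaluated in order with the first match winning (falling through to default_action), and resource patterns are fnmatch'ed against the string parameter values of the call (for Bash, the command). The tool_name / tool_input field names follow the JSON that Claude Code hands a hook on stdin.

```python
import json
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed policy: mirrors the YAML in the Policy Reference above,
# written as a dict so this example runs with the standard library only.
POLICY = {
    "version": "1.0",
    "name": "my-policy",
    "default_action": "log",
    "rules": [
        {"name": "allow-read-operations", "tools": ["Read", "Glob", "Grep"],
         "action": "allow", "reason": "Read operations are safe"},
        {"name": "block-dangerous-bash", "tools": ["Bash"],
         "resources": ["rm -rf *", "sudo *"],
         "action": "deny", "reason": "Dangerous shell commands blocked"},
        {"name": "alert-mcp-tools", "tools": ["mcp__*"],
         "action": "alert", "reason": "MCP tool calls flagged for review"},
        {"name": "log-all-writes", "tools": ["Write", "Edit"],
         "action": "log", "reason": "File modifications logged"},
    ],
}


@dataclass
class Decision:
    action: str              # allow | deny | log | alert
    reason: str
    rule: Optional[str]      # name of the matching rule, None for default_action


def _resource_matches(patterns, params):
    # Assumption: a resource pattern is matched (case-sensitively) against
    # every string-valued parameter; any hit counts. For Bash that means the
    # "command" parameter, so "rm -rf *" catches "rm -rf /".
    for value in params.values():
        if isinstance(value, str) and any(fnmatchcase(value, p) for p in patterns):
            return True
    return False


def evaluate(policy, tool, params):
    # Assumption: first matching rule wins; tool names use fnmatch wildcards
    # (so "mcp__*" covers every MCP tool). A rule that lists resources only
    # matches when one of them matches, otherwise evaluation continues.
    for rule in policy["rules"]:
        if not any(fnmatchcase(tool, t) for t in rule["tools"]):
            continue
        resources = rule.get("resources")
        if resources and not _resource_matches(resources, params):
            continue
        return Decision(rule["action"], rule["reason"], rule["name"])
    return Decision(policy["default_action"], "default_action", None)


def handle_pre_tool_use(stdin_json, policy=POLICY):
    """Hook-style wrapper: takes the JSON text a PreToolUse hook reads from
    stdin and returns (exit_code, stdout_text). Exit 2 blocks the tool call
    and the reason is emitted as JSON on stdout, as the diagram describes;
    anything else exits 0 and lets the tool run."""
    event = json.loads(stdin_json)
    decision = evaluate(policy, event["tool_name"], event.get("tool_input", {}))
    if decision.action == "deny":
        payload = {"decision": "deny", "reason": decision.reason, "rule": decision.rule}
        return 2, json.dumps(payload)
    return 0, ""


if __name__ == "__main__":
    # Constructed hook input, shaped like the stdin JSON a hook receives.
    sample = json.dumps({"tool_name": "Bash", "tool_input": {"command": "rm -rf /"}})
    code, out = handle_pre_tool_use(sample)
    print(code, out)
```

Note that with default_action set to log, an unmatched tool (or a Bash command that matches no resource pattern) is permitted; a deny-by-default posture needs `default_action: deny` plus explicit allow rules for the tools the agent legitimately uses.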

CLI Reference

Command                       Description
agentfirewall init            Create .agentfirewall/ with default policy and audit log
agentfirewall install         Add PreToolUse/PostToolUse hooks to .claude/settings.local.json
agentfirewall uninstall       Remove agentfirewall hooks from settings
agentfirewall validate        Validate policy YAML and print rule summary
agentfirewall audit           Query audit log (supports --tail, --tool, --action filters)
agentfirewall scan [PATH]     Run security scanner on project files

Python API

from agentfirewall import Interceptor, PolicyViolationError
from agentsec_core.schemas import PolicyAction

# From a policy file
interceptor = Interceptor(policy_path=".agentfirewall/policy.yaml")

# Check a tool call (returns PolicyDecision, never raises)
decision = interceptor.check("Bash", {"command": "rm -rf /"})
if decision.action == PolicyAction.DENY:
    print(f"Blocked: {decision.reason}")

# Check and raise on deny
try:
    interceptor.check_or_raise("Bash", {"command": "rm -rf /"})
except PolicyViolationError as e:
    print(f"Violation: {e.decision.reason}")

# Decorator pattern
@interceptor.wrap("data_export")
def export_data(**kwargs):
    ...  # Only runs if policy allows

Requirements

License

MIT

Download files

Source Distributions

No source distribution files available for this release.

Built Distribution

agentsec_firewall-0.1.0-py3-none-any.whl (8.8 kB view details)

Uploaded Python 3

File details

Details for the file agentsec_firewall-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for agentsec_firewall-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 02e4490e00ede0dc9f01a086944603e87a659d959ffe106d1a10ff47a8d631f8
MD5 0dc85064cc0c56ccc8688ced43dd75f7
BLAKE2b-256 d0f2fda572c4164adab89fe5c6529cba8026eba0665a55960a98c91533b77987
