Skip to main content

AI Agent Runtime Security Platform — runtime security and behavioral monitoring for agentic AI systems

Project description

AgentWall

Behavior-based runtime security for AI agents.

AgentWall is an SDK-first runtime security platform that sits between AI agents and tools, monitoring actions in real time to detect and prevent unsafe behavior.

Unlike prompt scanners and jailbreak detectors, AgentWall focuses on what agents actually do, not what users say.


Why AgentWall?

Modern AI agents can:

  • Read files
  • Execute tools
  • Access APIs
  • Send emails
  • Interact with external systems

A successful prompt injection often matters only because it changes agent behavior.

AgentWall detects:

  • Goal Hijacking
  • Tool Misuse
  • Scope Expansion
  • Sensitive Resource Access
  • Data Exfiltration
  • Unauthorized Actions
  • Behavioral Drift
  • Goal Drift

How It Works

User Goal
    ↓
AI Agent
    ↓
AgentWall Runtime
    ↓
Tool Execution

Before a tool executes, AgentWall evaluates:

  • Current goal
  • Tool being used
  • Resource being accessed
  • Recent tool history
  • Active policies
  • Risk score

AgentWall may:

  • ALLOW
  • WARN
  • BLOCK

depending on risk and alignment.


Installation

pip install agentwall-security

Quick Start — Zero Configuration

import agentwall  # auto-instruments all supported frameworks

That's it. No protect_* calls. No session management. No goal strings.

AgentWall automatically:

  • Detects LangChain, OpenAI Agents SDK, and CrewAI at import time
  • Instruments runtimes via lightweight patching
  • Creates sessions per agent run
  • Infers goals from the agent's first input
  • Tracks goal transitions throughout the session
  • Classifies tool types from function names and docstrings
  • Evaluates runtime actions before execution
  • Records audit events to ~/.agentwall/data.db

LangChain

import agentwall

executor = AgentExecutor(agent=agent, tools=tools)
result = executor.invoke({"input": "Fix the authentication bug in login.tsx"})

OpenAI Agents SDK

import agentwall

result = await Runner.run(agent, "Fix the authentication bug in login.tsx")

CrewAI

import agentwall

result = crew.kickoff(inputs={"task": "Fix authentication bug"})

Disable Auto-Instrumentation

AGENTWALL_AUTO=0 python your_script.py

Advanced Usage

Use explicit protection functions for full manual control over sessions, goals, and tool type mappings.

from agentwall.integrations.langchain import protect_langchain_agent
from agentwall.core.types import ToolType

wall = protect_langchain_agent(
    executor,
    goal="Fix the authentication bug in login.tsx",
    tool_type_map={
        "read_file": ToolType.FILESYSTEM,
        "list_directory": ToolType.FILESYSTEM,
    },
)

result = executor.invoke({"input": "Read login.tsx and find the bug."})
wall.end_session()

See INSTALLATION_GUIDE.md for full advanced usage examples.


Key Features

Zero Configuration

One import enables automatic protection for all supported frameworks with no code changes required.

Automatic Goal Inference

Goals are inferred from agent inputs automatically. Goal history, transitions, and confidence are recorded throughout the session.

Goal Drift Detection

Detects when agent actions deviate from the inferred or stated goal — a key signal for prompt injection compromise.

Automatic Tool Classification

Tools are classified by type (filesystem, terminal, API, database, email, browser) from function names and docstrings. No manual tool_type_map required.

Runtime Security

Behavior-based protection. Evaluates actions before execution. Raises AgentWallSecurityException on BLOCK.

Goal Tracking

Tracks goal segments throughout a session. Detects transitions using a two-signal heuristic (token overlap + resource token overlap). Records confidence per segment.

Policy Engine

Create custom allow/warn/block rules targeting specific tool types, actions, resource categories, and path patterns.

Post-Execution Analysis

Classifies tool outcomes after execution. Detects sensitive data exposure, bulk data access, external transfers, and email dispatch. Audit-only — never retroactively blocks.

Inspector

Native desktop security console. Launch with:

agentwall inspect

Pages:

  • Overview — live stats: active executions, tool calls, risk distribution, top detectors
  • Executions — per-execution history with tool calls, security evaluations, and goal timeline drill-down
  • Providers — LLM evaluator configuration
  • Policies — policy management

The Inspector backend polls the same local SQLite database used by protected agents. Overview and Executions are scoped to the project where agentwall inspect was launched. The backend pins that project context during startup, so later working-directory changes inside the Inspector process cannot switch projects. Every poll opens a fresh SQLite connection so executions from separate terminals in that same project appear without restarting the Inspector. The top bar includes a Refresh button that immediately reloads project context, Overview, Executions, Providers, and Policies.

Provider Agnostic

Supports:

  • OpenAI
  • Anthropic
  • Groq
  • DeepSeek
  • Ollama

Framework Integrations

Supports:

  • OpenAI Agents SDK
  • LangChain
  • CrewAI

CLI

agentwall version
agentwall doctor
agentwall config
agentwall inspect

Security Model

AgentWall focuses on:

  • Runtime behavior
  • Tool usage
  • Resource access
  • Goal alignment

AgentWall does not primarily operate as:

  • Prompt firewall
  • Jailbreak detector
  • Content moderation system

It evaluates the consequences of agent actions relative to the user's stated or inferred goal.


Supported Storage

Local-only architecture.

Uses:

  • SQLite (~/.agentwall/data.db)
  • OS Keyring (API keys only)
  • Local FastAPI backend
  • Local Inspector UI

No cloud dependency required.


Architecture

Auto Instrumentation Layer
    ↓
Goal Inference & Tracking
    ↓
Security Engine
    ↓
Policy Evaluation
    ↓
Risk Assessment + Goal Drift Detection
    ↓
Optional LLM Evaluation
    ↓
Decision (ALLOW / WARN / BLOCK)
    ↓
Tool Execution
    ↓
Post-Execution Analysis

Documentation


License

MIT License.


Status

v0.2.8

Production-ready.

Open-source and self-hosted.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

agentwall_security-0.2.8.tar.gz (186.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

agentwall_security-0.2.8-py3-none-any.whl (132.1 kB view details)

Uploaded Python 3

File details

Details for the file agentwall_security-0.2.8.tar.gz.

File metadata

  • Download URL: agentwall_security-0.2.8.tar.gz
  • Upload date:
  • Size: 186.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.9

File hashes

Hashes for agentwall_security-0.2.8.tar.gz
Algorithm Hash digest
SHA256 50118c9ecc2f98fae86acc36d6efb1a61f242e895ce2a45ad822fd3dbd605943
MD5 315b2ad8e540d379debefcee7b0eb6ca
BLAKE2b-256 d898d4215f99a84a15daa37e4f92d30d712ee67bfcfb91271ef08b69ea140a2b

See more details on using hashes here.

File details

Details for the file agentwall_security-0.2.8-py3-none-any.whl.

File metadata

File hashes

Hashes for agentwall_security-0.2.8-py3-none-any.whl
Algorithm Hash digest
SHA256 4b80c20cedff91fb37e0754f9c9eb30165fd22695eff8fb87dbff67679c93ac7
MD5 a0ea675784dce6cb64420a9ab99dbe71
BLAKE2b-256 9eed6faa3b158158cd2f1c8f00a80ecb72beb664e13ee7e1e5edf210670c9247

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page