Show HN: Claw Patrol, a security firewall for agents (github.com)
radku 2 minutes ago [-]
Nice work shipping this.

Disclosure: author of a related tool here. I have created agent-vault-proxy for a very similar reason. It also can help keep credentials out of the agent process. The agent gets a placeholder, the proxy swaps in the real secret in transit.

I read them as complementary: action firewall in front, credential broker behind. https://github.com/inflightsec/agent-vault-proxy

varmabudharaju 24 minutes ago [-]
This is very interesting. I built something like this, but native to Claude Code, and something that focuses on just logging the violation. My question is: if you are terminating a process within the workflow, will that about all other things that executed before? Anyway, would love your feedback on this https://github.com/varmabudharaju/agent-pd
varmabudharaju 24 minutes ago [-]
*abort
Jayakumark 40 minutes ago [-]
How will credentials be injected via Gateway for each user? If we have 5 users with one gateway, how does it know whose GitHub credential to inject?
rough-sea 36 minutes ago [-]
You can define different profiles that are associated with different credentials. Take a look here https://clawpatrol.dev/docs/credentials/#single-credential-t...
Apylon777 2 days ago [-]
This is a really cool library to look at even if you aren't running openclaw directly.

Lots of good concepts to seek inspiration from.

1. process-scoped egress policy

2. policy-as-code

3. explicit approval classes

4. normalized network/guardrail receipts

5. structured guardrail outcomes

6. centralized decision rules

rough-sea 2 days ago [-]
Thanks! Don't forget wire-level protocol parsing - this is important because agents usually can spawn subprocesses, and if they have Postgres credentials, you're just one psql call away from disaster if you only have MCP/HTTP proxies in place.
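The wire-level parsing point in the comment above, as an added example that is not part of the thread and not Claw Patrol's code: a Python parser for PostgreSQL frontend messages that pulls the SQL out of `Q` (simple Query) and `P` (Parse) messages and applies a deny rule. The `DENY` rule, the function names and the sample bytes are assumptions made for illustration, and the stream is assumed to be post-startup and already decrypted.

```python
import re
import struct

# Assumed policy for illustration: refuse statements that start with DROP or TRUNCATE.
# Keyword match only; SQL comments or other syntax before the keyword are not handled.
DENY = re.compile(r"\s*(DROP|TRUNCATE)\b", re.IGNORECASE)

def frame(msg_type: bytes, payload: bytes) -> bytes:
    """One frontend message: type byte, then Int32 length covering itself and the payload."""
    return msg_type + struct.pack("!I", len(payload) + 4) + payload

def iter_messages(stream: bytes):
    """Yield (type, payload) for each complete message; stop at a truncated or malformed one."""
    pos = 0
    while pos + 5 <= len(stream):
        (length,) = struct.unpack_from("!I", stream, pos + 1)
        end = pos + 1 + length
        if length < 4 or end > len(stream):
            return
        yield stream[pos:pos + 1], stream[pos + 5:end]
        pos = end

def sql_of(msg_type: bytes, payload: bytes):
    """Return the SQL text carried by a simple Query or a Parse message, else None."""
    if msg_type == b"Q":                      # Query: one null-terminated string
        return payload.split(b"\0", 1)[0].decode("utf-8", "replace")
    if msg_type == b"P":                      # Parse: statement name, then query string
        parts = payload.split(b"\0", 2)
        if len(parts) >= 2:
            return parts[1].decode("utf-8", "replace")
    return None

def verdicts(stream: bytes):
    """Return [(verdict, sql)] for every SQL-bearing message in the stream."""
    out = []
    for msg_type, payload in iter_messages(stream):
        sql = sql_of(msg_type, payload)
        if sql is not None:
            # A simple Query may carry several statements; splitting on ';' over-matches
            # inside string literals, which errs toward deny.
            denied = any(DENY.match(s) for s in sql.split(";"))
            out.append(("deny" if denied else "allow", sql))
    return out

# Constructed sample: frontend messages as a client could send them after startup.
CAPTURE = (frame(b"Q", b"SELECT 1\0")
           + frame(b"P", b"s1\0DROP TABLE users\0\0\0")
           + frame(b"Q", b"select now(); drop table t\0"))

if __name__ == "__main__":
    for verdict, sql in verdicts(CAPTURE):
        print(verdict, repr(sql))
```

A truncated trailing message yields no verdict here, so a proxy built this way should hold the bytes until the message completes instead of forwarding them.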
pavelpilyak 2 days ago [-]
Neat! Reading the docs - it's default-allow and ships with no rules? Any plans for a default rule set?
rough-sea 2 days ago [-]
Yes, default allow and no rules by default. Some sort of default policy would be a great feature - I've been considering it. No one wants agents to DROP tables.

We have a big and detailed config file for our own internal use - but reluctant to release that exactly because it has information about our systems.

There's an example config file here that might be helpful https://github.com/denoland/clawpatrol/blob/main/examples/ga... - we use agents to write the config by pointing it at https://clawpatrol.dev/llms-full.txt

Hans_Cui 5 hours ago [-]
Really interesting work! I am curious how you handle rule configuration for different protocols such as Postgres or ssh. Thanks for open-sourcing it under MIT.
rough-sea 36 minutes ago [-]
oneclickclaw 5 hours ago [-]
[flagged]