Nice work shipping this.
Disclosure: author of a related tool here. I have created agent-vault-proxy for a very similar reason. It can also help keep credentials out of the agent process. The agent gets a placeholder, the proxy swaps in the real secret in transit.
I read them as complementary: action firewall in front, credential broker behind. https://github.com/inflightsec/agent-vault-proxy
This is very interesting. I built something like this, but native to Claude Code and something that focuses on just logging the violation. My question is: if you are terminating a process within the workflow, will that about all other things that executed before? Anyway, would love your feedback on this https://github.com/varmabudharaju/agent-pd
Claw Patrol runs on the network level. There’s no process being terminated - HTTP/SQL/etc. are rejected based on rules that you define. It’s resilient to the agent making changes to its own hooks or bypassing a local sandbox.
*abort
How will credentials be injected via the gateway for each user? If we have 5 users with one gateway, how does it know whose GitHub credential to inject?
You can define different profiles that are associated with different credentials. Take a look here https://clawpatrol.dev/docs/credentials/#single-credential-t...
I did this
This is a really cool library to look at even if you aren't running openclaw directly.
Lots of good concepts to seek inspiration from.
1. process-scoped egress policy
2. policy-as-code
3. explicit approval classes
4. normalized network/guardrail receipts
5. structured guardrail outcomes
6. centralized decision rules
Thanks! Don't forget wire-level protocol parsing - this is important because agents usually can spawn subprocesses and if they have Postgres credentials, you're just one psql call away from disaster if you only have MCP/HTTP proxies in place.
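An added illustration of the wire-level parsing point in the comment above (not from the thread and not Claw Patrol's code): a sketch that frames PostgreSQL frontend messages from a raw byte stream and applies a deny rule to the SQL they carry. The `DENY` rules, function names and sample bytes are assumptions constructed for this example; a real gateway would use a proper SQL parser rather than a regex.

```python
import re
import struct

# Hypothetical deny rules for this sketch; not Claw Patrol's rule syntax.
DENY = [re.compile(r"^\s*(DROP|TRUNCATE)\b", re.I)]

def frontend_messages(buf: bytes):
    """Yield (type, payload) for each complete post-startup frontend message.
    Framing: 1-byte type, then a big-endian int32 length that counts itself
    and the payload but not the type byte."""
    pos = 0
    while pos + 5 <= len(buf):
        mtype = buf[pos:pos + 1]
        (length,) = struct.unpack_from("!I", buf, pos + 1)
        end = pos + 1 + length
        if length < 4 or end > len(buf):
            break  # malformed or partial message: caller must buffer more
        yield mtype, buf[pos + 5:end]
        pos = end

def sql_of(mtype: bytes, payload: bytes):
    """Extract SQL text from Query ('Q') and Parse ('P') messages."""
    if mtype == b"Q":
        return payload.split(b"\0", 1)[0].decode("utf-8", "replace")
    if mtype == b"P":
        parts = payload.split(b"\0", 2)  # statement name, query, rest
        if len(parts) >= 2:
            return parts[1].decode("utf-8", "replace")
    return None

def verdicts(buf: bytes):
    """Return [(sql, 'deny' | 'allow')] for every statement-bearing message."""
    out = []
    for mtype, payload in frontend_messages(buf):
        sql = sql_of(mtype, payload)
        if sql is None:
            continue
        # A simple Query may hold several ';'-separated statements.
        # Naive split: does not account for ';' inside string literals.
        stmts = [s for s in sql.split(";") if s.strip()]
        bad = any(r.search(s) for s in stmts for r in DENY)
        out.append((sql, "deny" if bad else "allow"))
    return out

def msg(mtype: bytes, payload: bytes) -> bytes:
    """Build one framed frontend message (used for the constructed sample)."""
    return mtype + struct.pack("!I", len(payload) + 4) + payload

# Constructed sample stream: two simple queries and one extended-protocol Parse.
SAMPLE = (msg(b"Q", b"SELECT 1\0")
          + msg(b"Q", b"select 1; drop table users\0")
          + msg(b"P", b"\0TRUNCATE audit_log\0\0\0"))
```

Because the check runs on the bytes of the connection, it applies equally to a driver, an MCP tool, or a `psql` subprocess the agent spawned.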
Neat! Reading the docs - it's default-allow and ships with no rules? Any plans for a default rule set?
Yes, default allow and no rules by default. Some sort of default policy would be a great feature - I've been considering it. No one wants agents to DROP tables.
We have a big and detailed config file for our own internal use - but reluctant to release that exactly because it has information about our systems.
There's an example config file here that might be helpful https://github.com/denoland/clawpatrol/blob/main/examples/ga... - we use agents to write the config by pointing it at https://clawpatrol.dev/llms-full.txt
Really interesting work! I am curious how you handle rule configuration for different protocols such as Postgres or SSH. Thanks for open-sourcing it under MIT.
There's a plugin API https://clawpatrol.dev/docs/plugins/