Agentwall
VEXA AgentWall is a local-first sidecar proxy that enforces deterministic security policies for autonomous AI agents communicating over the MCP protocol. It sits between an agent runtime and its MCP tool servers, intercepting every JSON-RPC call, evaluating it against a policy schema.
Ask AI about Agentwall
Powered by Claude Β· Grounded in docs
I know everything about Agentwall. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
VEXA AgentWall
Local-first sidecar proxy enforcing deterministic security policies for autonomous AI agents over MCP.
VEXA AgentWall sits between an AI agent runtime and its MCP (Model Context Protocol) tool servers. It intercepts every JSON-RPC tool call, evaluates it against a YAML-defined policy, and either allows or denies the call β while writing a cryptographically chained, tamper-evident audit log of every decision.
Table of Contents
- Why AgentWall?
- Key Benefits
- Official Landing Page
- Architecture & Enforcement Flow
- Demo UI
- Quickstart
- Policy Reference
- CLI Reference
- Key Features
- Security & Limitations
- Building from Source
- Contributing
- Support
- License
Why AgentWall?
Autonomous AI agents can call tools with real-world consequences β writing files, executing shell commands, making network requests. Without an enforcement layer, a hallucinated tool call or a compromised agent can cause irreversible damage.
AgentWall provides a zero-trust enforcement boundary with zero changes required to your agent code.
Key Benefits
| Benefit | Description |
|---|---|
| π‘οΈ Zero-Trust by Default | Explicit allow-list policy. Everything not permitted is denied. |
| π Cryptographic Auditability | Every decision is HMAC-SHA256 chained β tamper-evident and compliance-ready. |
| π Agent-Agnostic | Works as a transparent sidecar; no agent code changes required. |
| β‘ Ultra-Lightweight | Single Rust binary, zero external runtime dependencies, <10ms latency overhead. |
| π Operational Resilience | Token-bucket rate limiting prevents runaway loops and API flooding. |
| π§ͺ Frictionless Development | Dry-run mode and a pre-flight check tool let you iterate safely. |
Key Features
| Feature | Description |
|---|---|
| Nested Validation | Full JSON Schema validation for nested parameters with depth limiting. |
| Identity Binding | OIDC-bound JWT validation for tool calls with background JWK rotation. |
| Promotion Suite | agentwall promote for production readiness checks and cryptographic signing. |
| Durable Audit | Every decision is HMAC-SHA256 chained β tamper-evident and compliance-ready. |
| Rate Limiting | Token-bucket rate limiting per session and per tool. |
| Dry-Run Mode | Policy enforcement simulation for safe development and onboarding. |
| Policy Generation | agentwall init scaffolds a policy from observed tool calls. |
| Zero-Dependency UI | A local dashboard for real-time monitoring and policy testing. |
| Bidirectional MCP Interception | HTTP proxy + stdio wrap for fullβduplex tool calls (FRβ302). |
| Safe Mode | Sensible out-of-the-box security blocking high-signal threats (secrets, exfil, SSRF) with zero configuration. |
Official Landing Page
For more information, product tours, and demo requests, visit: https://vexasec.io/agentwall.html
Architecture & Enforcement Flow
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AI Agent Runtime β
β (any framework: LangChain, AutoGPT, β¦) β
ββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β JSON-RPC over HTTP or Stdio (Wrap mode)
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VEXA AgentWall Proxy β
β βββββββββββββββ ββββββββββββββββ βββββββββββββββββ β
β β Policy Eval β β Safe Mode β β Audit Logger β β
β β (YAML) β β (Global Reg) β β(HMAC-SHA256) β β
β βββββββββββββββ ββββββββββββββββ βββββββββββββββββ β
ββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β Allowed calls forwarded
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β MCP Tool Servers β
β (filesystem, shell, search, database, β¦) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Transport Modes
AgentWall supports two distinct interception modes:
- HTTP Proxy Mode (
agentwall start): Intercepts MCP calls over HTTP. - Stdio Wrap Mode (
agentwall wrap): Wraps the agent executable, intercepting its standard input/output streams directly. This is ideal for CLI agents that don't support configuring a proxy URL.
Key Design Decisions
- Deny-by-default β only explicitly permitted tools/parameters pass through.
- Safe Mode Protection β out-of-the-box global rules blocking high-risk paths, exfiltration, and SSRF attempts even with no policy file.
- Regex-anchored patterns β all string parameters are validated against anchored regex (
^(?:...)$) to prevent partial-match bypasses. - Chained audit log β each entry's HMAC includes the previous entry's hash, forming a tamper-evident chain.
- Kill modes β on violation, the proxy can close the connection, SIGKILL the agent process, or both.
Operational Flow (Step-by-Step)
VEXA AgentWall acts as a mandatory enforcement layer between your AI agent and its tools.
AI AGENT VEXA AGENTWALL TOOL SERVER
β β β
β (1) Tool Call Request β β
ββββββββββββββββββββββββ>β β
β (HTTP or Stdio) β β
β β β
β ββββ [Evaluation Phase] β
β β β Identity Check β
β β β Rate Limiting β
β β β Global Safe Mode β
β β β Param Validation β
β β<ββ β
β β β
β ββββ [Durable Logging] β
β β β Chained HMAC β
β β β fsync to Disk β
β β<ββ β
β β β
β [IF ALLOWED] β β
β β (2) Forward Call β
β ββββββββββββββββββββββββ>β
β β β
β β (3) Return Result β
β β<ββββββββββββββββββββββββ€
β (4) Tool Result β β
β<ββββββββββββββββββββββββ€ β
β β β
β [IF DENIED] β β
β β β
β (2) Policy Error β β
β<ββββββββββββββββββββββββ€ β
β ββββ [Enforcement] β
β β β Trigger --kill-mode β
β β<ββ β
β β β
- Deployment & Interception:
- HTTP Mode: You set
AGENTWALL_PROXY_URL(e.g.,http://127.0.0.1:8080). The AI agent's MCP SDK redirects JSON-RPC traffic to the proxy listener. - Stdio Mode: You launch your agent via
agentwall wrap --command "agent-exec". The proxy spawns the agent as a child process and intercepts its standard input/output streams.
- HTTP Mode: You set
- Evaluation: For every intercepted tool call, the policy engine evaluates the request against
policy.yaml. This includes Identity Binding (JWT check), Rate Limiting, and Nested Parameter Validation (JSON Schema). - Durable Logging: The decision (
allowordeny) is written to the audit log. The entry is cryptographically chained (HMAC-SHA256) and immediately flushed to disk (fsync) before any action is taken. - Enforcement:
- On Success: The call is forwarded to the upstream MCP server.
- On Violation: The call is blocked. The proxy returns a JSON-RPC error to the agent and, depending on the configured
--kill-mode, may immediately terminate the agent process to prevent further unauthorized attempts.
[!IMPORTANT] Why the agent has no choice but to use the proxy:
- SDK-Level Resolution: Most MCP SDKs resolve the server URL from
AGENTWALL_PROXY_URLat import time.- Stdio Pipe Ownership: In
wrapmode, the proxy owns the agent's input/output pipes; the agent has no direct way to communicate with tools except through these supervised channels.- Network Egress Control: Direct MCP access should be blocked at the OS or network level (e.g.,
iptablesor K8sNetworkPolicy). Even if an agent tries to ignore environment variables, it cannot reach the MCP server any other way.
Demo UI
AgentWall ships with a local-first demo dashboard for exploring its features interactively without writing any code.
The demo UI is a zero-dependency single-page app (no npm, no build step) backed by a lightweight Python bridge server that relays commands to the agentwall binary.
demo-ui/
βββ index.html # Single-page dashboard (open directly in browser)
βββ bridge.py # Python bridge server (Flask) β relays API calls to the binary
βββ policy.example.yaml # Default demo policy template
βββ README.md # Demo-specific setup guide
Demo UI Features
| Panel | Key | What It Does |
|---|---|---|
| Policy Editor | 01 | Live YAML editor with one-click pre-flight validation against built-in sample calls |
| Monitor & Auth | 02 | Start/stop the proxy, watch real-time log stream via SSE, and simulate identity-bound calls |
| Policy Promotion | 03 | Verify policy integrity, risk scores, and cryptographic signatures for production readiness |
| Audit History | 04 | Browse all log entries with stats (total / allowed / denied / p95 latency) |
| Session Report | 05 | Generate and view a session analytics report with blocked incidents and tool usage |
Quick Launch (macOS/Linux)
# 1. Install Python dependencies (one-time)
pip install flask flask-cors
# 2. Start the bridge server (from demo-ui folder)
cd demo-ui
python3 bridge.py --vexa-bin ../agentwall
# 3. Open the UI β open index.html in your browser
# (e.g. 'open index.html' on macOS)
Quick Launch (Windows)
# 1. Install Python dependencies (one-time)
pip install flask flask-cors
# 2. Start the bridge server (from demo-ui folder)
cd demo-ui
python bridge.py --vexa-bin ..\agentwall.exe
# 3. Open the UI β just double-click index.html in File Explorer
# or navigate to it in your browser
See
demo-ui/README.mdfor the full setup guide including all bridge server options.
Quickstart
The recommended path starts locally in dry-run mode β no CI/CD, no DevOps, no pipeline changes.
Prerequisites
- Rust Toolchain:
cargoandrustc(v1.75+). Install from rustup.rs. - Python 3.8+: Required for running the included simulation scripts and the Demo UI bridge.
- Git: To clone and manage the repository.
Step 1 β Clone the repository
git clone https://github.com/noviqtechnologies/agentwall.git
cd agentwall
Step 2 β Build the binary
Before you start, build the project and move the binary to the root for easier access:
macOS/Linux (Bash):
cargo build --release
cp target/release/agentwall .
Windows (PowerShell):
cargo build
copy target\debug\agentwall.exe .
Step 3 β Start in dry-run mode without a policy
Open a terminal and start the proxy.
Bash:
./agentwall start --dry-run --listen 127.0.0.1:8080 --log-path audit.log &
# Wait for proxy
until curl -sf http://127.0.0.1:8080/healthz; do sleep 0.1; done
PowerShell:
Start-Process -FilePath ".\agentwall.exe" -ArgumentList "start", "--dry-run", "--listen", "127.0.0.1:8080", "--log-path", "audit.log"
Step 4 β Point your agent at the proxy (or simulate a call)
To test the proxy immediately, you can use the provided quickstart agent script.
Bash:
# Set environment variable
export AGENTWALL_PROXY_URL=http://127.0.0.1:8080
# Simulate a tool call
curl -X POST http://127.0.0.1:8080 -H "Content-Type: application/json" -d '{"jsonrpc": "2.0", "method": "tools/call", "params": {"name": "read_file", "arguments": {"path": "test.txt"}}, "id": 1}'
PowerShell (Windows):
# Set the environment variable for your session
$env:AGENTWALL_PROXY_URL="http://127.0.0.1:8080"
# Run the simulated agent
python quickstart_agent.py
Once you are ready, you can run the provided quickstart agent:
python quickstart_agent.py
Step 5 β See what your agent actually did
# macOS/Linux (Bash):
./agentwall report audit.log --format text
# Windows (PowerShell):
.\agentwall.exe report audit.log --format text
Step 6 β Generate a starter policy
# macOS/Linux (Bash):
./agentwall init --from-log audit.log
# Windows (PowerShell):
.\agentwall.exe init --from-log audit.log
Step 7 β Tune the generated policy and re-run with enforcement
Edit policy.yaml β tighten regexes, remove tools your agent shouldn't need. Then pre-flight validate using the security test suite:
# macOS/Linux:
./agentwall test --policy policy.yaml audit.log
# Windows:
.\agentwall.exe test --policy policy.yaml audit.log
Finally, run with enforcement enabled (no --dry-run):
macOS/Linux (Bash):
# Adding & at the end runs it in the background
./agentwall start --policy policy.yaml --listen 127.0.0.1:8080 --log-path audit.log --kill-mode both &
Windows (PowerShell):
# Start-Process ensures the proxy runs in a separate window so it doesn't block your terminal
Start-Process -FilePath ".\agentwall.exe" -ArgumentList "start", "--policy", "policy.yaml", "--listen", "127.0.0.1:8080", "--log-path", "audit.log", "--kill-mode", "both"
Step 8 β Verify the log
Note: If you didn't run the proxy in the background in the previous step, you must open a new terminal window to run this command.
# macOS/Linux (Bash):
./agentwall verify-log audit.log
# Windows (PowerShell):
.\agentwall.exe verify-log audit.log
Path B β CI/CD Integration (Graduation Path)
Once you have a working local policy and at least one session report, you can deploy the proxy to your CI/CD pipeline or cluster, enforcing the same policy.yaml.
Policy Reference
A policy file is a YAML document with the following structure:
version: "2" # Schema version (FR-201/202 support)
default_action: deny # "allow" or "deny" for unconfigured tools
identity: # FR-202: Identity Binding
issuer: "https://auth.com" # OIDC issuer URL
audience: "agentwall-proxy" # Expected audience in JWT
session:
max_calls_per_second: 10 # Optional: rate limit across all tools
tools:
- name: "query_database" # FR-201: Nested Validation Engine
action: allow
risk: high # Required for FR-204 promotion
parameters:
- name: "options"
type: object
schema: # Recursive JSON Schema validation
type: object
properties:
query: { type: string, pattern: "^SELECT.*" }
limit: { type: integer, maximum: 100 }
required: ["query"]
Pattern Auto-Anchoring
All regex patterns are automatically wrapped in ^(?:...)$ to prevent partial-match bypasses. For example:
pattern: "/workspace/.*"
# Becomes: ^(?:/workspace/.*)$
β Footgun Warning: If you use alternation like
foo|bar/.*, the non-capturing group ensures it evaluates as^(?:foo|bar/.*)$, not(^foo)|(bar/.*$). Do not disable anchoring in production.
CLI Reference
agentwall <SUBCOMMAND>
SUBCOMMANDS:
start Start the proxy server (HTTP mode)
wrap Wrap an agent executable, intercepting its stdio (Stdio mode)
test Execute security unit tests against a fixture file (FR-204)
promote Validate and sign a policy for production (FR-204)
verify-log Verify cryptographic integrity of an audit log
report Generate a session analytics report from an audit log
init Generate a starter policy from a dry-run audit log
OPTIONS FOR 'start':
--policy <PATH> Path to policy YAML file
--listen <ADDR> Listen address (default: 127.0.0.1:8080)
--mcp-url <URL> Upstream MCP server URL (default: http://127.0.0.1:3000)
--log-path <PATH> Path for the audit log file
--kill-mode <MODE> Action on policy violation: connection | process | both (default: connection)
--dry-run Log violations but do not enforce them
--oidc-issuer <URL> Override OIDC issuer for identity binding (FR-202)
--report-path <PATH> Path to write the session report JSON on shutdown
OPTIONS FOR 'wrap':
--command <CMD> The full command to execute and wrap (e.g., 'python agent.py')
--policy <PATH> Path to policy YAML file
--log-path <PATH> Path for the audit log file
--kill-mode <MODE> Action on policy violation: connection | process | both (default: connection)
OPTIONS FOR 'test':
--policy <PATH> Policy YAML file to validate against
<FIXTURE> JSON file containing an array of tool calls to test
OPTIONS FOR 'promote':
--policy <PATH> Policy YAML file to promote
--key <PATH> Path to Ed25519 private key (optional: generates temp key if absent)
OPTIONS FOR 'report':
<LOG_PATH> Path to audit log file
--format <FORMAT> Output format: json | text (default: json)
--report-include-params Include raw parameters in the report (WARNING: sensitive data)
OPTIONS FOR 'init':
--from-log <PATH> Audit log to derive policy from
--output <PATH> Output policy file path (default: policy.yaml)
Security & Limitations
What AgentWall Cannot Prevent
-
Direct Bypass: The proxy cannot stop an agent from calling MCP servers directly if the network allows it. You must block direct MCP egress at the OS/container level (e.g., Kubernetes
NetworkPolicy,iptables) and force all traffic through the proxy. -
SIGKILL Rollback: When a violation triggers a kill, the proxy terminates the connection and/or process. It cannot roll back side effects already committed by the MCP server before termination.
--kill-mode Reference
| Mode | Behaviour | When to Use |
|---|---|---|
connection | Closes the TCP socket immediately | Default β K8s without shareProcessNamespace |
process | Sends SIGKILL to the agent's PID | Single-host deployments |
both | Closes socket and sends SIGKILL; falls back to connection-only if kill fails | Maximum enforcement |
Kubernetes Note: PID namespaces are not shared by default. Set
shareProcessNamespace: truein your pod spec if you wantprocessorbothkill mode to work.
Dry-Run Security Implications
Starting the proxy with --dry-run (or VEXA_DRY_RUN=true) logs violations as DRY_RUN_DENY but forwards the call to the MCP server anyway. The agent is never killed.
β WARNING: Dry-run disables enforcement. It is for policy development only. A
dry_run_activesecurity event is logged at startup, and the final session report will explicitly mark"dry_run": true. Never use in production.
Building from Source
Prerequisites: Rust toolchain 1.75+
# Debug build (faster compilation, larger binary)
cargo build
# Release build (optimized, recommended for benchmarking)
cargo build --release
# Run the test suite
cargo test
# Run benchmarks
cargo bench
The compiled binary is agentwall (or agentwall.exe on Windows).
Contributing
We welcome contributions! Whether it's reporting a bug, improving documentation, or submitting a Pull Request, please check our GitHub Issues to get started.
- Fork the repository.
- Create a feature branch (
git checkout -b feature/amazing-feature). - Commit your changes (
git commit -m 'Add some amazing feature'). - Push to the branch (
git push origin feature/amazing-feature). - Open a Pull Request.
Support
- Documentation: coming soon
- Email Support: support@vexasec.io
- Issues: GitHub Issues
Security Policy
If you discover a security vulnerability within VEXA AgentWall, please send an e-mail to security@vexasec.io. All security vulnerabilities will be promptly addressed.
License
Apache-2.0 Β© NoviqTech β see LICENSE for details.