{"slug": "claw-patrol-an-open-source-security-firewall-for-agents", "title": "Claw Patrol: an open-source security firewall for agents", "summary": "The article introduces Claw Patrol, an open-source security firewall developed by Deno to address the risks of giving AI agents access to production systems like AWS, Kubernetes, and databases. Unlike existing solutions that only handle HTTP traffic, Claw Patrol routes agent traffic through a WireGuard or Tailscale tunnel to a gateway that parses non-HTTP protocols (e.g., SQL, Kubernetes API), injects credentials, and enforces rules written in HCL—allowing verdicts like allow, deny, or multi-step approval chains involving LLM judges and human approvers.", "body_md": "Claw Patrol: an open-source security firewall for agents\nAt Deno, we run Deno Deploy, JSR, and a handful of other production services. We’re increasingly using agents to help with operations: triage PagerDuty alerts, check dashboards, query logs, run kubectl, roll back a bad deploy, and so on.\nThat means giving the agents access to many of the production systems an engineer has: AWS, GCP, Postgres, Kubernetes, ClickHouse, GitHub, Slack, Grafana.\nThis requires extreme care, and presents a dilemma.\nAn agent with limited access isn’t very useful. But the more access it has, the\nmore dangerous it is: `kubectl delete namespace prod` and\n`psql -c 'DROP TABLE users'` are both one tool call away.\nAn agent cannot be trusted to police itself. The agent process holds tools\n(`psql`, `kubectl`, `gh`, `curl`) and the credentials those tools need. A prompt\ninjection, a hallucination, or a bad tool call can use them.\nAnd we can’t change how the agent behaves. Most of what we run (Claude Code, Codex) is code we install, not code we wrote. Any solution has to sit outside the agent.\nA concrete example from our setup: We have a production Aurora database inside a\nVPC, reachable only through an EKS apiserver. 
It’s extremely useful if our\nagents, which run 24/7, have read access to this database. But we must ensure\nthe agent could never call `DROP TABLE`.\nThat’s an outbound network path the agent’s host can’t reach, on a protocol that isn’t HTTP, gated by a rule that has to understand SQL.\nThere’s a growing set of projects and products around this area:\n- LLM gateways (Helicone, Portkey, OpenRouter, LiteLLM) and content guardrails (NeMo Guardrails, Lakera) watch the model call. Agents talk to many services other than the models; those calls never reach the LLM gateway.\n- HTTP tool-proxies (httpjail, Crab Trap) gate the outbound HTTP call. Agents also speak other non-HTTP protocols like Postgres and SSH.\n- Process sandboxes (NVIDIA OpenShell, agentsh) are generally focused on local access that the agent can make. We already run our agents on standalone VMs; for us these are only marginally useful.\n- Credential-injecting forward proxies (Agent Vault, Clawvisor) terminate TLS, inject credentials, and filter outbound HTTP. They match on HTTP method and URL, not other protocols; they decide allow or deny, without composing LLM judges and human approvers in chains; and they don’t tunnel onward to networks the agent’s host can’t reach. (Deno Sandbox ships a similar capability.)\nEach of these is solving part of the problem. None of them speak anything beyond HTTP, however, and no combination of them reaches a Postgres database through an EKS apiserver, or gates by SQL verb.\nFor agents touching real production systems, that gap is the whole game.\nToday we’re open-sourcing our solution to this problem: Claw Patrol.\nAgent traffic routes through a WireGuard or Tailscale tunnel to a gateway that terminates TLS, parses the inner protocol, holds and injects the real credentials, and evaluates each request against rules you write in HCL. 
The gateway can tunnel onward to reach networks the agent’s host can’t (a kubectl port-forward into EKS, a Cloud SQL proxy, a tailnet).\nHere’s one rule from our config, as an example, denying reads of Kubernetes secrets across our deploy clusters:\n```hcl\nrule \"k8s-no-secrets\" {\n  endpoints = [kubernetes.deploy-dev, kubernetes.deploy-prod]\n  condition = \"k8s.resource == 'secrets'\"\n  verdict = \"deny\"\n  reason = \"Secret values must not leave the cluster via the agent\"\n}\n```\nRules match on parsed protocol facets: HTTP method, path, and body; SQL verb,\ntables, and functions; Kubernetes verb, resource, and namespace. Verdicts can be\n`allow`, `deny`, or a chain of approvers: a model judging against a policy you\nwrite, a human in Slack, or both in sequence. We use the chain to gate\ncustomer-support replies our agent drafts. The LLM checks the body for markdown\nand tone, then a human in `#support` approves or edits the draft.\nCredentials live on the gateway, not the agent. The agent sends a\nplaceholder like `{{github_pat}}` and the gateway swaps in the real token on the\nwire. A compromised agent process can’t leak keys it never held in the first\nplace.\nWhile we’re excited to share Claw Patrol (under MIT license), it is currently alpha software. This is what’s working for us, so the protocol support is as broad as we need it. You’ll find sufficient documentation to code up support for other protocols. We’d especially love to see rule patterns from real deployments, protocols you’d want gated next, and rough edges in the install path. 
Issues and PRs welcome.\nThe getting-started guide takes you from zero to a working gateway in five minutes.", "url": "https://wpnews.pro/news/claw-patrol-an-open-source-security-firewall-for-agents", "canonical_source": "https://deno.com/blog/clawpatrol", "published_at": "2026-05-21 15:00:00+00:00", "updated_at": "2026-05-22 12:17:56.293967+00:00", "lang": "en", "topics": ["open-source", "cybersecurity", "artificial-intelligence", "developer-tools", "cloud-computing"], "entities": ["Deno", "Deno Deploy", "JSR", "Claude Code", "Codex", "AWS", "GCP", "Kubernetes"], "alternates": {"html": "https://wpnews.pro/news/claw-patrol-an-open-source-security-firewall-for-agents", "markdown": "https://wpnews.pro/news/claw-patrol-an-open-source-security-firewall-for-agents.md", "text": "https://wpnews.pro/news/claw-patrol-an-open-source-security-firewall-for-agents.txt", "jsonld": "https://wpnews.pro/news/claw-patrol-an-open-source-security-firewall-for-agents.jsonld"}}