Deno open-sources Claw Patrol agent firewall

Deno open-sourced Claw Patrol, an agent firewall that intercepts traffic between AI agents and production systems to parse non-HTTP protocols and enforce action-level rules. The gateway extracts wire-level facts such as SQL verbs, Kubernetes resources, and HTTP methods, then evaluates them against rules written in HashiCorp Configuration Language (HCL). Released under an MIT license, the project supports credential injection, human-in-the-loop and LLM-based approval workflows, and deployment via WireGuard or Tailscale.

Deno released Claw Patrol, an open-source firewall that interposes between AI agents and production systems to parse non-HTTP protocols and enforce action-level rules. The Deno blog post (May 21, 2026) and the project's GitHub repo describe a gateway that extracts wire-level facts (SQL verbs, Kubernetes resource/verb/namespace, HTTP method/path) and evaluates them against rules written in HashiCorp Configuration Language (HCL). The project supports credential injection, human-in-the-loop and LLM approvers (the project site shows examples using claude-haiku-4-5-20251001), and deployment via WireGuard or Tailscale. The code is published under an MIT license on GitHub and is installable via the project's install.sh script, per the project website and package documentation.

What happened

Deno published Claw Patrol, an open-source security firewall for AI agents, in a May 21, 2026 blog post and on GitHub under an MIT license, according to the Deno blog and the project's GitHub repository. The project website and README describe a gateway that sits between agents and production services, parses traffic at the wire level for multiple protocols (Postgres, ClickHouse, Kubernetes, GitHub, Slack, HTTP), and evaluates each outbound request against user-defined rules written in HashiCorp Configuration Language (HCL).
The Deno blog states, "An agent cannot be trusted to police itself," framing the motivation for an external enforcement layer.

Technical details

The project extracts protocol-specific facts that rules can match against: SQL verbs and table names for Postgres/ClickHouse; k8s.resource, k8s.verb, and k8s.namespace for Kubernetes; and method/path/headers/body for HTTP, per the GitHub README and pkg.go.dev module documentation. The gateway supports per-process tunneling (clawpatrol run) via Linux network namespaces or macOS NetworkExtension, host-level tunnels via WireGuard (clawpatrol join), and a standalone proxy binary (clawpatrol gateway). The website and docs show rule examples that use CEL-like expressions (the repo and docs expose the field reference used in conditions).

What the project enforces and integrates

Per the project site and README, Claw Patrol can keep credentials out of the agent process by holding keys and injecting them when the gateway approves outbound requests. The website documents approver types including require llm (an LLM-based judge, with cached verdicts) and require human (human voting via Slack or webhook). The project advertises audit logging for every gated action and examples of blocking destructive operations such as kubectl delete pod or DROP TABLE through rule matches shown in the repository.

Industry context

Editorial analysis: Companies and teams running autonomous agents increasingly expose those agents to multi-protocol production surfaces. Public coverage and the Deno project place Claw Patrol in a niche distinct from HTTP-focused proxies and LLM gateways: it aims to parse and gate non-HTTP protocols at the wire level and to combine automated LLM judgement and human approval in decision chains. This fills a gap between process sandboxes, HTTP forward proxies, and model-only guardrails by operating as an external enforcement point that understands protocol semantics.
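To make the fact-extraction and rule-matching model described above concrete, here is an added Python sketch; it is not Claw Patrol's code and does not use its HCL rule syntax. The rule shape, the sql.verb and sql.table fact names, the require_human verdict string, and all function names are assumptions for illustration, and the regex extraction stands in for a real wire-protocol parser.

```python
import re

# Constructed first-match policy; the rule shape and the sql.* fact names are
# assumptions, not Claw Patrol's HCL schema. k8s.* names are those the page lists.
RULES = [
    ({"sql.verb": {"DROP", "TRUNCATE"}}, "deny"),
    ({"sql.verb": {"DELETE", "UPDATE"}}, "require_human"),
    ({"sql.verb": {"SELECT"}}, "allow"),
    ({"k8s.verb": {"delete", "deletecollection"}, "k8s.namespace": {"prod"}}, "deny"),
    ({"k8s.verb": {"delete"}}, "require_human"),
    ({"k8s.verb": {"get", "list"}}, "allow"),
]
SQL_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
SQL_TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE)\s+(?:IF\s+EXISTS\s+)?([\w.\"]+)", re.I)
K8S_PATH = re.compile(r"^/(?:api/v1|apis/[^/]+/[^/]+)(?:/namespaces/(?P<ns>[^/]+))?"
                      r"/(?P<res>[^/]+)(?:/(?P<name>[^/]+))?$")
K8S_WRITE = {"POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}

def sql_facts(statement):
    """Reduce one SQL statement to verb/table facts (regex stand-in for a wire parser)."""
    text = SQL_COMMENT.sub(" ", statement).strip()
    if not text or ";" in text.rstrip("; \n"):
        return {}  # empty or stacked statements yield no facts, so they fall to default-deny
    table = SQL_TABLE.search(text)
    return {"sql.verb": text.split(None, 1)[0].upper(),
            "sql.table": table.group(1).strip('"') if table else ""}

def k8s_facts(method, path):
    """Map a Kubernetes API request line to verb/resource/namespace facts."""
    m = K8S_PATH.match(path.split("?", 1)[0])
    if not m:
        return {}  # subresources (exec, log, ...) are not modelled here: default-deny
    if method == "GET":
        verb = "get" if m["name"] else "list"
    elif method == "DELETE" and not m["name"]:
        verb = "deletecollection"
    else:
        verb = K8S_WRITE.get(method, "unknown")
    return {"k8s.verb": verb, "k8s.resource": m["res"], "k8s.namespace": m["ns"] or ""}

def decide(facts):
    """Return the verdict of the first rule whose every condition matches the facts."""
    for conditions, verdict in RULES:
        if all(facts.get(key) in allowed for key, allowed in conditions.items()):
            return verdict
    return "deny"  # nothing matched: fail closed
```

Requests the extractors cannot classify produce no facts and are denied, so a parsing gap blocks the action instead of letting it through.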
For practitioners

Editorial analysis: Claw Patrol's HCL rule approach and per-protocol fact extraction give security teams a way to express action-level constraints without modifying agent code. The integration points (WireGuard/Tailscale, per-process tunneling) lower the barrier to adoption for teams that cannot replace agent binaries. At the same time, the project imposes operational work: writing comprehensive rules in HCL, mapping protocol facts to policy, and operating an approval workflow and audit store.

What to watch

Editorial analysis: Observers should watch how the project scales in real deployments: rule expressivity versus manageability, performance under high-throughput agent fleets, and the usability of approval workflows. Another open question is ecosystem integration: whether third-party tooling will emerge to author HCL policies, visualize audits, or provide managed approver services.

Scoring Rationale

This is a notable open-source security tool for teams running autonomous agents: it addresses a practical gap (non-HTTP protocols and action-level enforcement) and provides deployable primitives. It is not a paradigm-shifting model release, but it materially affects security operations and agent deployment patterns for practitioners.