View as markdown

# Introduction

Claw Patrol is a firewall for AI agents. It sits between your agents and the internet, decides what each request is allowed to do, and stamps real credentials onto the wire so the agent never holds them.

# The problem

Your AI agent has every API key in plaintext. It talks to GitHub, Slack, Anthropic, Postgres, Kubernetes, and a dozen other services. You can’t see what it’s doing, what it’s spending, or where your credentials end up. One prompt injection — or one model that hallucinates a DELETE — and your secrets exfiltrate or your production gets touched.

# What Claw Patrol gives you

• Allow / deny rules on every outbound request, written in CEL against typed variables for the protocol.

• Protocol-aware, not just HTTP. Claw Patrol terminates the full wire protocol for the systems agents actually touch, so rules see what the agent is doing — not just where it’s pointed:

  • Postgres / ClickHouse — the gateway parses the SQL out of the wire protocol. Rules see sql.verb, sql.tables, sql.statement. Deny DROP TABLE, gate SELECT * FROM api_keys, restrict an agent to read-only verbs.
  • Kubernetes — API URLs decompose into k8s.verb, k8s.resource, k8s.namespace, k8s.name. Deny delete secrets cluster-wide, allow get pods only in dev, route any write to kube-system through a human approval.
  • HTTPS — http.method, http.path, http.headers, http.body_json for the REST APIs (GitHub, Slack, Anthropic, …). The body is parsed once for JSON endpoints so you can match on payload fields, not just shape.

• Human-in-the-loop approvals for risky actions — defer kubectl apply -f production to a Slack approval before the request leaves. If the reviewer denies or the approval times out, Claw Patrol does not call the upstream service.

• Secret injection at the wire. Agents send placeholders ({{github_pat}}); the gateway swaps them for the real token in transit.

• Full audit log — every request, verdict, and latency, searchable in the dashboard, exportable as fixtures for regression tests.

# How it fits

Claw Patrol has two pieces:

• A gateway — a single Go binary running on a host you control. It holds the policy, the credentials, the audit log, and the dashboard.
• One or more devices — your laptop, a CI runner, a teammate’s workstation — that join the gateway over WireGuard. The device captures the agent’s outbound flows and tunnels them to the gateway, which decides per request what to allow, what to deny, what to gate behind a human, and what credential to stamp on.

Agent ─→ Device ──WireGuard──→ Gateway ──→ Upstream
                                  │
                                  ├ matches rule
                                  ├ injects credential
                                  └ logs the action

The agent never sees the real credential. The gateway never trusts the agent.

# Open source

MIT. The gateway, the dashboard, and the plugins are all in one repo. All state lives in a single SQLite file on the gateway host — no cloud required. The binary phones home for an update check; disable with CLAWPATROL_TELEMETRY=0 or DO_NOT_TRACK=1.

# Next

• Getting Started — stand up a gateway and join a device in 5 minutes.
• Architecture — how interception works.
• Rules — gating writes behind a human or an LLM judge.
• Security model — what Claw Patrol does and doesn’t protect against.