Tool-call boundary guard
Intercepts matched PreToolUse hooks for wired integrations so policy runs before shell, file, and selected tool actions execute.
A local-first safety layer for developer AI agents.
Agent Firewall is a cooperative tool-call-boundary guard for AI coding agents. It evaluates local policy before matched tool calls run, can ask or block, keeps a local audit trail, and binds the viewer to localhost. It does not protect your whole machine or every agent automatically.
Install
Install from Omnet-hosted release assets, initialize local config, then wire Claude Code hooks. Codex wiring is optional prototype-only.
Published release install
curl -fsSL https://omnetsystems.com/agentfirewall/install.sh -o /tmp/agentfirewall-install.sh
bash /tmp/agentfirewall-install.sh --version 0.1.0 --verify --prefix "$HOME/.local/bin"After install
agentfirewall init
agentfirewall install claude-code --dry-run
agentfirewall install claude-code
agentfirewall doctor
agentfirewall statusRelease checksums are published as SHA256SUMS. Capability labels are published in the public capability matrix.
Release integrity
Privacy
Capability matrix
Agent Firewall governs tool calls at wired hook boundaries. Labels below match the public capability matrix artifact hosted by Omnet for this release.
| Integration | Label | OS | Evidence note |
|---|---|---|---|
Claude Code Claude Code sessions with Agent Firewall hooks wired for PreToolUse, PostToolUse, and PostToolUseFailure. | Ask/block prototype Ask/block prototype — works in local synthetic tests or doctor self-tests; not cleared for broad supported labeling without live validation evidence. | Linux, macOS | Synthetic hook tests and doctor self-test. Broad supported labeling waits on live Claude Code validation records. |
Codex Codex sessions with hooks wired in ~/.codex/hooks.json for PreToolUse and PostToolUse. | Ask/block prototype Ask/block prototype — works in local synthetic tests or doctor self-tests; not cleared for broad supported labeling without live validation evidence. | Linux, macOS | Synthetic hook tests only. Not a supported live-app guarantee until live Codex validation exists. |
Cursor Agent Research only. No hook adapter shipped. | Research Research — docs reviewed; no working local prototype shipped. | Not shipped | Design and planning only. |
Canonical artifact: public-capability-matrix.json. Claude Code remains ask-block-prototype until support-promotion gates are fully evidenced.
Non-goals
Common bypasses
Intercepts matched PreToolUse hooks for wired integrations so policy runs before shell, file, and selected tool actions execute.
Stores config, TOML policy, and SQLite audit events on your machine. Personal mode sends no telemetry by default.
Deterministic allow, ask, and block decisions with terminal approvals where supported, plus post-action audit for wired hooks.
Doctor checks, install dry-runs, and status output show when hooks, policy, or audit health are degraded and how to repair them.
Contact
support@omnetsystems.com