Agent Firewall

A local-first safety layer for developer AI agents.

Agent Firewall is a cooperative tool-call-boundary guard for AI coding agents. It evaluates local policy before matched tool calls run, can ask or block, keeps a local audit trail, and binds the viewer to localhost. It does not protect your whole machine or every agent automatically.

Install

Get Agent Firewall on your machine.

Install from Omnet-hosted release assets, initialize local config, then wire Claude Code hooks. Codex wiring is optional and prototype-only.

Published release install

curl -fsSL https://omnetsystems.com/agentfirewall/install.sh -o /tmp/agentfirewall-install.sh
bash /tmp/agentfirewall-install.sh --version 0.1.0 --verify --prefix "$HOME/.local/bin"

After install

agentfirewall init
agentfirewall install claude-code --dry-run
agentfirewall install claude-code
agentfirewall doctor
agentfirewall status

Release checksums are published as SHA256SUMS. Capability labels are published in the public capability matrix.

Release integrity

Release packaging uses SHA256 checksums today.
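
The script below is an added example, not Omnet's code or part of the installer: a manual check of one downloaded release file against the published SHA256SUMS before running it. It assumes the manifest uses the usual sha256sum line layout; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Omnet's code): check one downloaded release file against
# a SHA256SUMS manifest. Assumes the usual sha256sum layout, one entry per
# line: "<64 hex digits>  <name>" or "<64 hex digits> *<name>".

sha256_of() {
  # Linux normally has sha256sum; macOS ships shasum instead.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no SHA-256 tool found" >&2
    return 2
  fi
}

# verify_release_asset <manifest> <asset>
# Returns 0 only if the manifest holds exactly one entry for the asset's
# basename and its digest matches. Missing, duplicated, or malformed entries
# fail closed (names containing spaces are treated as malformed here).
verify_release_asset() {
  local sums="$1" asset="$2" name expected actual
  if [ ! -r "$sums" ] || [ ! -r "$asset" ]; then
    echo "cannot read manifest or asset" >&2
    return 2
  fi
  name=$(basename -- "$asset")
  expected=$(NAME="$name" awk '
    { f = $2; sub(/^\*/, "", f) }
    NF == 2 && f == ENVIRON["NAME"] && length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ {
      n++; digest = tolower($1)
    }
    END { if (n != 1) exit 1; print digest }
  ' "$sums") || { echo "need exactly one manifest entry for $name" >&2; return 1; }
  actual=$(sha256_of "$asset") || return 2
  if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name (do not install)" >&2
  return 1
}
```

A matching checksum shows the file is the one the manifest describes; it does not authenticate the manifest itself, which is consistent with the page making no signed-release claim.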

Privacy

Local-first in personal mode.

  • Config, policy, audit data, and the local viewer stay on your machine by default.
  • Agent Firewall sends no telemetry in personal mode.
  • The local viewer binds to 127.0.0.1 only and reads your local audit store.
  • Enterprise fleet dashboards and cloud upload are not part of the day-one personal product.

Capability matrix

Honest support labels for day-one surfaces.

Agent Firewall governs tool calls at wired hook boundaries. Labels below match the public capability matrix artifact hosted by Omnet for this release.

Claude Code

  • Integration: Claude Code sessions with Agent Firewall hooks wired for PreToolUse, PostToolUse, and PostToolUseFailure.
  • Label: Ask/block prototype (works in local synthetic tests or doctor self-tests; not cleared for broad supported labeling without live validation evidence).
  • OS: Linux, macOS
  • Evidence note: Synthetic hook tests and doctor self-test. Broad supported labeling waits on live Claude Code validation records.

Codex

  • Integration: Codex sessions with hooks wired in ~/.codex/hooks.json for PreToolUse and PostToolUse.
  • Label: Ask/block prototype (works in local synthetic tests or doctor self-tests; not cleared for broad supported labeling without live validation evidence).
  • OS: Linux, macOS
  • Evidence note: Synthetic hook tests only. Not a supported live-app guarantee until live Codex validation exists.

Cursor Agent

  • Integration: Research only. No hook adapter shipped.
  • Label: Research (docs reviewed; no working local prototype shipped).
  • OS: Not shipped
  • Evidence note: Design and planning only.

Canonical artifact: public-capability-matrix.json. Claude Code remains ask-block-prototype until support-promotion gates are fully evidenced.

Non-goals

What Agent Firewall is not.

  • Whole-machine protection or all-agent coverage
  • Tamper-proof local audit or absolute enforcement
  • Complete prompt-injection prevention
  • Unsigned auto-update or signed-release claims before those controls exist
  • Enterprise fleet dashboard in the personal product
  • DLP, EDR, Slack, or Teams enforcement in the day-one product

Common bypasses

Cooperative guard, not whole-machine enforcement.

  • Shell, git, or editor use outside wired Claude Code or Codex sessions
  • Agent tools outside the installed hook matcher
  • Removing or editing hooks manually
  • Personal-mode fail-open behavior when policy or approval infrastructure is unavailable

01. Tool-call boundary guard

Intercepts matched PreToolUse hooks for wired integrations so policy runs before shell, file, and selected tool actions execute.

02. Local policy and audit

Stores config, TOML policy, and SQLite audit events on your machine. Personal mode sends no telemetry by default.

03. Ask, block, and observe

Deterministic allow, ask, and block decisions with terminal approvals where supported, plus post-action audit for wired hooks.

04. Repairable wiring

Doctor checks, install dry-runs, and status output show when hooks, policy, or audit health are degraded and how to repair them.