Agent Firewall · keep-yolo-mode

Keep your agent in YOLO mode. We block what it gets wrong.

Stop choosing between speed and safety. Hard-deny patterns block instantly; medium-risk calls escalate to your phone for approve/deny in seconds.

Turn YOLO mode safe
npm i · 60s setup · no credit card

Promise

Your team keeps --dangerously-skip-permissions on, ships fast, and the firewall catches the 1% of calls that would cause a real incident.

[Image: an AI agent tool call intercepted by a firewall barrier, splitting into a red "Blocked" branch and a green "Allowed" branch.]

  • <50ms · p99 verdict
  • 30s · Telegram approve
  • 50 · Day-1 patterns

Could've been prevented · 10+ documented agent-destruction incidents · Oct 2024 — Apr 2026

PocketOS · Replit Agent · SaaStr ATL · Antigravity · Cursor IDE · Amazon Kiro · Claude Code · Devin · Cline · Continue
cursor · claude-3-5-sonnet · session #4f3a · live

    // agent reasoning
    // > clean up old user records before migration

    $ tool_call(execute_sql, { query: "DROP TABLE users;" })
    [firewall] match: sql.drop_table_no_where · severity=critical · pattern_id=SQL-007
    [firewall] VERDICT: BLOCKED · agent halted · 18ms
    // notification posted to telegram://team/agent-firewall
    // audit row: intercepts/01HXR5K2…

    $

verdict latency · 18ms · fail-closed · default deny · policy v1.4 · 50 patterns

Evidence

This is what your team would have seen.

Cursor proposed a destructive SQL call at 04:12 UTC. Pattern SQL-007 matched in 18ms. Verdict: BLOCKED. The agent halted; the database stayed.

  • 50-pattern denylist · SQL · shell · git · cloud
  • Verdict in <50ms p99 · before the agent runs the call
  • Audit row + Telegram alert · every block, no exceptions

Proof

Same denylist that would have caught the PocketOS wipe, the Replit code-freeze incident, and the Antigravity event. 50-pattern starter list ships Day 1; cross-customer pattern DB grows weekly.

Three steps · sixty seconds

Install once. Block forever. Sleep through the rest.

The pain on your team today — Removing --dangerously-skip-permissions slows the team down; keeping it on means one chain-of-thought from disaster.

  1. Install

    One npm install. Drop the MCP wrap into your agent config or wrap your SDK call. 60 seconds.

    npm i @agentfirewall/sdk
  2. Block

    Every tool call gets scanned against 50 hard-deny patterns. Critical matches halt instantly. Medium-risk escalates to Telegram.

    verdict: blocked · 18ms
  3. Sleep

    Custom per-tool guardrails fragment across Cursor / Claude Code / Devin and break on every vendor update.

    policy: balanced · 30s timeout

The control plane

Three primitives. Zero ambiguity.

Read-only observability tools tell you what happened. Agent Firewall stops it from happening.

[Image: a stack of denylist pattern rules, one highlighted in alert-red where a matched pattern blocks a tool call.]
Pattern engine

50-pattern denylist, Day 1.

DROP TABLE without WHERE. rm -rf outside sandbox. git force-push to main. AWS s3 rb. We ship 50 patterns Day 1. Cross-customer pattern DB grows weekly.

SQL.drop_table · shell.rm_rf · git.force_push · aws.s3_rb

[Image: a phone showing an inline approval keyboard with a green-checkmark Approve button and a red-X Deny button for human-in-the-loop tool call review.]
Human-in-the-loop

Telegram approve / deny in 30s.

Medium-risk calls escalate to your phone in seconds. Tap Approve, tap Deny, or set 'Approve always for this pattern'. Fail-closed by default — uncertainty never auto-allows.

Approve · Deny · Approve always · 30s timeout

[Image: an incident timeline of six green allowed dots, one amber pending dot, and one red blocked dot at the end.]
Cross-vendor

One policy layer, every tool.

MCP server + SDK wrap. Works with Cursor, Claude Code, Devin, Replit Agent, Cline, Continue, and any custom agent loop. One policy layer, every tool.

Cursor · Claude Code · Devin · Replit · Cline

Incident wall · selected

Each of these was one pattern match away from being prevented.

See the full living wall
  1. POCKETOS

    Cursor-driven Claude wiped production DB and backups in 9 seconds.

    Tom's Hardware · Fast Company · ABC News · The Register
  2. REPLIT · SAASTR

    Replit Agent wiped 1,206 executive records during an explicit code-freeze window.

    TechCrunch · Hacker News · Replit blog post-mortem
  3. ANTIGRAVITY

    Agent loop ran rm -rf inside the repo root after misreading a cleanup task.

    Antigravity engineering blog · Twitter thread
  4. CURSOR · CVE-2026-26268

    RCE via crafted MCP server payload — agent invoked attacker-controlled shell on host.

    NVD · Snyk advisory

One blocked incident pays 50 years of subscription.

Pricing

One blocked incident covers a year. Probably ten.

Free tier covers 10 intercepts/day per team — enough to confirm the firewall is wired before you decide.

Solo

$19/mo

One developer. Local SDK or single-agent MCP.

  • 50-pattern denylist
  • 100 intercepts/day
  • Telegram approve/deny
Most teams pick this

Team

$49/mo

10-50 person engineering team. Cross-vendor team policy.

  • Unlimited intercepts
  • All 50+ patterns + custom rules
  • Per-developer approval routing
  • 30-day audit retention

Pro

$99/mo

Compliance-grade audit, SSO, custom pattern engine.

  • Everything in Team
  • SSO + RBAC
  • Custom pattern engine
  • 1-year audit + export

FAQ

The five things every CTO asks first.

Still have one we didn't list? Open an issue on GitHub and we'll respond.

Hard-deny patterns evaluate in <50ms p99 — a stateless regex/AST match with no network round-trip. The only call that pauses is a medium-risk escalation to Telegram, capped at a 30-second timeout (default-deny on expiry). Everything below medium-risk passes through.
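The three-tier verdict described across the install steps, the pattern engine, the human-in-the-loop section and the FAQ answer above (critical matches blocked before the call runs, medium risk escalated with a 30-second fail-closed timeout, everything else passing through) can be sketched in a few dozen lines. The block below is an added illustration and is not Agent Firewall's own code or pattern list: the pattern ids (EX-*), the tool names execute_sql and run_shell, the call shape { tool, args }, the /sandbox/ directory and the approver callback standing in for the Telegram tap are all constructed assumptions.

```javascript
// Added example of a tool-call firewall with severity tiers and a fail-closed
// approval timeout. Not the product's code; patterns, ids and API shape are constructed.

const SANDBOX = '/sandbox/';            // assumed sandbox root for shell.rm_rf
const SEVERITY_RANK = { critical: 3, medium: 2, low: 1 };

// Small illustrative denylist. Each entry inspects one tool's arguments.
const PATTERNS = [
  { id: 'EX-SQL-1', name: 'sql.drop_table', severity: 'critical', tool: 'execute_sql',
    test: (a) => /\bDROP\s+(?:TABLE|DATABASE)\b/i.test(a.query ?? '') },
  { id: 'EX-SQL-2', name: 'sql.delete_no_where', severity: 'critical', tool: 'execute_sql',
    test: (a) => /\bDELETE\s+FROM\s+\S+\s*;?\s*$/i.test(a.query ?? '') },
  { id: 'EX-SH-1', name: 'shell.rm_rf_outside_sandbox', severity: 'critical', tool: 'run_shell',
    test: (a) => {
      const m = /\brm\s+((?:-\S+\s+)+)(\S+)/.exec(a.command ?? '');
      return !!m && /r/.test(m[1]) && !m[2].startsWith(SANDBOX);
    } },
  { id: 'EX-GIT-1', name: 'git.force_push', severity: 'critical', tool: 'run_shell',
    test: (a) => /\bgit\s+push\b(?=.*\s(?:--force|-f)\b)(?=.*\b(?:main|master)\b)/.test(a.command ?? '') },
  { id: 'EX-AWS-1', name: 'aws.s3_rb', severity: 'critical', tool: 'run_shell',
    test: (a) => /\baws\s+s3\s+rb\b/.test(a.command ?? '') },
  // medium risk: a human decides, and silence means deny
  { id: 'EX-GIT-2', name: 'git.push_main', severity: 'medium', tool: 'run_shell',
    test: (a) => /\bgit\s+push\b.*\b(?:main|master)\b/.test(a.command ?? '') },
];

const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Stateless match: returns the highest-severity pattern that fires, or null.
function classify(call) {
  const hits = PATTERNS.filter((p) => p.tool === call.tool && p.test(call.args ?? {}));
  hits.sort((x, y) => SEVERITY_RANK[y.severity] - SEVERITY_RANK[x.severity]);
  return hits[0] ?? null;
}

// Escalate to a human. The approver stands in for the Telegram keyboard and
// resolves to 'approve' or 'deny'. No channel, an error, or a timeout all deny.
function escalate(match, call, approver, timeoutMs) {
  if (typeof approver !== 'function') return Promise.resolve('unconfigured');
  let timer;
  const timeout = new Promise((resolve) => { timer = setTimeout(() => resolve('timeout'), timeoutMs); });
  const answer = Promise.resolve()
    .then(() => approver(match, call))
    .then((d) => (d === 'approve' ? 'approve' : 'deny'), () => 'deny');
  return Promise.race([answer, timeout]).finally(() => clearTimeout(timer));
}

const REASONS = {
  approve: 'approved by human', deny: 'denied by human',
  timeout: 'approval timeout (fail-closed)', unconfigured: 'no approval channel (fail-closed)',
};

// Run one tool call through the firewall; appends an audit row and returns the verdict.
async function firewall(call, { approver, timeoutMs = 30_000, audit = [] } = {}) {
  const t0 = now();
  const match = classify(call);
  let verdict = 'ALLOWED';
  let reason = 'no pattern matched';
  if (match?.severity === 'critical') {
    verdict = 'BLOCKED'; reason = 'hard-deny';
  } else if (match?.severity === 'medium') {
    const decision = await escalate(match, call, approver, timeoutMs);
    verdict = decision === 'approve' ? 'ALLOWED' : 'BLOCKED';
    reason = REASONS[decision];
  } else if (match) {
    reason = 'low risk passes through';
  }
  const row = { ts: new Date().toISOString(), tool: call.tool, pattern: match?.id ?? null,
    severity: match?.severity ?? null, verdict, reason, latencyMs: +(now() - t0).toFixed(2) };
  audit.push(row);
  return row;
}

// Demo with constructed calls: the transcript's DROP TABLE, a medium-risk push, a plain read.
(async () => {
  const rows = [];
  const approver = async (m) => (m.name === 'git.push_main' ? 'approve' : 'deny'); // stub for the Telegram tap
  await firewall({ tool: 'execute_sql', args: { query: 'DROP TABLE users;' } }, { audit: rows });
  await firewall({ tool: 'run_shell', args: { command: 'git push origin main' } }, { approver, audit: rows });
  await firewall({ tool: 'execute_sql', args: { query: 'SELECT count(*) FROM users' } }, { audit: rows });
  console.table(rows);
})();
```

The two properties worth checking in any real deployment are visible here: the critical path never awaits anything (no network round-trip before the verdict), and every non-approve outcome on the medium path, including a missing or crashing approval channel, lands on BLOCKED.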

Ship the firewall before the incident

Every day a developer on your team gets faster while one weekend-long incident wipes the gain. Install before that happens.

Free tier · no credit card · 60-second install