
50-pattern denylist, Day 1.
DROP TABLE without WHERE. rm -rf outside sandbox. git force-push to main. AWS s3 rb. We ship 50 patterns Day 1. Cross-customer pattern DB grows weekly.
SQL.drop_table · shell.rm_rf · git.force_push · aws.s3_rb
Agent Firewall · sleep-through-it
Your agent runs deploys, fixes bugs, migrates schemas — and the firewall watches. If it tries something destructive, your phone lights up with approve/deny. If you don't answer, it blocks.
Promise
Set policy once, get a Telegram ping only when something dangerous happens. Default: deny on timeout. Default: stay safe while you're away.

Could've been prevented · 10+ documented agent-destruction incidents · Oct 2024 — Apr 2026
// agent reasoning
// > clean up old user records before migration
$ tool_call(execute_sql, { query: "DROP TABLE users;" })
[firewall] match: sql.drop_table_no_where · severity=critical · pattern_id=SQL-007
[firewall] VERDICT: BLOCKED · agent halted · 18ms
// notification posted to telegram://team/agent-firewall
// audit row: intercepts/01HXR5K2…
$ Evidence
Cursor proposed a destructive SQL call at 04:12 UTC. Pattern SQL-007 matched in 18ms. Verdict: BLOCKED. The agent halted; the database stayed.
Proof
Used by engineering teams who run AI agents on staging overnight. <30s human-in-the-loop for medium-risk calls; instant block on 50 hard-deny patterns. Fail-closed by design — uncertainty never auto-allows.
Three steps · sixty seconds
The pain on your team today — Engineering leads stay up babysitting agent runs because there's no trustworthy autopilot for destructive actions.
One npm install. Drop the MCP wrap into your agent config or wrap your SDK call. 60 seconds.
npm i @agentfirewall/sdk
Every tool call gets scanned against 50 hard-deny patterns. Critical matches halt instantly. Medium-risk escalates to Telegram.
verdict: blocked · 18ms
Vendor IDE settings are per-developer; team-level policy doesn't exist anywhere except a wiki nobody reads.
policy: balanced · 30s timeout
The control plane
Read-only observability tools tell you what happened. Agent Firewall stops it from happening.

Medium-risk calls escalate to your phone in seconds. Tap Approve, tap Deny, or set 'Approve always for this pattern'. Fail-closed by default — uncertainty never auto-allows.
Approve · Deny · Approve always · 30s timeout
MCP server + SDK wrap. Works with Cursor, Claude Code, Devin, Replit Agent, Cline, Continue, and any custom agent loop. One policy layer, every tool.
Cursor · Claude Code · Devin · Replit · Cline
Incident wall · selected
Cursor-driven Claude wiped production DB and backups in 9 seconds.
Tom's Hardware · Fast Company · ABC News · The Register
Replit Agent wiped 1,206 executive records during an explicit code-freeze window.
TechCrunch · Hacker News · Replit blog post-mortem
Agent loop ran rm -rf inside the repo root after misreading a cleanup task.
Antigravity engineering blog · Twitter thread
RCE via crafted MCP server payload — agent invoked attacker-controlled shell on host.
NVD · Snyk advisory
One blocked incident pays for 50 years of subscription.
Pricing
Free tier covers 10 intercepts/day per team — enough to confirm the firewall is wired before you decide.
Solo
$19/mo
One developer. Local SDK or single-agent MCP.
Team
$49/mo
10-50 person engineering team. Cross-vendor team policy.
Pro
$99/mo
Compliance-grade audit, SSO, custom pattern engine.
FAQ
Still have one we didn't list? Open an issue on GitHub and we'll respond.
Hard-deny patterns evaluate in <50ms p99 — a stateless regex/AST match with no network round-trip. The only call that pauses is a medium-risk escalation to Telegram, capped at a 30-second timeout (default-deny on expiry). Everything below medium-risk passes through.
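The evaluation order this answer describes, as an added JavaScript example that is not Agent Firewall's code or the @agentfirewall/sdk API: hard-deny match first, medium-risk escalation with default-deny on expiry, pass-through below that. The regexes, the medium-risk rule, `classify`, `decide` and the `askHuman` callback are assumptions made for illustration.

```javascript
// Added illustration, not @agentfirewall/sdk code. Rule ids are modelled on
// the page's tags; regexes, the MEDIUM rule and function names are hypothetical.
const HARD_DENY = [
  { id: "sql.drop_table", re: /\bdrop\s+table\b/i },
  { id: "shell.rm_rf", re: /\brm\s+-(?=[a-z]*r)(?=[a-z]*f)[a-z]+/i },
  { id: "git.force_push", re: /\bgit\s+push\b(?=.*(--force|\s-f\b))(?=.*\bmain\b)/i },
  { id: "aws.s3_rb", re: /\baws\s+s3\s+rb\b/i },
];
const MEDIUM = [{ id: "sql.alter_table", re: /\balter\s+table\b/i }]; // constructed

// Collect every string in the arguments, however deeply nested.
const strings = (v) =>
  typeof v === "string" ? [v]
  : v && typeof v === "object" ? Object.values(v).flatMap(strings) : [];

// Stateless, synchronous tiering: no network round-trip on this path.
function classify(toolCall) {
  const text = strings(toolCall.args).join("\n");
  const hard = HARD_DENY.find((p) => p.re.test(text));
  if (hard) return { tier: "critical", id: hard.id };
  const med = MEDIUM.find((p) => p.re.test(text));
  return med ? { tier: "medium", id: med.id } : { tier: "low", id: null };
}

// askHuman(toolCall, id) is a caller-supplied async function (hypothetical)
// that resolves to "approve" or "deny". Only an exact "approve" allows.
async function decide(toolCall, askHuman, timeoutMs = 30_000) {
  let timer;
  try {
    const hit = classify(toolCall);
    if (hit.tier === "critical") return { verdict: "blocked", reason: hit.id };
    if (hit.tier === "low") return { verdict: "allowed", reason: "below_medium" };
    const expiry = new Promise((resolve) => {
      timer = setTimeout(() => resolve("timeout"), timeoutMs);
    });
    const answer = await Promise.race([askHuman(toolCall, hit.id), expiry]);
    return answer === "approve"
      ? { verdict: "allowed", reason: hit.id }
      : { verdict: "blocked", reason: `${hit.id}:${answer}` };
  } catch {
    return { verdict: "blocked", reason: "error" }; // fail closed on any fault
  } finally {
    clearTimeout(timer);
  }
}
```

An approver that throws, times out, or returns anything other than the exact string "approve" produces a block, so a broken notification channel cannot turn into an implicit allow.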
Ship the firewall before the incident
Free tier · no credit card · 60-second install