Introducing Kvlar: Runtime Security for AI Agents
By Kvlar Team
AI agents are evolving from chatbots into autonomous systems that execute code, query databases, send emails, and interact with production infrastructure. This is incredibly powerful — and incredibly risky.
Today, we're open-sourcing Kvlar, a runtime security layer for AI agents.
The problem
When you give an AI agent access to tools via the Model Context Protocol (MCP), there's no security layer between the agent and those tools. The agent can call any tool with any arguments. There's no policy enforcement, no audit trail, and no human approval for sensitive operations.
This is the equivalent of giving a new employee root access on day one with no guardrails.
What Kvlar does
Kvlar sits between your AI agent and its MCP tool servers as a transparent proxy. Every tool call passes through Kvlar's policy engine before reaching the server.
```text
Agent ──stdio──► Kvlar Proxy ──stdio──► MCP Tool Server
                      │
                Policy Engine
                      │
                  Audit Log
```
For each tool call, Kvlar evaluates it against your security policy and makes one of three decisions:
- Allow — forward the call to the tool server
- Deny — block the call and return an error to the agent
- Require approval — block pending human review
Policy as code
Security policies are defined in YAML — human-readable, version-controllable, and reviewable in pull requests:
```yaml
name: my-policy
version: "1.0"
rules:
  - id: allow-reads
    match_on:
      resources: ["read_*"]
    effect:
      type: allow
  - id: deny-destructive
    match_on:
      resources: ["delete_*", "drop_*"]
    effect:
      type: deny
      reason: "Destructive operations are not allowed"
  - id: approve-writes
    match_on:
      resources: ["write_*"]
    effect:
      type: require_approval
      reason: "Write operations require human approval"
```
Key design decisions
Fail-closed by default. If no rule matches an action, it's denied. This is the opposite of how most systems work — and it's intentional. In security, implicit trust is the enemy.
Pure policy engine. The core engine (kvlar-core) has zero I/O dependencies. Given the same action and the same policy, you'll get the same decision every time. This makes policies testable and auditable.
Protocol-native. Kvlar is built specifically for MCP, not bolted on as an afterthought. It understands the protocol at the transport layer and intercepts tool calls natively.
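To make the policy semantics above concrete (glob matching on tool names, the three effects, the fail-closed default, and interception of MCP `tools/call` messages), here is an added illustrative model written for this post. It is not kvlar-core's code: it transcribes the YAML policy as a Python structure, assumes first-matching-rule-wins ordering, and uses an assumed JSON-RPC error code.

```python
import json
from fnmatch import fnmatchcase

# The post's YAML policy, transcribed as a Python structure so this runs without PyYAML.
POLICY = {
    "name": "my-policy",
    "version": "1.0",
    "rules": [
        {"id": "allow-reads", "match_on": {"resources": ["read_*"]},
         "effect": {"type": "allow"}},
        {"id": "deny-destructive", "match_on": {"resources": ["delete_*", "drop_*"]},
         "effect": {"type": "deny", "reason": "Destructive operations are not allowed"}},
        {"id": "approve-writes", "match_on": {"resources": ["write_*"]},
         "effect": {"type": "require_approval",
                    "reason": "Write operations require human approval"}},
    ],
}


def evaluate(policy, tool_name):
    """Pure decision function: (effect, rule_id, reason) for one tool name.
    No I/O, so the same policy and tool always yield the same decision.
    Assumption: rules are checked in order and the first match wins;
    a tool that matches no rule is denied (fail-closed)."""
    for rule in policy["rules"]:
        if any(fnmatchcase(tool_name, pat) for pat in rule["match_on"]["resources"]):
            effect = rule["effect"]
            return effect["type"], rule["id"], effect.get("reason")
    return "deny", None, "No rule matched (fail-closed default)"


def intercept(policy, raw_message):
    """Apply the policy to one JSON-RPC message travelling agent -> server.
    Returns ("forward", msg) to pass it to the tool server, or ("respond", reply)
    to answer the agent directly without the server ever seeing the call.
    Error code -32000 is an assumed placeholder, not Kvlar's real code."""
    msg = json.loads(raw_message)
    if msg.get("method") != "tools/call":
        return "forward", msg  # not a tool invocation; the proxy passes it through
    tool = msg["params"]["name"]
    decision, rule_id, reason = evaluate(policy, tool)
    if decision == "allow":
        return "forward", msg
    # deny and require_approval both block the call; the reason tells the agent why
    reply = {"jsonrpc": "2.0", "id": msg.get("id"),
             "error": {"code": -32000, "message": f"{decision}: {reason}",
                       "data": {"tool": tool, "rule": rule_id}}}
    return "respond", reply
```

Note that `send_email`, which the policy never mentions, is denied rather than silently forwarded; that is the fail-closed behaviour the post describes.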
Getting started
Three commands to go from zero to enforcing:
```bash
# Install and create a policy
cargo install kvlar-cli
kvlar init

# Wrap your MCP servers
kvlar wrap

# Test your policy
kvlar test -f policy.test.yaml
```
Kvlar supports Claude Desktop and Cursor out of the box. The kvlar wrap command automatically detects your MCP client and injects the proxy.
Built in Rust
Kvlar is written in Rust for performance and safety — appropriate for security-critical infrastructure. The workspace is organized into four crates:
| Crate | Purpose |
|---|---|
| kvlar-core | Policy engine — pure, deterministic, no I/O |
| kvlar-proxy | MCP proxy — stdio and TCP transports |
| kvlar-audit | Structured audit logging |
| kvlar-cli | CLI with 9 commands |
What's next
Kvlar is at v0.3.0. Recent additions:
- Policy hot-reload — shipped in v0.2.0! Update policies without restarting the proxy
- Python SDK — shipped in v0.3.0! Wrap the Kvlar CLI from Python applications
- Approval webhooks — shipped in v0.3.0! Route require_approval decisions to external systems
- Health checks — shipped in v0.3.0! GET /health endpoint with runtime stats
- TypeScript SDK — for Node.js environments
- SHIELD — our commercial enterprise product with managed policy enforcement
Get involved
Kvlar is Apache 2.0 licensed and available on GitHub. We welcome contributions, feedback, and bug reports.
If you're building AI agents with tool access, we'd love to hear about your security challenges. Reach out on X or open an issue on GitHub.