OPEN SOURCE · v0.1.1

The execution firewall for agents

Shell commands and MCP tool calls evaluated by deterministic policy before execution. Native adapters can emit the same action envelope for file, network, and process operations. Stop covered agent side effects from going rogue.

$ cargo install --path crates/blackwall-cli

Features

01  Shell Interception

Protected commands, evaluated.

PATH-prepended shims catch common agent-spawned commands before execution. Git, curl, npm, python, cloud CLIs, package managers, and more. The real binary only runs after policy approval.

14:23:01  shell.exec  git status
14:23:03  shell.exec  cargo build
14:23:09  shell.exec  npm install express
14:23:12  shell.exec  rm -rf node_modules
14:23:15  shell.exec  sudo rm -rf /
02  MCP Tool Proxy

Policy for tool calls.

Stdio man-in-the-middle on JSON-RPC tools/call. Read tools can pass, side effects can pause, and dangerous payloads can be denied before reaching the server.

14:23:20  mcp.tool_call  read_file
14:23:22  mcp.tool_call  execute_command
14:23:25  mcp.tool_call  search_files
03  Policy Engine

Deterministic decisions.

Three built-in profiles: default, strict, and permissive. Or write your own in YAML. Sub-millisecond evaluation per action.

default | strict | permissive | custom.yaml
04  Human Escalation

Humans stay in the loop.

When the gateway is uncertain, it pauses and prompts the human inline. Allow, deny, or end the session entirely.

⏸ PAUSE: confirmation required
shell.exec rm -rf node_modules
reason: matches confirmation rule 'rm -rf'
allow (a)  deny (d)  end session (x)
05  Anti-Pattern Detection

Behavioral threat modeling.

Sliding window detection catches credential harvesting, sandbox probing, self-modification, data exfiltration, and history tampering.

credential_harvesting  HALT
sandbox_probing        HALT
self_modification      HALT
public_exfiltration    PAUSE
06  Circuit Breaker

Session-level kill switch.

Critical pattern matches trip a circuit breaker, halting all further actions. No recovery without human restart. Rate limiting built in.

Session states: Active · Paused · Halted
07  Full Audit Trail

Every decision, recorded.

Append-only JSONL logs for every action evaluation. Session ID, timestamps, decisions, reasons, sub-millisecond latency. Tail live or query after.

~/.blackwall/logs/7f3a28.jsonl
{"ts":"2025-01-15T14:23:01Z","session":"7f3a28","seq":1,"tool":"shell","op":"exec","target":"git status","decision":"allow","latency_us":42}
{"ts":"2025-01-15T14:23:15Z","session":"7f3a28","seq":2,"tool":"shell","op":"exec","target":"sudo rm -rf /","decision":"deny","reason":"command 'sudo' matches deny rule","latency_us":18}

Configuration

Declarative policy as YAML

Define what's allowed, denied, and what requires confirmation. Patterns, risk thresholds, and temporal rules. All in a single file.

custom-policy.yaml
version: "blackwall/policy-1.0"
name: "production-deploy"

permissions:
  filesystem:
    read:
      allow: ["${WORKSPACE}/**"]
      deny: ["**/.env", "**/*.key"]
    write:
      allow: ["${WORKSPACE}/src/**"]
      confirm: ["${WORKSPACE}/config/**"]
  shell:
    allow: [git, cargo, npm]
    deny: [sudo, su]
    confirm: ["rm -rf", "git push --force"]
  network:
    allow: [github.com, crates.io]
    deny: ["*"]

Default Policy

Action       Allowed                  Denied
File read    Workspace files          .env, secrets, SSH keys
File write   Workspace files          System dirs, .git/config
Shell        git, npm, cargo...       sudo, chmod +s, dd
Network      Registries, GitHub       Everything else

Blocked by default

Pipe-to-shell patterns are always blocked, regardless of policy.

curl ... | sh
wget ... | bash
sudo rm -rf
chmod +s
dd if=
mkfs
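As an added illustration (not Blackwall's own code), the following Python evaluator applies the shell rules from the custom-policy.yaml above in the order the Architecture section gives, Deny → Confirm → Allow → Default deny, with the always-blocked patterns enforced regardless of policy. The in-memory policy dict, the regexes approximating the blocked patterns, and the argv[0]-based binary detection are this example's assumptions.

```python
import os
import re

# Shell rules transcribed from the custom-policy.yaml above (this example's
# in-memory mirror of that file's `shell:` block; a real loader parses YAML).
SHELL_POLICY = {
    "allow": ["git", "cargo", "npm"],
    "deny": ["sudo", "su"],
    "confirm": ["rm -rf", "git push --force"],
}

# The page's always-blocked list. These regexes are this example's
# approximation of those patterns and apply no matter what the policy says.
ALWAYS_BLOCKED = [
    r"\b(curl|wget)\b.*\|\s*(sh|bash)\b",  # pipe-to-shell
    r"\bsudo\s+rm\s+-rf\b",
    r"\bchmod\s+\+s\b",
    r"\bdd\s+if=",
    r"\bmkfs\b",
]

def evaluate_shell(command, policy=SHELL_POLICY):
    """Return (decision, reason) for one shell command.

    Rules are applied in the order the Architecture section describes:
    Deny -> Confirm -> Allow -> Default deny. The always-blocked patterns
    are checked right after the deny rules so no policy can re-enable them."""
    argv = command.split()
    binary = os.path.basename(argv[0]) if argv else ""  # /usr/bin/sudo -> sudo
    if binary in policy["deny"]:
        return "deny", f"command '{binary}' matches deny rule"
    for pat in ALWAYS_BLOCKED:
        if re.search(pat, command):
            return "deny", f"matches always-blocked pattern {pat!r}"
    for phrase in policy["confirm"]:
        if phrase in command:
            return "confirm", f"matches confirmation rule '{phrase}'"
    if binary in policy["allow"]:
        return "allow", f"command '{binary}' matches allow rule"
    return "deny", "no matching rule (default deny)"
```

Note that "git push --force" is paused for confirmation even though git is on the allow list, because confirm rules are consulted before allow rules.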

Integrations

Works with your stack

Cursor, Claude Code, or any agent that runs shell commands or MCP tools. Three lines of config.

Cursor

Shell commands intercepted automatically. Wrap MCP servers in your config.

// .cursor/mcp.json
{
  "mcpServers": {
    "fs": {
      "command": "blackwall",
      "args": [
        "proxy-mcp",
        "--",
        "npx",
        "@mcp/server-fs"
      ]
    }
  }
}

Claude Code

Wrap the process so protected commands Claude spawns are intercepted.

$ blackwall exec -- claude

Codex

Layer Blackwall around Codex while keeping the native sandbox and approvals enabled.

$ blackwall exec -- codex \
    --sandbox workspace-write \
    --ask-for-approval on-request

Any Agent

Wrap any agent process that launches shell commands or stdio MCP servers.

$ blackwall exec -- python agent.py
$ blackwall exec -- node agent.js
 
# Or use the env hook
$ source ~/.blackwall/env

Temporal Detection

Catches what permissions can't

Some attacks look harmless as individual actions. Blackwall detects multi-step sequences over sliding windows, derived from documented frontier model behavior.

credential_harvesting  HALT
  Reading /proc then environment data
  /proc/*/environ → .env

sandbox_probing  HALT
  Process info → network config → external request
  /proc → ifconfig → curl

self_modification  HALT
  Reading then writing MCP/tool configuration
  read mcp.json → write mcp.json

public_exfiltration  PAUSE
  Workspace reads then unknown network requests
  read src/ → POST unknown.com

history_tampering  PAUSE
  Git operations then writing .git internals
  git log → write .git/
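To make the sliding-window idea concrete, here is an added Python sketch (not the project's code) of an ordered-chain detector feeding a session circuit breaker: a HALT pattern trips the breaker and every later action is denied until a human restarts the session, while a PAUSE pattern is reported once and leaves the session running. The tool names, step globs, window size and KNOWN_HOSTS set are constructed for this example; the pattern names and decisions are the page's.

```python
from collections import deque
from fnmatch import fnmatch

# Constructed chains modelled on the page's anti-pattern list: an ordered run of
# (tool, op, target-glob) steps that must all occur, in order, inside the window.
# Names and decisions are the page's; globs, tool names, KNOWN_HOSTS are assumed.
PATTERNS = {
    "credential_harvesting": ("halt", [("fs", "read", "/proc/*/environ"),
                                       ("fs", "read", "*.env")]),
    "self_modification": ("halt", [("mcp", "read", "*mcp.json"),
                                   ("mcp", "write", "*mcp.json")]),
    "public_exfiltration": ("pause", [("fs", "read", "*/src/*"),
                                      ("net", "POST", "*")]),
    "history_tampering": ("pause", [("shell", "exec", "git log*"),
                                    ("fs", "write", "*/.git/*")]),
}
KNOWN_HOSTS = {"github.com", "crates.io"}  # hosts the network policy allows

def _step_matches(step, action):
    tool, op, glob = step
    if tool == "net" and action[2] in KNOWN_HOSTS:
        return False  # only requests to unknown hosts count toward exfiltration
    return action[0] == tool and action[1] == op and fnmatch(action[2], glob)

def _chain_in_window(steps, window):
    """True if every step matches some action in the window, in order."""
    it = iter(window)  # one shared iterator enforces the ordering
    return all(any(_step_matches(s, a) for a in it) for s in steps)

class Session:
    """Sliding-window detector plus the session-level circuit breaker."""
    def __init__(self, window_size=8):
        self.window = deque(maxlen=window_size)  # oldest actions fall off
        self.state = "active"
        self.fired = set()  # patterns already reported for this session

    def observe(self, action):
        """Feed one (tool, op, target) action; return (decision, reason)."""
        if self.state == "halted":
            return "deny", "circuit breaker tripped; human restart required"
        self.window.append(action)
        fired = [(dec, name) for name, (dec, steps) in PATTERNS.items()
                 if name not in self.fired and _chain_in_window(steps, self.window)]
        if not fired:
            return "allow", "no anti-pattern in window"
        decision, name = min(fired, key=lambda f: f[0] != "halt")  # halt wins
        self.fired.add(name)
        if decision == "halt":
            self.state = "halted"  # every later action is denied
        return decision, f"anti-pattern {name}"
```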

Architecture

Four layers of evaluation

Each action passes through four deterministic stages. Sub-millisecond latency. No inference.

1. Circuit Breakers: session halted? Rate limit exceeded?
2. Permissions: Deny → Confirm → Allow → Default deny
3. Pattern Matching: sliding-window anti-pattern detection
4. Risk Scoring: cumulative score with pause/halt thresholds

blackwall / gateway
■ blackwall v0.1.1
policy: default | session: 7f3a28
workspace: /Users/you/project
log: ~/.blackwall/logs/7f3a28.jsonl

detected: mcp (3 servers), cursor, git

shell hook active — new terminals are protected
mcp proxy: blackwall proxy-mcp -- <server-command>

gateway active — press ctrl+c to stop

Stop your AI going rogue

Open source. MIT licensed. Install in under a minute.