Problem

Problem statement

An internal LLM agent had broad tool access — no scoping, no policy gate, and no audit on tool arguments.

Stakes

Why it matters

The trust boundary for a tool-calling agent is the tool call itself. Putting a deterministic proxy there turns an unbounded risk into a small, verifiable question per call.

Threat Model

Threat model

  • Scope escalation through legitimate tools.
  • Exfiltration via tool arguments.
  • Confused-deputy abuse of the agent identity.
  • Unreconstructable sessions after a failure.
Architecture

Architecture

Policy, validation, and redaction run before any call leaves the proxy; every call is hash-chained into the audit log.

Features

Key features

  • Per-tool policy evaluated before the network call.
  • JSON-schema argument validation.
  • Field-level redaction on arguments and outputs.
  • Approval modes (auto / review / blocked).
  • Tamper-evident, replayable audit per session.
Controls

Guardrails & controls

Per-tool policyArgument validationRedactionApproval modesHash-chained audit
Testing

Test scenarios

  • Scope-escalation attempts on legitimate tools.
  • Exfil via argument fields.
  • Confused-deputy invocation.
  • Audit-chain tamper detection.
Workflow

Example workflow

01

Intercept call

The agent's tool call is captured by the proxy.

02

Evaluate policy

Policy and argument schema are checked before any network call.

03

Gate or execute

Consequential tools require approval; others execute under redaction.

04

Chain audit

The call, arguments, and decision are hash-chained into the session log.

Stack

Tech stack

Language
Python 3.12
Policy
Rego-style rules
Interfaces
MCP · HTTP tools
Audit
Append-only, hash-chained
Eval
Red-team session suite
Visuals

Screenshots

Visual placeholders. Replace with real screenshots and a demo video.

UI · POLICY TRACE
DEMO · AUDIT REPLAY
Lessons

Lessons learned

  • Schemas block most bad calls before policy is even consulted.
  • Redaction belongs at the boundary, not in the model.
  • Replay is what makes the audit trustworthy.
Roadmap

Future roadmap

  • Multi-agent delegation graph.
  • Signed audit exports.
  • SOAR SDK shims for agent calls.
Put this to work

Want this pattern in your stack?

This guardrail proxy sits in front of an agent's tool surface and is open work — get in touch if you're building something similar or want to compare notes.