By The agentjail team

Introducing agentjail

Coding agents take real actions on your behalf, which is exactly what makes them risky. agentjail enforces policy at the tool boundary, offline, before a dangerous call ever runs.

[Figure: a coding agent's tool call passes through agentjail, which evaluates it against local policy and either lets it run or blocks it. Each tool call is checked against local policy before it runs.]

Coding agents got good at doing things. They edit files, run shell commands, hit the network, open pull requests. That is the whole appeal, and it is also the whole problem. The same agent that fixes your failing build can just as easily delete the wrong directory, leak a secret, or run a command you would never have approved.

Today we are releasing agentjail. It is a small guardrail that sits between your coding agent and the tools it can call, and it blocks dangerous calls before they run. It is open source under Apache-2.0, and it is early. This is an alpha.

“Just ask me first” stops working

Most agent safety today comes in two flavors. One is a sandbox, which is all or nothing and miserable to actually work in. The other is a permission prompt on every action, which holds up right until the tenth prompt of the task, when you stop reading them and just click “allow.” Neither one looks at what the agent is actually trying to do.

And the calls that bite you are rarely dramatic. It is usually something mundane, like “clean up the temp files” or “reset the environment.” A capable agent takes that a little too literally, points it at a path that happens to matter, and now you have a problem.

Policy at the boundary

agentjail takes a different angle. Instead of trusting the agent or interrogating you, it checks every tool call at the boundary, right before the call runs, no matter why the agent wants to make it.

A rule is just a condition over the tool call:

deny[msg] {
  # Fires only for shell commands
  input.tool == "Bash"
  # ...whose text mentions the SSH key directory
  contains(input.tool_input.command, "/.ssh/")
  msg := "Blocked: command targets sensitive path ~/.ssh/"
}

Rules run locally. There is no network round trip and no model in the loop at decision time, so the check is fast and gives the same answer every time. Every rule that ships is plain text you can read, and you keep your own rules in version control next to everything else.
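To make the boundary check concrete, here is an added illustration of evaluating deny rules over a tool call locally, with no network and no model in the loop. It is example code written for this post, not agentjail's implementation. The tool-call shape (a "Bash" tool with tool_input.command) follows the rule above; the DenyRule and Decision types, the optional "cwd" field, the home directory, and the sample calls are all assumptions. It goes one step beyond the substring rule by resolving ~, $HOME and relative paths, and it fails closed on a command it cannot tokenise.

```python
# Added illustration (not agentjail's own code) of local deny-rule evaluation
# at the tool boundary. The tool-call shape (tool, tool_input.command) follows
# the post's rule; DenyRule/Decision, the "cwd" field, the home directory and
# the sample calls are assumptions made for this example.
import os
import shlex
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class DenyRule:
    name: str
    condition: Callable[[dict], bool]  # True when the call must be denied
    msg: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: Tuple[str, ...]  # message of every rule that fired


def bash_command(call: dict) -> str:
    """Return the Bash command of a tool call, or "" for any other tool."""
    if call.get("tool") != "Bash":
        return ""
    return call.get("tool_input", {}).get("command", "")


def tokens_of(command: str) -> Optional[List[str]]:
    """Shell-tokenise a command; None if it cannot be parsed (e.g. open quote)."""
    try:
        return shlex.split(command)
    except ValueError:
        return None


def touches_dir(tokens: List[str], sensitive_dir: str, home: str, cwd: str) -> bool:
    """True if any token resolves to sensitive_dir or a path below it.
    Expands ~ and $HOME from the given home (not the environment) and
    resolves relative paths against cwd; absolute tokens are kept as-is."""
    target = os.path.normpath(sensitive_dir)
    for tok in tokens:
        cand = tok.replace("$HOME", home)
        if cand == "~" or cand.startswith("~/"):
            cand = home + cand[1:]
        cand = os.path.normpath(os.path.join(cwd, cand))
        if cand == target or cand.startswith(target + os.sep):
            return True
    return False


def build_rules(home: str) -> List[DenyRule]:
    ssh_dir = os.path.join(home, ".ssh")

    def ssh_substring(call: dict) -> bool:
        # The post's rule, transcribed: a Bash command containing "/.ssh/"
        return "/.ssh/" in bash_command(call)

    def ssh_path(call: dict) -> bool:
        # Path-aware variant: also catches "~/.ssh", "$HOME/.ssh", ".ssh/config"
        toks = tokens_of(bash_command(call))
        return bool(toks) and touches_dir(toks, ssh_dir, home, call.get("cwd", home))

    def unparseable(call: dict) -> bool:
        # Fail closed: a command the checker cannot tokenise is not evaluated, it is denied
        cmd = bash_command(call)
        return bool(cmd) and tokens_of(cmd) is None

    return [
        DenyRule("ssh-substring", ssh_substring,
                 "Blocked: command targets sensitive path ~/.ssh/"),
        DenyRule("ssh-path", ssh_path,
                 "Blocked: command resolves to a path under ~/.ssh"),
        DenyRule("unparseable", unparseable,
                 "Blocked: command could not be parsed; refusing to guess"),
    ]


def evaluate(call: dict, rules: List[DenyRule]) -> Decision:
    """Run every rule; the call is allowed only if no deny rule fires."""
    reasons = tuple(r.msg for r in rules if r.condition(call))
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample tool calls, not captured from any real agent session.
SAMPLE_CALLS = [
    {"tool": "Bash", "tool_input": {"command": "cat ~/.ssh/id_ed25519"}},
    {"tool": "Bash", "tool_input": {"command": "ls $HOME/.ssh"}},
    {"tool": "Bash", "tool_input": {"command": "cat .ssh/config"}, "cwd": "/home/dev"},
    {"tool": "Bash", "tool_input": {"command": "rm -rf /tmp/build-cache"}},
    {"tool": "Bash", "tool_input": {"command": "echo 'unterminated"}},
]

if __name__ == "__main__":
    rules = build_rules("/home/dev")
    for call in SAMPLE_CALLS:
        d = evaluate(call, rules)
        print("ALLOW" if d.allowed else "DENY ", call["tool_input"]["command"], d.reasons)
```

The substring rule from the post and the path-aware rule sit side by side so you can see where they diverge: "ls $HOME/.ssh" has no trailing slash and slips past the substring check but not the resolved-path check. Every decision is a pure function of the call and the rule list, which is what lets it run fast and return the same answer every time.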

Try it

It installs as a single binary plus a default policy bundle:

curl -fsSL https://agentjail.io/install.sh | sh

Point your agent’s pre-tool-use hook at agentjail and it starts checking calls before they run. The docs walk through installing it, wiring it into your agent, and the policy model.

Where this is going

The default rules catch the obvious stuff. The harder and more interesting goal is a policy model expressive enough to capture your team’s real boundaries without burying anyone in prompts. We are building it in the open, so issues, rules, and blunt feedback are all welcome on GitHub.

If you run agents anywhere they can touch something you care about, give it a try and tell us where it gets in your way.