Case Study

Blackwall – execution firewall for AI agents

A deterministic, policy-driven firewall that sits between coding agents and the rest of your machine. Every file, shell, and tool call is evaluated against YAML policy before it runs, with inline human confirmation for risky patterns and a structured audit log you can actually read.

Rust · Next.js · TypeScript · MCP · Cursor

Problem & Context

Agent-based coding tools are powerful, but they run with your full permissions. "Yes to all" approval flows trade safety for speed; sandbox-based approaches trade integration for isolation. Blackwall aims at the missing middle: a deterministic, always-on gate that lives between the agent and the real system, so obviously-bad calls never fire and ambiguous ones pause for a human without breaking the agent's flow.

Implementation

  • Rust gateway with PATH shims: installs shims for common binaries (shell, file utilities, package managers) so invocations are transparently routed through Blackwall before hitting the real executable.
  • MCP stdio proxy: wraps Model Context Protocol servers, so any MCP tool call the agent makes is inspected and evaluated the same way as raw shell calls — one policy model across both surfaces.
  • YAML policy engine: a rule-based evaluator with allow / deny / pause outcomes. Rules can match on command, args, paths, and patterns; the engine is deterministic and designed to be reviewable.
  • Inline human confirmation: risky or ambiguous patterns pause and prompt the developer in-context instead of silently allowing or killing the agent.
  • JSONL audit log: every decision (allow, deny, pause, override) is appended to a structured log — useful for debugging agent runs, replaying incidents, and tightening policy over time.
  • Next.js marketing site + Cursor install flow: shipped alongside the core firewall, with commands like blackwall init and proxy-mcp that drop a working setup into a Cursor project.
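To make the allow / deny / pause model and the JSONL audit record concrete, here is a small Rust sketch of a first-match policy evaluator. It is an added example written for this page, not Blackwall's own code: the rule fields (command, arg_contains, path_prefix), the first-match semantics, the default outcome, the sample rules, and the audit record layout are all assumptions chosen for illustration. The policy is held in plain Rust structs rather than parsed from YAML so the block runs without dependencies.

```rust
// Added example (not Blackwall's code): a deterministic allow / deny / pause
// evaluator over an ordered rule list, plus one JSONL audit line per decision.
// Rule shape, field names, match semantics and sample rules are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Outcome {
    Allow,
    Deny,
    Pause,
}

impl Outcome {
    fn as_str(self) -> &'static str {
        match self {
            Outcome::Allow => "allow",
            Outcome::Deny => "deny",
            Outcome::Pause => "pause",
        }
    }
}

/// One policy rule. Every populated field must match for the rule to fire;
/// `None` means "don't care". Rules are checked in order; the first match wins,
/// which keeps the decision deterministic and easy to review.
#[derive(Debug, Clone)]
pub struct Rule {
    pub id: &'static str,
    pub command: Option<&'static str>,      // exact match on the command name
    pub arg_contains: Option<&'static str>, // substring present in any argument
    pub path_prefix: Option<&'static str>,  // any argument starts with this path
    pub outcome: Outcome,
}

/// A call the gateway intercepted, from a PATH shim ("shell") or the MCP proxy ("mcp").
#[derive(Debug, Clone)]
pub struct ToolCall {
    pub surface: &'static str,
    pub command: String,
    pub args: Vec<String>,
}

fn rule_matches(rule: &Rule, call: &ToolCall) -> bool {
    if let Some(cmd) = rule.command {
        if call.command != cmd { return false; }
    }
    if let Some(needle) = rule.arg_contains {
        if !call.args.iter().any(|a| a.contains(needle)) { return false; }
    }
    if let Some(prefix) = rule.path_prefix {
        if !call.args.iter().any(|a| a.starts_with(prefix)) { return false; }
    }
    true
}

/// Walk the rules in order; the first match decides. Unmatched calls get `default`
/// (Pause here, so anything the policy does not recognise asks a human).
pub fn evaluate(rules: &[Rule], call: &ToolCall, default: Outcome) -> (Outcome, Option<&'static str>) {
    for rule in rules {
        if rule_matches(rule, call) {
            return (rule.outcome, Some(rule.id));
        }
    }
    (default, None)
}

/// Minimal JSON string escaping so shell arguments cannot break the audit record.
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// One JSONL audit record. `seq` stands in for a timestamp so the output is reproducible.
pub fn audit_line(seq: u64, call: &ToolCall, outcome: Outcome, rule_id: Option<&str>) -> String {
    let args: Vec<String> = call.args.iter().map(|a| format!("\"{}\"", json_escape(a))).collect();
    let rule = match rule_id {
        Some(r) => format!("\"{}\"", json_escape(r)),
        None => "null".to_string(),
    };
    format!(
        "{{\"seq\":{},\"surface\":\"{}\",\"command\":\"{}\",\"args\":[{}],\"decision\":\"{}\",\"rule\":{}}}",
        seq, json_escape(call.surface), json_escape(&call.command), args.join(","), outcome.as_str(), rule
    )
}

/// Constructed sample policy for this example; not Blackwall's shipped defaults.
pub fn sample_policy() -> Vec<Rule> {
    vec![
        // "--force" also matches "--force-with-lease"; a deliberately conservative rule.
        Rule { id: "deny-force-push", command: Some("git"), arg_contains: Some("--force"), path_prefix: None, outcome: Outcome::Deny },
        // Any surface (shell or MCP) touching the SSH directory pauses for confirmation.
        Rule { id: "pause-ssh-dir", command: None, arg_contains: None, path_prefix: Some("/home/dev/.ssh/"), outcome: Outcome::Pause },
        Rule { id: "allow-cargo", command: Some("cargo"), arg_contains: None, path_prefix: None, outcome: Outcome::Allow },
    ]
}

/// Helper to build a call from constructed sample values.
pub fn intercepted(surface: &'static str, command: &str, args: &[&str]) -> ToolCall {
    ToolCall { surface, command: command.to_string(), args: args.iter().map(|a| a.to_string()).collect() }
}

fn main() {
    let policy = sample_policy();
    let calls = vec![
        intercepted("shell", "cargo", &["test"]),
        intercepted("shell", "git", &["push", "--force", "origin", "main"]),
        intercepted("mcp", "write_file", &["/home/dev/.ssh/authorized_keys", "<constructed key material>"]),
        intercepted("shell", "ls", &["-la"]),
    ];
    for (i, c) in calls.iter().enumerate() {
        let (outcome, rule) = evaluate(&policy, c, Outcome::Pause);
        println!("{}", audit_line(i as u64, c, outcome, rule));
    }
}
```

Two design points carry over to any engine of this shape: the rule that fired is recorded alongside the decision, so an audit log line can be traced back to the policy text that produced it, and the default for unmatched calls is Pause rather than Allow, so a gap in the policy costs a confirmation prompt instead of an unreviewed execution.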

Outcomes

Shipped a working end-to-end flow: install Blackwall, point your agent at it, get deterministic policy-based guardrails across shell and MCP tool calls with a usable audit trail. The project became a forcing function for thinking about agent safety as infrastructure rather than a model capability — something boring, reviewable, and in the critical path by default.