Give agents prod access and still sleep easy
Claw Patrol holds agent credentials, parses their traffic at the wire, and gates actions they take with rules you write, all while keeping an audit log of every action.
curl -fsSL https://clawpatrol.dev/install.sh | sh
OAuth scopes, IAM roles, and Kubernetes RBAC decide which services an agent can reach. They don’t decide what it can do once connected. The agent that can talk to Postgres can DROP TABLE as easily as SELECT.
If the agent is compromised by prompt injection, the credentials it holds leak with it. Keys should live somewhere the agent can never see.
An agent’s work fans out across Postgres, Kubernetes, GitHub, and Slack. Reconstructing what it actually did means stitching together logs from each service. With a fleet, the question ‘what just happened?’ has no straight answer.
Nothing in the agent changes to use Claw Patrol.
# Join your device to a gateway
$ clawpatrol join https://gw.example.com
# Run your agent through it
$ clawpatrol run codexEvery outbound request runs through a rule engine before it reaches its destination. Match on HTTP method, SQL verb, k8s resource, plugin-defined facets; not just URLs. Edits are hot: save a rule in the dashboard, the next request sees it.
Match anything on the wire
Method, path, headers, body. Any host, any service. Match an HTTP request shape, route it through an LLM judge before it goes out.
# Customer-support replies sent from the agent are scanned by an LLM
# judge before they go out: catches offensive content, missing
# salutations, and markdown that shouldn't ship.
rule "support-reply-on-behalf" {
endpoint = http.deno-deploy
condition = <<-CEL
http.method == 'POST'
&& http.path == '/api/admin.supportTickets.replyOnBehalf'
CEL
approve = [llm_approver.reply-content-judge]
}Postgres and ClickHouse traffic parsed verb-by-verb. Match by SQL verb, table, function name, and substrings of the statement itself.
# Block Postgres functions that could read the filesystem or open
# outbound connections from inside the database — pg_read_file,
# lo_get, and the whole dblink family.
rule "pg-banned-functions" {
endpoint = postgres.pg-staging
priority = 100
condition = <<-CEL
sets.intersects(sql.functions, [
'pg_read_file', 'pg_read_binary_file', 'lo_get',
])
|| sql.functions.exists(f, f.startsWith('dblink_'))
CEL
verdict = "deny"
reason = "filesystem-reaching function"
}API calls to kube-apiserver. Match by namespace, resource, verb, and name. Catch destructive verbs on the wrong cluster, or hand exec commands to an LLM.
# kubectl exec is gated by an LLM judge that reads the command argv:
# allows ls / ps / df, denies env dumps, sensitive file reads, and
# anything touching pod tokens or container sockets.
rule "k8s-exec-content-check" {
endpoints = [kubernetes.k8s-dev, kubernetes.k8s-prod]
priority = 500
condition = "k8s.resource == 'pods/exec'"
approve = [llm_approver.k8s-exec-content-judge]
}Extend Claw Patrol with plugins Read more →
Defer the ambiguous requests. A model with your prompt, or a person in Slack. You decide which one runs when.
require_llmA model with a custom prompt votes on each request. Verdicts are cached so it doesn’t re-bill.
approver "llm_approver" "secret-judge" {
model = "claude-haiku-4-5-20251001"
credential = anthropic_manual_key.anthropic-key
policy = "Reject any SELECT that projects secret-bearing columns."
}POST /tickets/reply { body: "RTFM you moron" }moron.require_humanA person votes in Slack, the dashboard, or your own webhook. Times out closed if no one’s home.
approver "human_approver" "ops" {
channel = "#agent-ops"
credential = slack_tokens.slack-bot
timeout = 600
}/repos/acme/checkoutRecord real actions from the dashboard. Drop the JSON files into a fixtures directory. Run clawpatrol test in CI: when a policy change flips a verdict, the runner prints the diff and fails the build.
No gateway, no database, no auth. A single binary that loads your HCL, replays each fixture against the rule engine, and asserts the verdicts still match.
$ clawpatrol test deno.hcl tests/
ok tests/anthropic-implicit-allow.json
ok tests/clickhouse-default-deny.json
ok tests/clickhouse-read.json
ok tests/deno-com-require-approval.json
ok tests/deno-deploy-read.json
ok tests/github-api-implicit-allow.json
ok tests/k8s-allow-meta.json
ok tests/k8s-debug-pods.json
ok tests/k8s-default-deny.json
FAIL tests/k8s-no-secrets.json
want verdict="deny" rule="k8s-no-secrets"
got verdict="allow" rule="k8s-no-secrets"
ok tests/k8s-reads.json
ok tests/orb-dev2-immutable-operations-allow.json
ok tests/pg-staging-banned-functions.json
ok tests/pg-staging-default-deny.json
ok tests/pg-staging-reads.json
36 action(s) checked, 1 mismatch(es)A walkthrough of the operator UI at demo.clawpatrol.dev. Drill into any request to see what the gateway captured.
Most tools tackle one side of the issue. Claw Patrol does it all..
What the agent does after the LLM replies lives outside their view.
HTTP only. Non-HTTP protocols like Postgres, k8s, and SSH bypass them entirely.
Confines what the agent can touch, not whether each action makes sense.
Secrets stay outside the agent, but the request content itself passes through.
Claw Patrol covers them all.
The proxy holds your secrets and watches every byte your agents send. It has to be auditable, so it’s MIT licensed.
curl -fsSL https://clawpatrol.dev/install.sh | sh