How does the gate stop a bad command?

You add infraveil-guard as an MCP server and tell the agent, in its instructions, to call guard_action before running any shell, SQL, or infrastructure command. The guard classifies the command's blast radius; safe ones pass and are logged, but a destructive, irreversible one is blocked and returns an action id. The agent cannot approve it - only you can, by running a command in your own terminal that mints a one-time code. The agent passes that code back, and only then does the command run.

Which agents does this work with?

Any MCP client. This generator outputs the exact config for Claude Code, Cursor, and Windsurf, plus a generic mcpServers block that works anywhere MCP is supported. The agent instruction is the same idea everywhere: route commands through guard_action and only proceed on proceed: true.

Is infraveil-guard free and open source?

Yes. infraveil-guard is AGPL-licensed and runs entirely on your machine with no account and no network - you can read every line. It is about 400 lines of plain Python. This generator just produces the config to wire it in; the gate itself is the open-source package.

Free & open source · Runs in your browser

Put a seatbelt on your AI agent.

Coding agents are great until the one time they run rm -rf in the wrong directory or drop the production database. This generates the config to wire in infraveil-guard — so destructive commands stop and wait for your approval. The agent can't approve itself.

Your agent

Gate at

Mode

MCP config

Agent rule

Install

Cooperative, but un-self-approvable

The viral incidents — an agent that deleted a production database in seconds, backups and all — happened because nothing sat between the model deciding to run a command and the command running. The fix isn't to stop using agents; it's to make the destructive, irreversible actions wait for a human. That's all this does, and it does it by construction: the agent calls the gate, the gate blocks the dangerous ones, and only a human, in their own terminal, can mint the one-time code that lets one through. Every decision lands in a tamper-evident local log.

It's a cooperative guardrail — it works because the agent is told to route through it, not because it traps the agent. For a gate the agent genuinely cannot skip, because it runs inside a governed runtime with central audit across a whole fleet, that's the full Infraveil control plane. This is the seatbelt; that's the system.

Related free tools

Command risk checkerIs this command safe?AI-agent blast-radius checkerWhat can your agent destroy?

All free tools →

Free, open source, runs on your machine.

infraveil-guard is AGPL and about 400 lines of plain Python you can read end to end — no account, no network, no telemetry. Wire it in with the config above, or go deeper with the Infraveil control plane for your whole backend.

About infraveil-guard

Get the AI-agent safety playbook

How to let agents touch production without letting them detonate it. No spam.