{"id":50322497,"url":"https://github.com/denoland/clawpatrol","last_synced_at":"2026-06-11T01:01:34.502Z","repository":{"id":359358249,"uuid":"1223425250","full_name":"denoland/clawpatrol","owner":"denoland","description":"Security firewall for agents","archived":false,"fork":false,"pushed_at":"2026-06-05T23:17:32.000Z","size":32314,"stargazers_count":602,"open_issues_count":75,"forks_count":25,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-06-07T12:04:08.648Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://clawpatrol.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/denoland.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-04-28T10:05:23.000Z","updated_at":"2026-06-07T08:44:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/denoland/clawpatrol","commit_stats":null,"previous_names":["denoland/clawpatrol"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/denoland/clawpatrol","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denoland%2Fclawpatrol","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denoland%2Fclawpatrol/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denoland%2Fclawpatrol/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denoland%2Fclawpatrol/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/denoland","download_url":"https://codeload.github.com/denoland/clawpatrol/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/denoland%2Fclawpatrol/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34146871,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-29T04:00:19.365Z","updated_at":"2026-06-11T01:01:34.489Z","avatar_url":"https://github.com/denoland.png","language":"Go","funding_links":[],"categories":["Provenance, Instrumentation \u0026 Observability"],"sub_categories":[],"readme":"# clawpatrol\n\nThe security firewall for agents.\n\nClaw Patrol sits between your agents and prod, parses their traffic\nat the wire, and gates each action against rules you write in HCL.\nFor example, you can block destructive SQL, or pause `kubectl delete pod`\nuntil a human approves it before the request reaches Kubernetes.\n\nFor the full overview see [clawpatrol.dev](https://clawpatrol.dev).\n\n## Install\n\n```\ncurl -fsSL https://clawpatrol.dev/install.sh | sh\n```\n\nFrom source: `make` (requires Go and Node.js).\n\n## A rule\n\nA real rule from our own production config:\n\n```hcl\nrule \"k8s-no-secrets\" {\n  endpoint  = k8s-prod\n  condition = \"k8s.resource == 'secrets'\"\n  verdict   = \"deny\"\n  reason    = \"Secret values must not leave the cluster via the agent\"\n}\n```\n\nConditions are CEL expressions over wire-level facts the gateway\nextracts per protocol: SQL verbs and table names for Postgres /\nClickHouse, resource / verb / namespace for Kubernetes, method /\npath / headers / body for HTTP. The full set of facts lives in the\n[config reference](https://clawpatrol.dev/docs/config-reference).\n\n## Run\n\nThree deployment shapes; pick whichever fits.\n\n```\nclawpatrol gateway config.hcl   # run the proxy itself\nclawpatrol join \u003cgateway-url\u003e   # join a gateway\nclawpatrol run claude           # wrap one agent's process tree\n```\n\n`clawpatrol run` opens a per-process tunnel on Linux (via netns) or\nmacOS (via NetworkExtension); only the wrapped command's traffic\ngoes through the gateway. `clawpatrol join` brings up a WireGuard\ntunnel that routes the whole host. `clawpatrol gateway` is the\nproxy: a single binary that loads your HCL config and accepts\nclients tunneling in via WireGuard or Tailscale.\n\n## Configure\n\n[clawpatrol.dev/docs/getting-started](https://clawpatrol.dev/docs/getting-started)\nwalks through a first config end-to-end.\n[clawpatrol.dev/docs/config-reference](https://clawpatrol.dev/docs/config-reference)\nis the auto-generated field reference. See\n[`gateway.example.hcl`](examples/gateway.example.hcl) for an\nannotated starting template.\n\n## License\n\nMIT. See [LICENSE.md](LICENSE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenoland%2Fclawpatrol","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdenoland%2Fclawpatrol","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdenoland%2Fclawpatrol/lists"}