AvaKill
The AI Safety Firewall.
New AvaKill v1.2.0 — Ship Agents Safely →One YAML policy. Three independent enforcement paths. Every agent protected. Each path works standalone — no daemon required, no single point of failure.
Native hooks for Claude Code, Cursor, Windsurf, Gemini CLI, Codex, Kiro, and Amp. MCP proxy for tool servers. OS-level sandboxing. <1ms overhead.
›Quick Start
Works on macOS, Linux & Windows. Use pipx or a virtualenv on macOS.
›How It Works
One Policy File
avakill.yaml is the single source of truth. Deny-by-default, allow lists, rate limits, argument pattern matching. Version-controlled security for every agent.
Native Agent Hooks
Drop-in hooks for Claude Code, Cursor, Windsurf, Gemini CLI, Codex, Kiro, and Amp. One command to install. Works standalone, evaluates in-process — no daemon required.
MCP Proxy
Wraps any MCP server with policy enforcement. Scans tool responses for secrets, PII, and prompt injection. Works standalone, evaluates in-process.
OS Sandbox
Launch agents in OS-level sandboxes. Landlock on Linux, sandbox-exec on macOS, AppContainer on Windows. Deny-default, kernel-level enforcement.
Sub-Millisecond
Pure rule evaluation, no ML models. Adds <1ms overhead to tool calls that already take 500ms–5s. Three enforcement paths, zero bottlenecks.
Optional Daemon
Shared evaluation, audit logging, and visibility tooling. Hooks and proxy can talk to it when running. Enables logs, tracking, approvals, and metrics.
›Works With Everything
›Community
›See It In Action
›Support AvaKill
AvaKill is free and open source. If it's protecting your agents and infrastructure, consider sponsoring the project. Your support helps us maintain, improve, and keep it independent.
I'm Logan. I built AvaKill after one too many horror stories about AI agents nuking prod. If you're using it, have questions, or just want to talk shop — reach out.