Open Source

Projects

Tools built for the hard parts of AI agent security. Rampart is the prevention layer. Snare is the detection layer. Both are open source and designed for real developer environments, not demos.

rampart

active

Firewall for AI agents

rampart.sh ↗

Rampart intercepts agent tool calls at the OS layer before they execute. Network requests, file writes, subprocess spawns — all evaluated against your policy profile. If an action violates policy, it's blocked. The agent sees a failure; you see a log entry.

  • OS-layer interception via LD_PRELOAD and process shims
  • Policy-as-code: YAML rules, version-controlled
  • Works with Claude Code, Codex, Cursor, Cline, and any MCP server
  • Ships with default profiles tuned for common agents

Install (Linux / macOS):
curl -fsSL https://rampart.sh/install | sh

snare

active

Canary tokens for AI agents

snare.sh ↗

Snare plants fake credentials in the locations agents look — AWS config, GCP service accounts, SSH config, dotenv files. When a compromised agent uses one, the embedded callback URL fires and you get an alert with the exact SDK, IP, and user agent that triggered it.

  • awsproc canary fires before the first network request — at credential resolution time
  • Alerts include SDK user agent, IP, ASN, and location
  • Detects both compromised agents and human attackers
  • 18 canary types: AWS, GCP, Azure, SSH, k8s, Hugging Face, and more

Install (Linux / macOS):
curl -fsSL https://snare.sh/install | sh

How they fit together

Rampart reduces what an agent can do without approval. Snare tells you when credentials are touched or used anyway. The point is not one perfect layer. The point is separate controls that do not depend on the model deciding to behave.

// More tools in development. Follow github.com/peg for early access and research notes.