Workloft
▸ WORKLOFT LABS NEWS №33 · 05 JULY 2026

Claw Patrol Keeps the Agent's Keys Off the Agent

Claw Patrol routes an agent through a gateway that holds the real credentials and swaps them in on the wire. The interesting part is where it sits, below the process, so it works even when you cannot trust the agent.

REG FIT ●●● · STRONG · ANY AGENT WITH PRODUCTION CREDENTIALS

§1 The launch

Claw Patrol turned up on Hacker News this week from Deno, with a description that undersells it: an open-source security firewall for agents. The problem it names is the one everybody running agents already has. An agent has to reach real systems to be useful, a database, a Kubernetes cluster, a GitHub token, and the moment it can reach them it can also wreck them. You cannot ask the agent to police itself, because the agent is the thing you do not trust. So Claw Patrol moves the policing off the agent entirely. It is MIT licensed, and the authors are blunt that it is alpha: the protocol coverage is "as broad as we need it", meaning theirs, not yet everyone's.

§2 Keys the agent never holds

Start with the part that made us sit up. In a normal setup the agent holds its credentials. It has the database password, the API token, the kubeconfig, because it needs them to do the work. That means a compromised agent, a prompt-injected one, or just a buggy one, leaks exactly what it holds.

Claw Patrol holds them instead. The credentials live on the gateway, not the agent. The agent sends a placeholder, literally {{github_pat}}, and the gateway swaps in the real token on the wire before the request leaves. The agent never sees the secret. You cannot leak a key you were never given. That is not a mitigation, it is the removal of a whole class of leak, and it is the sort of idea that looks obvious only after someone has built it.

§3 Where it sits

The credential trick is possible because of where Claw Patrol sits, and that is the real story. The agent's traffic runs through a WireGuard or Tailscale tunnel to a gateway. The gateway terminates TLS, parses the protocol inside, and applies your rules before anything reaches production. It understands HTTP down to the method, path and body; SQL down to the verb, the tables and the functions; Kubernetes down to the verb, resource and namespace. Rules are written in HCL, the conditions are CEL expressions over those parsed facts, and a verdict is allow, deny, or an approval chain that can mix an LLM judge with a human. You can block a destructive SQL statement outright, or hold a kubectl delete pod until a person clicks approve, and the request simply never lands until then.

Notice what layer that is. It is not a wrapper around the agent's tool calls, and it is not a hook inside the agent's shell. It is the wire. Whatever the agent process does, however it was jailbroken, whatever clever thing it decided to run, its traffic still has to cross the gateway, and the gateway does not care what the agent believes it is doing. It sees connections and reads them. That distinction matters more than it looks, and we will come back to it.
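To make the two mechanisms above concrete, the placeholder swap from §2 and the parsed-protocol rules from §3, here is an added Python sketch of a gateway. It is not Claw Patrol's code and borrows none of its HCL or CEL syntax; the vault contents, rule names and HTTP samples are constructed for the example. The order of operations is the point: policy runs over the parsed request first, and the real token is only filled in, and only into the Authorization header, for a request that was allowed.

```python
import re
from collections import namedtuple
# Constructed sample vault: the gateway holds the secret, the agent knows only its name.
VAULT = {"github_pat": "ghp_CONSTRUCTED_EXAMPLE_TOKEN"}
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
Request = namedtuple("Request", "method path headers body")

def parse_http(raw: str) -> Request:
    """Parse method, path, headers and body out of a raw HTTP/1.1 message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return Request(method, path, headers, body)

# Rules as (name, condition over parsed facts, verdict); first match wins, default deny.
# A stand-in for HCL rules with CEL conditions, not the project's syntax.
RULES = [
    ("deny-repo-delete", lambda r: r.method == "DELETE" and r.path.startswith("/repos/"), "deny"),
    ("hold-protection-change", lambda r: r.method in ("PUT", "PATCH") and r.path.endswith("/protection"), "approve"),
    ("allow-read", lambda r: r.method == "GET", "allow"),
]

def evaluate(req: Request) -> str:
    for _name, condition, verdict in RULES:
        if condition(req):
            return verdict
    return "deny"

def substitute(req: Request) -> Request:
    """Expand placeholders only in the Authorization header; a placeholder the agent
    echoes into a body or query string is left as-is and never becomes the secret."""
    def fill(match):  # an unknown placeholder name raises KeyError rather than passing through
        return VAULT[match.group(1)]
    headers = dict(req.headers)
    if "authorization" in headers:
        headers["authorization"] = PLACEHOLDER.sub(fill, headers["authorization"])
    return req._replace(headers=headers)

def gateway(raw: str):
    """Policy first, then credential swap: a denied or held request never carries
    the real token. Returns (verdict, outbound request or None)."""
    req = parse_http(raw)
    verdict = evaluate(req)
    if verdict != "allow":
        return verdict, None
    return verdict, substitute(req)
```

A real gateway would parse SQL and Kubernetes the same way and route the "approve" verdict to a human or LLM judge; this sketch stops at the verdict.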

§4 The catch

The honest boundaries are stated on the tin. It is alpha, and the protocols it parses are the ones Deno happened to need, so your stack may want one it does not speak yet. The docs explain how to add them, which is not the same as it being done. It is a gateway you run, which means one more thing in the hot path, one more binary to keep alive, and one more box that, because it terminates TLS, sees every request in the clear. You have concentrated the secrets and the visibility in a single place. That is a good trade if the place is hardened and a bad one if it is an afterthought. And it is not a managed service, so the gateway is your metal and your uptime.

None of this is a knock. A firewall that sees everything is how firewalls work. But "the gateway holds all the keys and reads all the traffic" is a sentence worth saying out loud before you deploy one, because it tells you exactly what to protect.

§5 What it means for builders

Two weeks ago we wrote about Bastion, which gives every agent its own microVM, and we made a point then that we will make again now: isolation has two halves. Bastion solves the first, the blast radius between agents, so agent A cannot wreck agent B. The half it left open was the blast radius inside a single agent. A perfectly isolated agent still holds your key and your write access, and, we wrote, that is a permissions question, and no hypervisor answers it.

Claw Patrol is an answer to exactly that question. It does nothing about neighbours. It is entirely about what one agent is allowed to do with the authority it was given. And it draws that boundary at the wire rather than inside the agent, which is the move worth taking away. We have admitted before that our own hardest gap is that we cannot reliably hook everything a background agent's shell does. A control that lives below the process, on the connection, sidesteps that, because it never has to trust the process in the first place.

So the thing to notice is not a product, it is a direction. The unit of isolation moved from the process to the machine with Bastion. The unit of control is now moving from the agent to the connection. You put the machine around the agent to protect its neighbours, and you put the gateway in front of it to protect everything it can reach. Buy neither expecting it to do the other job. The interesting part was never the firewall. It is that the trustworthy place to enforce a rule is the one the agent cannot touch.


Methodology note. We cover this because Workloft runs an autonomous background-agent fleet, so "what is the agent allowed to reach" is an operational question here, not a thought experiment. We flagged this exact gap twice already: in our Bastion piece (machine isolation does not bound within-agent authority) and in our own incident write-ups, where we admitted we cannot reliably hook everything a subagent's shell does. Claw Patrol is Deno's launch, not ours. We are arguing about what it means, not claiming we built it. The angle is layer: the trustworthy place to enforce a rule is the one the agent cannot touch. Sources: deno.com/blog/clawpatrol, clawpatrol.dev, github.com/denoland/clawpatrol, and the Show HN thread.