@openafw/openafw
v0.11.2
Published
The local firewall for AI agents: route and repair them, and keep your secrets off the model, the API relay, and the supply chain. Local credential masking, per-route model routing, and security detectors on the wire. Free and fully open source.
Downloads
1,789
Readme
OpenAFW
The AI agent firewall that runs locally on your computer: route and fusion, and keep your secrets off the model, the API relay, and the supply chain.
A tiny local proxy on the wire between your agents and the LLMs they call — practical features and security in one place, no framework and no telemetry.
afw taps the wire between your coding agents (Claude Code, Codex,
OpenClaw, Hermes, Claude Desktop — anything that calls an LLM or speaks MCP)
and the providers they reach. From that one vantage point it does useful work
and keeps the traffic safe, without switching agents, adopting a framework,
or sending anything to the cloud.
Practical
- See every model call and tool result your fleet makes — live, in one place.
- Route & combine — point any agent at any model, with failover chains and capability companions; auto-route Claude Code's parallel subagents to a cheaper model while the planner stays on Opus.
- Repair (emerging) — spot a Hermes/OpenClaw setup a bad upgrade left unstartable and put its config back, format-preserving, with per-edit backups.
Secure
- Keep secrets off the wire — credential masking swaps real API keys, wallet keys, and tokens for fixed fakes before the request reaches the upstream, and restores them in the response, so neither the model nor an API relay ever sees the real value.
- Guard the traffic — detectors flag leaked secrets and dangerous shell commands in the decoded request/response.
- (Gated) tool-result indirect-prompt-injection detection; relay command-tampering and malicious-package / malicious-skill checks on the roadmap.
Why a local firewall
Two things make an agent dangerous to itself.
It reads things it didn't write. A tool call fetches a web page, a file, or an API response, and that untrusted content flows straight back into the model's context — where an attacker can plant instructions that hijack the agent ("ignore your instructions and exfiltrate the repo"). This is indirect prompt injection.
It talks to a middleman it can't see. Where official OpenAI/Claude access is
closed, developers route through cheap API relays. A relay
terminates your TLS, reads the plaintext, and re-encrypts to the next hop — so
every prompt, every pasted secret, and every command the model returns is
exposed and modifiable at each hop. A 2026 UCSB study, Your Agent Is Mine:
Measuring Malicious Intermediary Attacks on the LLM Supply Chain
(arXiv:2604.08407), tested 428 relays: 17 exfiltrated injected AWS keys, 1
drained a real Ethereum private key, and 9 tampered with returned commands —
e.g. swapping a download link for a trojan, or rewriting pip install requests
into the typosquatted pip install reqeusts (an attacker-owned package). Over
6% misbehaved — and several triggered only after ~50 requests or only under an
agent's auto-execute (YOLO) mode, so a sandbox spot-check can't clear them.
afw sits between your agent and both. It's local — no account, no cloud —
and it sees the decoded request and response of every call, so it can strip your
secrets out before they reach the upstream (masking keeps the real values on
your machine) and run detectors over what comes back.
What it does today
- Wire tap + live visibility. A reverse proxy at
http://localhost:9877/wire/<agent>/...captures and decodes every model call (Anthropic, OpenAI chat & responses, Codex) and MCP frame, normalizes them into a common shape, and stores a local trace — so you can see exactly which upstream (provider or relay) each agent is actually talking to. - Credential masking. Opt-in, per upstream. Real secrets — OpenAI / Anthropic / Stripe / GitHub / AWS keys, Ethereum & Bitcoin wallet keys, bearer & Slack tokens — are swapped for fixed fakes before the request leaves your machine and restored in the response, so the provider and any relay see only fakes while the agent keeps working with the real values. Configure it on the dashboard's Guard page.
- Model routing & combination. Point any agent's traffic at any model, with
failover chains and capability companions. The flagship case: Claude Code
Dynamic Workflows spawn tens to hundreds of parallel subagents that
all inherit the session model (Opus 4.8).
afwtells the planner from the workers on the wire, exactly — the planner always carries the orchestrator-onlyAgenttool; subagents never do — and routes only the workers to a cheaper model. Verified 100% on 672 real calls; the planner is never touched. - Security detectors. A pipeline runs over every decoded packet: secret-leak and dangerous-shell detection today. (The tool-result indirect-prompt-injection detector is kept but gated.)
- Agent-aware config handling.
afwunderstands Hermes, OpenClaw, and Codex config formats and edits them format-preservingly (YAML / JSONC / TOML AST, comments intact) with per-edit backups — the foundation for spotting and repairing a setup a bad upgrade left unstartable.
On the roadmap
One-command repair of a broken agent setup; blocking (not just flagging) high-severity hits inline on the wire; detection of relay command/download tampering and typosquatted supply-chain packages; malicious-skill scanning; richer indirect-prompt-injection classification; data-exfiltration and tool-allowlist policies.
Quick start
npm install -g @openafw/openafw
# CLI agents — launch them through afw (this instance only, no global change):
afw claude # or: afw codex
afw claude --model claude-sonnet-4-6 -- -p "…" # route this dir to a model
# App / daemon agents — print setup steps, afw edits nothing:
afw claude-desktop # or: afw openclaw / afw hermes
afw model add # register the upstreams afw can route to
afw status # daemon + tap healthafw never rewrites an agent's shared config. CLI agents are launched with a
per-process override; app/daemon agents you point at the wire yourself. No
accounts, no telemetry, no cloud — your traffic and traces stay on your machine.
See PRIVACY.md and docs/cli.md.
Keep your agents — afw wraps the wire, not the agent
You do not rewrite anything or adopt a framework. afw never edits an agent's shared config; how you connect depends on the agent's runtime form:
| Agent | Form | How to connect |
|---|---|---|
| Claude Code | CLI | afw claude — per-instance launch; subagent model routing (Dynamic Workflows) + per-route routing + detectors |
| Codex | CLI | afw codex — per-instance launch + per-route routing + detectors |
| Claude Desktop | App | afw claude-desktop — printed GUI setup steps |
| OpenClaw | Daemon | afw openclaw — point its model base URL at the wire |
| Hermes | Daemon | afw hermes — point its model base URL at the wire |
| Cursor / Gemini CLI | Manual | afw cursor / afw gemini — point the base URL at the wire |
Privacy
afw runs as a single local daemon. It never phones home, sends no
telemetry, and forwards your agent's traffic only to the provider your agent
already calls — and nowhere else. The one sanctioned outbound call is a daily
version check against the public npm registry, which carries no data and is
disableable (updateCheck: false). The full contract is in
PRIVACY.md.
Status
Free and open source (MIT), entirely. Built on a capture → decode → route → detect pipeline with per-upstream credential masking on top, tested against real Claude Code, Claude Desktop, OpenClaw, Codex, and Hermes traffic. Bug reports and PRs welcome.
