Kvlar

Bulletproof security for AI agents.

Kvlar is an open-source policy engine and runtime security layer for AI agents. It evaluates every tool call, data access, and operation against YAML-based security policies before execution — ensuring agents only do what they're allowed to do.

Why Kvlar?

AI agents are gaining the ability to execute code, send emails, access databases, and interact with production systems. But there's no standardized security layer between the agent and its tools. Kvlar fills that gap.

• Fail-closed by default — if no policy rule matches, the action is denied
• Policy-as-code — define security rules in human-readable YAML
• Protocol-native — built for the Model Context Protocol (MCP, spec 2024-11-05)
• Deterministic — same action + same policy = same decision, every time
• Auditable — every decision is logged with full context

Quick Start

1. Build & Install

git clone https://github.com/kvlar-io/kvlar && cd kvlar
cargo build --release
# Binary at: target/release/kvlar-cli

2. Initialize a Policy

# Create ~/.kvlar/policy.yaml from a starter template
kvlar init                      # default template
kvlar init --template strict    # strict (deny-heavy)
kvlar init --template filesystem  # filesystem MCP server demo

3. Wrap Your MCP Servers

# Automatically inject Kvlar into Claude Desktop's MCP config
kvlar wrap                    # auto-detect client
kvlar wrap --dry-run          # preview changes first
kvlar wrap --client cursor    # target Cursor instead

Restart your MCP client after wrapping. Every tool call now flows through Kvlar's policy engine.

4. Test Your Policy

Write a test file to verify your policy behaves as expected:

# my-policy.test.yaml
policy: "../policy.yaml"
tests:
  - id: deny-bash
    action:
      resource: bash
    expect: deny
    rule: deny-shell

  - id: allow-read
    action:
      resource: read_file
    expect: allow

Run it:

kvlar test -f my-policy.test.yaml           # human output
kvlar test -f my-policy.test.yaml --verbose  # show passing tests too
kvlar test -f my-policy.test.yaml --json     # JSON output for CI

5. Unwrap (Remove Kvlar)

kvlar unwrap           # restore original MCP server commands

CLI Commands

Architecture

Agent ──stdio/TCP──► kvlar-proxy ──stdio/TCP──► MCP Tool Server
                         │
                    kvlar-core (policy evaluation)
                         │
                    kvlar-audit (structured logging)

MCP Compatibility

• Spec version: 2024-11-05
• Transport: stdio (primary), TCP
• Tested with: Claude Desktop, @modelcontextprotocol/server-filesystem
• Protocol: JSON-RPC 2.0 over newline-delimited JSON

Development

# Build
cargo build --workspace

# Test (80 tests)
cargo test --workspace

# Lint
cargo clippy --workspace -- -D warnings

# Format
cargo fmt --all

License

Apache 2.0 — see LICENSE for details.

Links

• Website: kvlar.io
• GitHub: github.com/kvlar-io/kvlar
• X: @kvlar_io

lib.rs:

kvlar-core

Core policy engine for Kvlar. Evaluates agent actions against YAML-based security policies. Pure logic — no I/O, no async, fully deterministic.

Architecture

• Policy: A set of rules defining what agents can and cannot do
• Action: A description of something an agent wants to do (tool call, data access, etc.)
• Decision: The engine's verdict — Allow, Deny, or RequireApproval
• Engine: Evaluates actions against loaded policies