[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78049":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":27,"readmeContent":28,"aiSummary":29,"trendingCount":16,"starSnapshotCount":16,"syncStatus":14,"lastSyncTime":30,"discoverSource":31},78049,"clawpatrol","denoland\u002Fclawpatrol","denoland","Security firewall for agents","https:\u002F\u002Fclawpatrol.dev",null,"Go",679,29,2,40,0,87,148,587,261,98.43,"MIT License",false,"main",true,[],"2026-06-12 04:01:23","# clawpatrol\n\nThe security firewall for agents.\n\nClaw Patrol sits between your agents and prod, parses their traffic\nat the wire, and gates each action against rules you write in HCL.\nFor example, you can block destructive SQL, or pause `kubectl delete pod`\nuntil a human approves it before the request reaches Kubernetes.\n\nFor the full overview see [clawpatrol.dev](https:\u002F\u002Fclawpatrol.dev).\n\n## Install\n\n```\ncurl -fsSL https:\u002F\u002Fclawpatrol.dev\u002Finstall.sh | sh\n```\n\nFrom source: `make` (requires Go and Node.js).\n\n## A rule\n\nA real rule from our own production config:\n\n```hcl\nrule \"k8s-no-secrets\" {\n  endpoint  = k8s-prod\n  condition = \"k8s.resource == 'secrets'\"\n  verdict   = \"deny\"\n  reason    = \"Secret values must not leave the cluster via the agent\"\n}\n```\n\nConditions are CEL expressions over wire-level facts the gateway\nextracts per protocol: SQL verbs and table names for Postgres \u002F\nClickHouse, resource \u002F verb \u002F namespace for Kubernetes, method 
\u002F\npath \u002F headers \u002F body for HTTP. The full set of facts lives in the\n[config reference](https:\u002F\u002Fclawpatrol.dev\u002Fdocs\u002Fconfig-reference).\n\n## Run\n\nThree deployment shapes; pick whichever fits.\n\n```\nclawpatrol gateway config.hcl   # run the proxy itself\nclawpatrol join \u003Cgateway-url>   # join a gateway\nclawpatrol run claude           # wrap one agent's process tree\n```\n\n`clawpatrol run` opens a per-process tunnel on Linux (via netns) or\nmacOS (via NetworkExtension); only the wrapped command's traffic\ngoes through the gateway. `clawpatrol join` brings up a WireGuard\ntunnel that routes the whole host. `clawpatrol gateway` is the\nproxy: a single binary that loads your HCL config and accepts\nclients tunneling in via WireGuard or Tailscale.\n\n## Configure\n\n[clawpatrol.dev\u002Fdocs\u002Fgetting-started](https:\u002F\u002Fclawpatrol.dev\u002Fdocs\u002Fgetting-started)\nwalks through a first config end-to-end.\n[clawpatrol.dev\u002Fdocs\u002Fconfig-reference](https:\u002F\u002Fclawpatrol.dev\u002Fdocs\u002Fconfig-reference)\nis the auto-generated field reference. See\n[`gateway.example.hcl`](examples\u002Fgateway.example.hcl) for an\nannotated starting template.\n\n## License\n\nMIT. See [LICENSE.md](LICENSE.md).\n","Clawpatrol is a security firewall for agents. It sits between agents and the production environment, parses traffic in transit, and gates each action against rules the user writes in HCL. For example, it can block destructive SQL statements, or pause a `kubectl delete pod` command until a human approves it, before the request reaches Kubernetes. The project is written in Go, is highly configurable, and supports fine-grained control over multiple protocols (such as Postgres and the Kubernetes API). It suits enterprise scenarios that need security auditing and control over automation tools or CI\u002FCD pipelines.","2026-06-11 03:56:25","CREATED_QUERY"]