Launching today

CtrlAI

Launching today

Transparent proxy that secures AI agents with guardrails

39 followers

Transparent proxy that secures AI agents with guardrails

39 followers

Visit website

AI Infrastructure Tools

•

Security software

CTRL-AI v1 is a transparent HTTP proxy that sits between your AI agent and LLM provider, enforcing guardrails, auditing behavior, and blocking unsafe tool calls — with zero SDK modification required.

Free

Launch tags:Developer Tools•Artificial Intelligence•GitHub

Launch Team

Framer — Launch websites with enterprise needs at startup speeds.

Launch websites with enterprise needs at startup speeds.

Promoted

CirtusAI

Maker

📌

Your AI agent just Slacked your CEO "you're a terrible leader" at 3am.

That's the thing about autonomous agents. They don't just write code. They send messages, execute shell commands, read your SSH keys, snap photos from paired devices, and make API calls. One hallucinated tool call is all it takes.

CTRL-AI sits between your agent SDK and the LLM provider as a transparent HTTP proxy. Every tool call the model attempts passes through your rules before anything executes.

What it does:

Intercepts every LLM response, both streaming and non-streaming, across Anthropic, OpenAI, Moonshot, Qwen, MiniMax, and Zhipu (support for other providers will follow soon).
Evaluates tool calls against configurable guardrail rules. Block SSH key access, credential exfiltration, destructive commands, camera or location access, unsolicited messaging, and more.
Blocks dangerous tool calls and rewrites the response so your SDK thinks the model simply chose not to call the tool. Your agent does not crash. It just moves on.
Logs everything to a tamper-proof, SHA-256 hash-chained audit trail with daily rotation and SQLite indexing.
Provides an emergency kill switch that instantly terminates any agent mid-session. It takes effect within seconds and requires no restart.
Ships with 23 built-in security rules enabled out of the box.

Multi-agent, multi-provider:

Run multiple agents through a single proxy, each with its own identity, rules, and audit trail. Route agent "main" through Anthropic and agent "work" through OpenAI using the same proxy with separate policies. Kill one agent without touching the others.

/provider/anthropic/agent/main/v1/messages
/provider/openai/agent/work/v1/chat/completions

Per-agent identity means your audit log tells you exactly which agent did what, when, and whether it was allowed. No more guessing which agent read that .env file.

Zero code changes. Just point your agent's baseUrl to CTRL-AI. Your SDK does not know it is there. Works with any framework that supports custom base URLs. Built for OpenClaw and compatible with everything else.

What you get in 60 seconds:

ctrlai start

Proxy on :3100. Dashboard at /dashboard. Live WebSocket feed. CLI for rules, audit, and kill switch. Hot-reloadable config. Edit rules while the proxy is running.

Built for developers shipping autonomous agents to production.
Open-source under MIT. Self-host it, extend it, own it.

Enterprise with centralized policies, SSO, and managed deployment: enterprise@cirtusai.com

Report

22h ago

The ‘rewrites the response so the SDK thinks the model chose not to call the tool’ line is the most interesting design choice here — it’s not just blocking, it’s state preservation.

A blocked tool call that returns an error triggers the agent’s error-handling logic (which may cascade badly). A clean no-op keeps the agent on the happy path. The agent doesn’t know it was constrained — it just didn’t act.

The open question: what happens when the blocked action was load-bearing? An agent that keeps ‘not calling’ a tool it expects to work may develop a subtly distorted world model over time. Curious how the audit trail helps correlate these silent interventions with downstream behavior.

Report

4h ago

CtrlAI

Maker

@giammbo Hey Gianmarco. You nailed the key insight here, the stop_reason modification is absolutely the critical design choice. First, a quick clarification: we're actually not doing silent blocks. When CtrlAI blocks something, the agent sees a clear message like [CtrlAI] Blocked: Cannot access SSH private keys (rule: block-ssh-keys). So the agent knows it hit a boundary. The "state preservation" magic you spotted is really about the stop_reason field. Here's why it matters: Bad approach: Strip the dangerous tool call but leave stop_reason: "tool_use" → SDK freaks out because it expects tool calls that aren't there → hangs or crashes Also bad: Return an error → triggers agent error handling → retry loops, user spam, task failures Our approach: Strip tool, inject explanation, change to stop_reason: "end_turn" → SDK sees a normal turn, agent understands the constraint, conversation continues gracefully The load-bearing action problem You're absolutely right that this is the tension. When an agent tries to read .env and gets blocked, three things can happen: ✅ Agent adapts: "I can't access .env due to security policies. Could you check it manually?" ✅ Agent escalates: "Access restricted—you'll need to verify this yourself" ❌ Agent loops: Keeps trying different ways to read the same file, burning tokens and patience The third scenario is the nightmare you're describing an agent with a distorted world model. How we handle this This is where the audit chain becomes crucial. Every block is logged with full context: seq: 42 tool: "read" arguments: { "path": ".env" } decision: "block" rule: "block-env-files" The dashboard can detect patterns like: Agent hit the same rule 15 times in 2 minutes? 🚨 Show blocked calls next to user messages—did the task actually fail? Did the user have to intervene? The insight: If your agent is thrashing against the same block repeatedly, that's a signal: Maybe the rule is too broad Maybe you need a safer alternative tool (read_config that sanitizes output) Maybe the agent needs guidance in its system prompt We debated silent blocks vs explicit messages. Explicit won because: Silent: Agent has no idea why things don't work → actually distorted model Error responses: Agent learns "this fails" not "this is forbidden" → wastes effort on workarounds Explicit (our choice): Agent learns "this is off-limits" → can reason about it Think of it like filesystem permissions. When you get "Permission denied," that's better than the file silently disappearing or returning garbage data. Same principle. The goal isn't to make agents that work around security, it's to make agents that understand security constraints. Like how a good engineer doesn't try to bypass rate limits, they design for them. The hash-chained audit trail means you can always ask "why did this task fail?" and trace every blocked action to see if the agent adapted well or got stuck in a loop. We're betting that "transparent constraints + good observability" beats "silent blocks + hope for the best." The audit trail is specifically designed to catch the distorted-world-model problem you identified. Really appreciate this question, it's exactly the right thing to be skeptical about. 🙏

Report

2h ago

CtrlAI

Maker

Hey guys, no more mac minis to operate open claw. Ctrl-AI will allow you to confidentally use your own device and run as many agents as you want. Multi-Agentic architecture is supported. Do follow on https://x.com/MaazInSoftware for updates. Cheers!

Report

3h ago