Documentation

AgentX is a runtime firewall for AI agents. It blocks catastrophic tool calls (DROP TABLE, secret exfiltration, SSRF) before they execute, then coaches the agent to a safe path so the run finishes. Pick your stack and start keyless in 30 seconds.

Choose your stack

01 Install

The package is public on PyPI. No account, no key, nothing leaves your machine. It ships both the Python SDK and the agentx-mcp proxy.

pip install agentx-security-sdk

Then see it work in ten seconds, offline, with no key and no gateway:

agentx demo   # watch a prompt-injected DROP TABLE get blocked

02 Protect a Python tool

Wrap any tool function with @agentx_protect. The reflection engine inspects the function signature automatically, serializes the risky plain-data inputs (strings, numbers, lists, dicts), and skips connection objects such as a SQLAlchemy session. No boilerplate, no payload schemas. The keyless Shield blocks the blatant catastrophic calls in-process, before the tool body runs, in under a millisecond.

from agentx_sdk import agentx_protect, is_block

# This is your existing tool. Any function your agent can call.
# Wrapping it is one line: the @agentx_protect decorator on top.
@agentx_protect(agent_id="crm_worker")
def dispatch_update(client_id: str, notes: str, db=None):
    """Save the agent's notes to a customer record."""
    # String-built SQL is shown only to make the injection visible;
    # a real tool should bind parameters as well as sit behind the shield.
    query = f"UPDATE clients SET notes = '{notes}' WHERE id = '{client_id}'"
    return db.execute(query)        # never reached if the call is unsafe

# session is your existing SQLAlchemy session; the shield ignores it.
# Your agent calls the tool exactly as before, nothing else changes:
out = dispatch_update(
    client_id="c-99401",
    notes="Follow up next week; DROP TABLE users;",   # prompt-injected
    db=session,
)

is_block(out)   # -> True. Blocked in-process before db.execute ran. No key.

03 Handle a block

A blocked call returns an AgentXBlock (strictly-typed tools raise AgentXSecurityBlock instead). Check it with is_block(), feed its .challenge back to your LLM to revise the action, then retry, threading receipt_id so the recovery is tied to the original incident.

from agentx_sdk import agentx_protect, is_block

@agentx_protect(agent_id="crm_worker")
def dispatch_update(client_id: str, notes: str, db=None):
    query = f"UPDATE clients SET notes = '{notes}' WHERE id = '{client_id}'"
    return db.execute(query)

# agent_notes: the text your agent produced; session: your SQLAlchemy session.
# Call the tool, then check the result before you trust it:
out = dispatch_update(client_id="c-99401", notes=agent_notes, db=session)

if is_block(out):
    # out.challenge says what was unsafe and how to fix it. Hand it to your
    # LLM (your_llm is whatever revision call you already have), then call
    # the SAME tool again, passing receipt_id so the retry is tied to the
    # original block. The decorator consumes receipt_id; your tool body
    # never sees it.
    revised_notes = your_llm(out.challenge)
    out = dispatch_update(
        client_id="c-99401",
        notes=revised_notes,
        db=session,
        receipt_id=out.receipt_id,
    )

# out is now the real return value of your tool, safely.
# If the retry is blocked again, out is a block once more, so loop or
# escalate rather than assuming one revision is enough.

out.policy names the policy that fired; out.safe_path is the preferred alternative when a policy names one (else None). Doing this with your own LLM is the manual version of Recover; the gateway automates it.
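The mechanism sections 02 and 03 describe, modeled as an added illustration that is not AgentX's own code: a decorator that reads the wrapped function's signature, serializes only plain-data arguments, skips connection objects such as a DB session or HTTP client, blocks a blatant catastrophic input before the tool body runs, and returns a block object carrying .policy, .challenge and .receipt_id that the retry threads back. The `shield`/`Block` names, the two-entry pattern catalog, `FakeSession`, `FakeHTTP` and the fixed "revised notes" standing in for your LLM are all assumptions made for the demo, not the SDK's API or its failure catalog.

```python
import inspect
import re
import uuid
from dataclasses import dataclass
from functools import wraps
from typing import Any, Optional

# Demo-only catalog (an assumption, not the SDK's): regex, policy name, hint.
CATASTROPHIC = [
    (re.compile(r"\bDROP\s+TABLE\b", re.I), "sql.drop_table",
     "Remove the DROP TABLE statement; the notes field must be plain text."),
    (re.compile(r"https?://(169\.254\.169\.254|127\.0\.0\.1|localhost)\b", re.I),
     "ssrf.internal", "Do not fetch link-local or loopback addresses."),
]


@dataclass
class Block:
    """Stand-in for the SDK's block object: only the fields the docs use."""
    policy: str
    challenge: str
    receipt_id: str
    safe_path: Optional[str] = None
    prior_receipt: Optional[str] = None   # receipt_id of the block being retried


def is_block(obj: Any) -> bool:
    return isinstance(obj, Block)


def _serialize(value: Any) -> Optional[str]:
    """Text for plain data; None for sessions/clients, which are skipped."""
    if value is None or isinstance(value, (str, int, float, bool)):
        return str(value)
    if isinstance(value, (list, tuple, dict)):
        return repr(value)
    return None


def shield(agent_id: str):
    """Decorator: scan the bound arguments before the tool body runs."""
    def decorate(fn):
        sig = inspect.signature(fn)

        @wraps(fn)
        def wrapper(*args, receipt_id: Optional[str] = None, **kwargs):
            # receipt_id is consumed here so a retry is tied to the prior block.
            bound = sig.bind_partial(*args, **kwargs)
            for name, value in bound.arguments.items():
                text = _serialize(value)
                if text is None:
                    continue          # connection object: not inspected
                for pattern, policy, hint in CATASTROPHIC:
                    if pattern.search(text):
                        return Block(
                            policy=policy,
                            challenge=f"[{agent_id}] '{name}' violates {policy}: {hint}",
                            receipt_id=uuid.uuid4().hex,
                            prior_receipt=receipt_id,
                        )
            return fn(*args, **kwargs)   # reached only when nothing matched
        return wrapper
    return decorate


class FakeSession:
    """Constructed stand-in for a SQLAlchemy session; records what ran."""
    def __init__(self):
        self.executed = []

    def execute(self, query):
        self.executed.append(query)
        return "ok"


class FakeHTTP:
    """Constructed stand-in for an HTTP client."""
    def get(self, url):
        return f"200 {url}"


@shield(agent_id="crm_worker")
def dispatch_update(client_id: str, notes: str, db=None):
    # String-built SQL kept to mirror the docs; parameterize in real tools.
    query = f"UPDATE clients SET notes = '{notes}' WHERE id = '{client_id}'"
    return db.execute(query)


@shield(agent_id="research_worker")
def fetch(url: str, http=None):
    return http.get(url)


def run_demo():
    """Block the injected call, 'revise' it, retry with receipt_id threaded."""
    db = FakeSession()
    first = dispatch_update(client_id="c-99401",
                            notes="Follow up next week; DROP TABLE users;", db=db)
    revised = "Follow up next week"   # stand-in for your_llm(first.challenge)
    second = dispatch_update(client_id="c-99401", notes=revised, db=db,
                             receipt_id=first.receipt_id)
    return first, second, db


if __name__ == "__main__":
    blocked, ok, db = run_demo()
    print(is_block(blocked), blocked.policy, ok, db.executed)
```

The point the page makes about connection objects is visible here: `FakeSession` and `FakeHTTP` are never serialized, so nothing inside them can trigger a policy, while the string arguments are scanned on every call, including the retry.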

04 Shield → Recover → Control

Shield (Free · Local)

pip install, then one decorator on a Python tool or one line in your mcp.json to wrap any MCP server. The keyless Shield blocks the blatant catastrophic calls (DROP TABLE, secret exfiltration, SSRF) before they run. No LLM key, no signup, runs on your machine.

block + nudge

Recover (Gateway + Gemini key)

The block becomes a coached, recoverable challenge: your agent revises and finishes the task instead of dying on a 403. Runs the full deterministic floor through the gateway with your own Gemini key.

guide + continue

Control (+ Team)

Connect the cloud control plane for team human-in-the-loop and SOC approvals, shared dashboards, and a fleet-wide audit trail. Central oversight for when one machine isn't the whole story.

review + govern

Recover and Control run through the gateway. The keyless SDK shield blocks; coached self-heal is gateway-side, so Recover needs both the gateway and a Gemini key.

05 CLI reference

Every command runs from your machine; pull, push and sync are the ones that talk to the control plane. agentx help prints this list.

agentx demo      Ten-second offline 'aha': watch a DROP TABLE get blocked (no key, no gateway)
agentx share     Turn your most recent block into a postable card + share draft
agentx status    Local protection stats + armed policies (live view needs the gateway)
agentx insights  Review your agents' learned safe-paths (numbered) for adoption
agentx adopt     Adopt a learned safe-path so AgentX coaches your agents to it
agentx pull      Pull your org's policy config from the control plane
agentx push      Contribute abstract threat signals to shared immunity (opt-in)
agentx sync      pull + push

06 Run the gateway

The gateway adds the full deterministic floor (AST parsing, the SSRF normalizer, the whole failure catalog), coached recovery, and team HITL/SOC. The image ships with design-partner access.

docker compose up -d   # the full floor + Recover run here

Today the gateway backs the SDK (decorator) integration only; gateway protection over MCP is on the roadmap, so for MCP servers the keyless agentx-mcp proxy is your protection for now. Gateway access is free and the gateway runs locally; request access to get the image. Questions or something broke? Join the Discord.