BeforeWire 中文 Run local gate

Local execution control plane

Stop poisoned AI output before it becomes a real action.

BeforeWire runs locally between your AI client, relay, and MCP tools. It catches poisoned model responses, blocks unsafe actions before execution, and proves every decision with hash-bound audit receipts.

Install local gate Review control path
local proxy deny before execution MCP hash approvals
relay output screened policy: deny-overrides
relay response tool intent
control decision DENY 
{
  "source": "relay",
  "action": "pip_install",
  "effect": "deny",
  "reason": "slopsquat package",
  "snapshot": "sha256:7d4..."
}
execution blocked no wire
hash-chain receipt MCP snapshot bound
relay input Screen poisoned output corr_id
action proposal Map output to action action_digest
kernel decision Deny before execution effect: deny
audit evidence Bind proof to hash snapshot_hash

Put BeforeWire in front of your relay.

Start with the local proxy, then scan the MCP tools your agent can reach. Keys, tool schemas, approval hashes, and audit logs stay on your machine.

pip install beforewire
beforewire init
beforewire scan-tools --auto
beforewire proxy
export OPENAI_BASE_URL=http://127.0.0.1:8788/v1
expected result Poisoned output is stopped before it can install, call, fetch, or leak.

Denied actions and tool-surface drift land in the audit log and can be verified with beforewire verify audit.jsonl.

From AI output to real-world execution.

BeforeWire controls the last path before an agent reaches files, packages, networks, tools, or customer data.

Relay Gate

Catch poisoned relay output

The local proxy sits between AI clients and upstream relays. It screens response-side tool intent for slopsquat installs, canary replay, secret leakage, malicious URLs, dangerous commands, and suspicious egress before the agent acts.

  • beforewire proxy --warn
  • beforewire canary demo
  • blocked: pip_install("reqursts")
Action Kernel

Deny unsafe actions before execution

Every proposed tool call, command, package install, outbound request, message, or delegation becomes an allow, warn, or deny decision before execution. Blocked behavior is prevented at the action boundary, not described after the fact.

policy decision deny before execution matched_rule: deny_overrides
  • Governor.check()
  • @govern(tool="pip_install")
  • beforewire verify audit.jsonl
MCP Scan

Recheck tools when they drift

BeforeWire snapshots local MCP configs, tool descriptions, schemas, origins, auth hints, and capability labels. Drift or capability expansion requires review before reuse.

  • scan-tools --auto
  • approve-tool filesystem.read_file
  • diff-tools --baseline old --current new

Proof for security review, not screenshots for a demo.

Each risk case produces the same evidence trail: what triggered the action, which policy decided it, whether execution was blocked, and which audit receipt proves the result.

That gives security, risk, and internal audit teams a concrete path to review instead of a model promise.

relay poisoned response swaps requests to reqursts slopsquat_block
kernel curl pipe shell is denied before execution dangerous_code
mcp approved schema starts asking for tokens requires_reapproval
audit relay, action, policy, and snapshot hash are bound verifiable_receipt
What exists now

Python package, local relay proxy, action governor, hash-chain audit, canary demo, tool scan and diff, hash-bound approval store, and 10 enterprise risk cases.

What stays local by design

Tool schemas, relay traces, approval records, and audit logs remain under the user's control. Deeper MCP introspection waits for explicit consent, timeout, isolation, redaction, and fail-closed behavior.

Turn the control path into enterprise proof.

The open slice already demonstrates the control path. The next release should make the three stories copy-pasteable, reviewable, and usable in enterprise POCs.

  1. P0

    Ship the relay poisoning first-block demo

    Show a poisoned relay response turning requests into reqursts, then prove BeforeWire denied the action before execution.

  2. P0

    Connect policy decisions to real adapters

    Proxy tool-call path, Claude Code PreToolUse hook, MCP proxy, and optional @govern extension should pass action identity, approval context, and snapshot hash.

  3. P1

    Make MCP scan reviewable for enterprise POCs

    Produce field-level diff, risk family, decision, recommended action, and audit receipt for every tool-surface change.