GitHub Repository

🛡️ Open-source safety guardrail for AI agent tool calls. <2ms, zero dependencies.

6 stars · TypeScript

Vigil – Zero-dependency safety guardrails for AI agent tool calls

by HexitLabs · Feb 28, 2026 · 2 points · 2 comments

AI Analysis

Banger · Solve My Problem · Big Brain · Wizardry

Action-validation guardrail for AI agents: 22 rules, <2ms, zero dependencies, truly offline.

Strengths
  • Addresses a gap that content-focused LLM guards leave open: it validates the *actions* an agent is about to take, not just the text it produces
  • Zero dependencies and <2ms per check mean it can sit in the tool-call hot path without adding supply-chain attack surface or noticeable latency
  • Real-world origin: extracted from a working production system running 15 agents with shell access
Weaknesses
  • Pattern matching will miss novel and obfuscated attack vectors; the rule set needs manual maintenance as threats evolve
  • No allowlist/denylist customization is visible yet, so 'pure pattern matching' may be too rigid for edge cases (the author already flags v0.1 as probably too aggressive)
Target Audience

DevOps engineers, AI platform builders, teams running autonomous agents with system access

Similar To

Llama Guard · ShieldGemma

Post Description

We run 15 AI agents on a production server with full shell access. One of them tried to rm -rf a directory it shouldn't have touched. Another started curling cloud metadata endpoints. We wrote some hardcoded rules to catch the obvious stuff, then realized we were building the same safety layer everyone else will need too. So we extracted it into a library.

Vigil is a deterministic rule engine that inspects AI agent tool calls before they execute. 22 rules across 8 threat categories: destructive shell commands, SSRF, path traversal, SQL injection, data exfiltration, prompt injection, encoded payloads, and credential exposure. It's not an LLM wrapper — we don't trust an LLM to guard another LLM. Pure pattern matching, zero dependencies, <2ms per check, works completely offline.

npm install vigil-agent-safety

import { checkAction } from 'vigil-agent-safety';

const result = checkAction({
  agent: 'my-agent',
  tool: 'exec',
  params: { command: 'rm -rf /' },
});

// result.decision → "BLOCK"
// result.reason → "Destructive command pattern"
// result.latencyMs → 0.3

It plugs into MCP servers, LangChain tool chains, Express middleware, or anything else. MIT licensed, no API keys, no network calls, no telemetry.

This is v0.1 — probably too aggressive for some use cases. Next up is a YAML policy engine (v0.2) and an MCP proxy. We'd love feedback on the rule set, false positive experiences, and threat categories we're missing.

GitHub: https://github.com/hexitlabs/vigil
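As an added example that is not part of the post above or of the Vigil project: a minimal deterministic tool-call guard in TypeScript, in the spirit the author describes (regex rules, no LLM, no network), covering a few of the threat categories listed (destructive shell commands, cloud-metadata SSRF, path traversal, credential exposure) plus a base64-decoding pass for the encoded-payload category. The rule set, the `ToolCall`/`CheckResult` shapes and the `guarded` wrapper are this example's own assumptions; they mirror the shape of Vigil's `checkAction` call shown in the post but are not its code or its rules.

```typescript
// Added example, not Vigil's code: a minimal deterministic tool-call guard
// (regex rules, no LLM, no network). The rule set, the ToolCall/CheckResult
// shapes and the base64 handling are this example's own assumptions.

type Decision = "ALLOW" | "BLOCK";

interface ToolCall {
  agent: string;
  tool: string;
  params: Record<string, unknown>;
}

interface CheckResult {
  decision: Decision;
  rule?: string;     // id of the rule that fired
  reason?: string;
  latencyMs: number;
}

interface Rule {
  id: string;
  category: string;
  tools?: string[];  // restrict the rule to these tools; undefined = any tool
  pattern: RegExp;   // no 'g' flag: RegExp.test with 'g' is stateful
  reason: string;
}

// Illustrative rules (constructed for this example, not Vigil's 22).
const RULES: Rule[] = [
  { id: "shell.rm_rf", category: "destructive-shell", tools: ["exec"],
    // rm with recursive/force flags aimed at /, /*, ~ or $HOME
    pattern: /\brm\s+-[a-z]*[rf][a-z]*\s+(?:\/\*?|~\/?|\$HOME\/?)(?:\s|$)/i,
    reason: "Destructive command pattern" },
  { id: "shell.dd_device", category: "destructive-shell", tools: ["exec"],
    pattern: /\bdd\b.*\bof=\/dev\/(?:sd|nvme|disk)/i,
    reason: "Raw write to a block device" },
  { id: "net.cloud_metadata", category: "ssrf",
    pattern: /169\.254\.169\.254|metadata\.google\.internal|fd00:ec2::254/i,
    reason: "Cloud metadata endpoint" },
  { id: "fs.traversal", category: "path-traversal",
    pattern: /(?:^|[\/\\])\.\.(?:[\/\\]|$)/,
    reason: "Parent-directory traversal" },
  { id: "secrets.private_key", category: "credential-exposure",
    pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
    reason: "Private key material in tool parameters" },
];

// Collect every string inside the params object, however deeply nested.
function flatten(v: unknown): string[] {
  if (typeof v === "string") return [v];
  if (Array.isArray(v)) return v.flatMap(flatten);
  if (v !== null && typeof v === "object") {
    return Object.values(v as Record<string, unknown>).flatMap(flatten);
  }
  return [];
}

// Decode whitespace-separated tokens that look like base64 so the rules also
// see `echo <b64> | base64 -d | sh` style payloads. Only printable decodings
// are kept; anything else is binary noise no rule here would match anyway.
function decodeBase64Tokens(s: string): string[] {
  const out: string[] = [];
  for (const tok of s.split(/\s+/)) {
    if (tok.length < 8 || tok.length % 4 !== 0) continue;
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(tok)) continue;
    const text = Buffer.from(tok, "base64").toString("utf8");
    if (/^[\x20-\x7e\s]+$/.test(text)) out.push(text);
  }
  return out;
}

function checkAction(call: ToolCall): CheckResult {
  const t0 = performance.now();
  const raw = flatten(call.params);
  const decoded = raw.flatMap(decodeBase64Tokens);
  for (const rule of RULES) {
    if (rule.tools && !rule.tools.includes(call.tool)) continue;
    if (raw.some((s) => rule.pattern.test(s))) {
      return { decision: "BLOCK", rule: rule.id, reason: rule.reason, latencyMs: performance.now() - t0 };
    }
    if (decoded.some((s) => rule.pattern.test(s))) {
      return { decision: "BLOCK", rule: rule.id, reason: `${rule.reason} (base64-decoded)`, latencyMs: performance.now() - t0 };
    }
  }
  return { decision: "ALLOW", latencyMs: performance.now() - t0 };
}

// Wrap a tool implementation so the check runs before, never after, execution.
function guarded<T>(impl: (params: Record<string, unknown>) => T): (call: ToolCall) => T {
  return (call) => {
    const verdict = checkAction(call);
    if (verdict.decision === "BLOCK") {
      throw new Error(`blocked ${call.tool} for ${call.agent}: ${verdict.reason}`);
    }
    return impl(call.params);
  };
}
```

Two design points worth noting. Rules are scoped to the tools they apply to, so the `rm` rule fires on `exec` but not on a `write_file` whose content happens to contain `rm -rf /`; that keeps false positives down on content tools, but it means a write-a-script-then-run-it sequence is only caught at the `exec` step. The base64 pass peels one layer of encoding and nothing more: `$IFS` tricks, variable expansion or double encoding walk past these patterns, which is exactly the "novel attack vectors" weakness flagged in the analysis above and why a rule engine like this should sit next to, not instead of, least-privilege sandboxing of the agent itself.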

Similar Projects

Security · Banger

AvaKill – Deterministic safety firewall for AI agents (<1ms, no ML)

Deterministic <1ms policy kill switch for AI agent tool calls, zero ML.

Solve My Problem · Big Brain · Ship It
duroapp
333mo ago