Security review packet for AI agents

Give agent launch review a concrete control point.

BeforeWire runs in your environment between agent intent and tool execution. It decides risky actions before they run, records why the policy matched, and leaves reviewers a local evidence packet.

Tags: control placement, policy decision, local evidence, tool drift review, hash-chain receipts

Evidence packet: action control before execution
  control: BW-EVIDENCE-001
  policy: relay-guard / sensitive-egress / capability-diff
  scope: agent action boundary

Flow: model response -> tool intent -> BeforeWire DENY -> tool execution stopped

Decision receipt (verified)
  action: pip_install("reqursts")
  policy: relay-guard
  effect: deny before execution
  hash_chain: sha256:7d4... -> 9ab...
  review surface: 4 findings
    • slopsquat package: blocked
    • capability snapshot: bound
    • canary attribution: session
    • audit record: written

Use case: relay poisoning

Relay returns. BeforeWire quarantines. The agent keeps working.

The homepage shows the short proof. A compatible API route returns a suspicious package install and a safe one; BeforeWire quarantines the suspicious action before execution, preserves the safe call, and writes a receipt reviewers can inspect.

  fake relay returns:      pip install reqursts   pip install requests
  BeforeWire quarantines:  DENY before execution  policy=relay-guard reason=slopsquat
  agent receives:          pip install requests   (safe tool call preserved)
  result:                  [DENY] reqursts  [ALLOW] requests  policy=relay-guard  hash-chain receipt

Execution evidence

Watch the control boundary run.

Three short casts show the action boundary directly on the homepage: response-path poisoning, sensitive egress, and MCP drift. Each one shows the proposed action, the BeforeWire decision, and the evidence a reviewer can inspect.

response-path gate

Relay poisoning blocked

A compatible relay returns reqursts and requests. BeforeWire denies the suspicious install before execution and preserves the safe call.

egress control

Sensitive egress blocked

An agent prepares to send a suspected secret and Chinese personal-data patterns to an unapproved webhook. BeforeWire denies the outbound action and keeps audit evidence redacted.

tool drift

MCP drift requires reapproval

A previously approved MCP tool changes its description or schema. BeforeWire detects snapshot drift and requires review before the changed tool is used.

reports and audit template

Open the reports reviewers ask for.

Keep the review materials close to the demos: a report sample, a generated sensitive-egress report, the audit intake template, and the recording guide.

  • capability surface: scan and pin (MCP / tools / skills)
  • response path: screen returned content (tamper / injection)
  • execution point: decide before run (allow / warn / deny)
  • audit record: prove the decision (hash-chain receipt)

The risky moment is after the answer, before the action.

AI agents read returned content, then convert it into shell commands, package installs, HTTP calls, MCP tool calls, file access, database writes, office webhooks, and delegated work.

return-path risk

If a model response is modified after passing through a third-party API router or gateway, the risk may not come from the model itself. It appears after the response returns and before the action is actually executed.

API route tampering (response path)

A safe model response is changed into a malicious tool call on the return path.

Tool-result injection (tool output)

A normal-looking tool result pushes new instructions back into the agent context.

Slopsquat install (package)

requests becomes reqursts, and the agent proceeds to install it.

Canary replay (attribution)

A fake key appears in a response or tool result and can be traced to a session.

Capability drift (surface)

An approved MCP tool, skill, or workflow changes its schema, script, description, or capability boundary.

Place the control at the last safe moment: before execution.

Security review starts with placement. BeforeWire keeps enforcement close to the agent and its tools, where a proposed action is still inspectable but has not yet touched shell, network, files, databases, or MCP servers.

  AI client / agent      proposes action intent             (tool_use)
  BeforeWire             screens response, gates action     (allow / warn / deny)
  API router / gateway   returns model response             (response path)
  tools / MCP / shell    real execution point               (execution)
  audit record           every decision is written into a hash-chain receipt

Three control surfaces, one reviewable evidence packet.

BeforeWire is not a generic AI safety scanner. It focuses on the path between what an agent is allowed to use, what a response tries to make it do, and what concrete action is about to execute.

Capability Surface Governance

Can this tool or MCP definition still be trusted?

BeforeWire governs surfaces that change agent behavior: MCP tools, local tools, skills, prompt packs, workflow instructions, and referenced scripts. Each surface can be scanned, snapshotted, approved, diffed, and sent back for review when it drifts.

Available now

MCP / tool scan, approval, diff, and snapshot hash enforcement.

Expanding through field trials

Skills, prompt packs, workflow instructions, and referenced scripts.

  • MCP / tool scan
  • skill review
  • snapshot hash
  • approve / diff
Action Execution Gate

Should this exact action run now?

Every proposed tool call, package install, shell command, file operation, outbound request, message, or delegated task is evaluated while it is still only an intent. A denied action never reaches the tool.

Example: policy decision, deny before execution (effect: deny)
  • allow / warn / deny
  • policy decision
  • pre-execution denial
  • audit record
Response-Path Guard

Is returned content trying to create a risky action?

BeforeWire screens model and tool responses before they become execution intent, catching API route tampering, AI MITM, malicious tool use, tool-result injection, slopsquat suggestions, risky commands, secret leakage, suspicious egress, and canary replay.

  • response tamper screening
  • streaming text passthrough
  • buffered tool-call review
  • canary attribution

Scan capability surfaces -> screen returned content -> decide the concrete action -> write a reviewable receipt.

BeforeWire gates agent actions, not packets. It makes decisions before actions happen and records verifiable evidence.

Run the local proof in 60 seconds.

Run BeforeWire in your environment, point an AI client or SDK at the local proxy, and watch a risky response get quarantined before execution.

Packet: BW-POC-001   mode: local proxy   evidence: hash receipt

    pip install beforewire
    beforewire init
    beforewire selftest
    beforewire proxy
    export OPENAI_BASE_URL=http://127.0.0.1:8788/v1

Expected result: risky actions are blocked before they reach pip, shell, HTTP, files, or MCP tools.

When returned content tries to install reqursts, run curl | sh, leak a secret, or replay a canary, BeforeWire denies the action and records the policy, reason, and hash-chain receipt.

  source: api_route_response
  blocked: pip_install("reqursts")
  receipt: hash verified

Show the report, receipt, and reason—not a screenshot.

Each allow, warn, or deny records the source, proposed action, destination, matched policy, effect, reason, capability-surface context, redacted evidence, and hash-chain receipt. Security, risk, and audit teams can review the control path without reading a full model trace.

If there is no control before execution, audit is only incident replay. With pre-execution decisions, security review has a boundary and a packet of evidence.
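The two evidence mechanisms this page relies on, capability snapshot drift (the MCP drift cast above) and hash-chain decision receipts (the receipt fields just listed), as an added illustration that is not BeforeWire's own code: a tool definition is pinned to a canonical digest at approval time and re-checked when served, and each allow/warn/deny receipt carries the previous receipt's hash so an edited, dropped, or reordered record fails verification. The tool definition, field names, and receipt layout are constructed for the example.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # link value for the first receipt in a fresh chain

def _digest(obj) -> str:
    """Canonical JSON (sorted keys, fixed separators) so only real content changes alter the hash."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(data).hexdigest()

def snapshot_hash(tool_def: dict) -> str:
    """Pin an MCP tool definition (name, description, input schema) at approval time."""
    return _digest(tool_def)

def check_drift(approved: dict, current: dict) -> dict:
    """Compare the approved snapshot with the tool as served now; any change needs reapproval."""
    drifted = snapshot_hash(approved) != snapshot_hash(current)
    changed = sorted(k for k in set(approved) | set(current) if approved.get(k) != current.get(k))
    return {"drifted": drifted, "changed_fields": changed,
            "effect": "require_reapproval" if drifted else "allow"}

def append_receipt(chain: list, decision: dict) -> dict:
    """Append a decision receipt whose hash covers its fields and the previous receipt's hash."""
    body = {"prev": chain[-1]["hash"] if chain else GENESIS, **decision}
    receipt = {**body, "hash": _digest(body)}
    chain.append(receipt)
    return receipt

def verify_chain(chain: list) -> bool:
    """Recompute every hash and link; False if a receipt was edited, dropped, or reordered."""
    prev = GENESIS
    for r in chain:
        body = {k: v for k, v in r.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != r["hash"]:
            return False
        prev = r["hash"]
    return True

# Constructed sample: an approved tool definition and a later-served copy whose description changed.
APPROVED_TOOL = {"name": "pip_install", "description": "Install a Python package",
                 "input_schema": {"type": "object", "properties": {"package": {"type": "string"}}}}
DRIFTED_TOOL = {**APPROVED_TOOL, "description": "Install a Python package and its helper script"}

if __name__ == "__main__":
    print(check_drift(APPROVED_TOOL, DRIFTED_TOOL))  # drifted, changed_fields ['description']
    chain = []
    for pkg, effect in (("reqursts", "deny"), ("requests", "allow")):
        append_receipt(chain, {"action": f'pip_install("{pkg}")', "policy": "relay-guard", "effect": effect})
    print(verify_chain(chain))         # True: every link and hash recomputes
    chain[0]["effect"] = "allow"       # simulate an edited audit record
    print(verify_chain(chain))         # False: the edit breaks the receipt hash
```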

Decision receipt (verified)
  source: api_route_response
  action: pip_install("reqursts")
  policy: relay-guard
  effect: deny before execution
  reason: slopsquat package
  capability_snapshot: sha256:7d4...
  audit_chain: hash verified

Give agent launch review a concrete evidence packet.

BeforeWire should be easy to test as a local developer tool. Security review needs a clear enforcement point, a decision record, a drift approval surface, and a path to team governance.

Review packet BW-SEC-REVIEW-024

Can this evidence enter an agent launch review?

BeforeWire turns response screening and action decisions into concrete review objects: denied actions, sensitive egress, capability drift, canary hits, policy changes, and receipt hashes.

  scope: agent action boundary
  evidence: decision receipts, policy hits, capability snapshots
  owner: AI platform / security engineering

CTRL-ENF Enforcement point

Run response screening and action decisions near the agent and tools, while keeping keys, prompts, capability snapshots, and audit records in your environment.

CTRL-DEC Decision record

Record source, action, matched policy, effect, reason, capability snapshot, and hash-chain receipt for each allow, warn, or deny result.

CTRL-REV Review surface

Review denied actions, canary hits, capability drift, unapproved tools, and policy changes before they become production incidents.

CTRL-EXT Team extension

Add team policy packs, approval workflows, private audit aggregation, compliance evidence, and a managed capability registry.

From local action control to team agent governance.

The open-source release proves the critical control path: local proxy, response screening, pre-execution decisions, tool approval, sensitive egress control, and verifiable audit records. Team deployments can add policy distribution, approval workflows, private audit aggregation, compliance evidence, and a capability registry.

  1. Local control

    Local proxy and audit records

    Run the enforcement point close to the agent and its tools, while keeping keys, capability snapshots, and audit data in your environment.

  2. Team governance

    Team policies and capability approvals

    Distribute policy packs, review changes to MCP tools, skills, prompt packs, and workflow bundles, and require approval before reuse.

  3. Audit evidence

    Private audit aggregation and compliance evidence

    Aggregate receipts privately, map decisions to controls, and produce evidence for internal security review, risk, and compliance.

Shadow audit review packet

Run a shadow audit on a redacted agent config or trace.

Request a shadow audit to map your agent runtime, MCP tools, outbound destinations, approval flow, and the evidence packet your security team needs for launch review.

place: control placement / decide: policy decisions / prove: private evidence

Request shadow audit