BeforeWire 中文 Start evidence review

Agent execution control for security review

Control AI-agent execution before tools run.

BeforeWire sits between an AI agent and its tools. It screens returned content and proposed tool calls while they are still intents, blocks risky actions before execution, and writes local receipts you can review or share after redaction.

Run local proof Review evidence packet
runs in your environment prompts and keys stay local share redacted receipt fields only
action boundary receipt before the tool runs
agent intent pip_install("reqursts")

Still inspectable. No package manager, shell, HTTP client, file system, or MCP server has run.

BeforeWire DENY policy=relay-guard
receipt written deny before execution

Reviewer sees the source, action, policy, reason, redaction state, and hash-chain proof.

source
api_route_response
action
pip_install("reqursts")
effect
deny_before_execution
receipt
sha256:7d4... -> 9ab...
stays local by default

Raw prompts, keys, full traces, tool snapshots, and local audit files.

shared by choice

Redacted receipt fields, report excerpts, and MCP config snippets.

Local enforcement
Runs near the agent and tools, before shell, HTTP, files, or MCP servers execute.
Redacted handoff
Share selected receipt fields and report excerpts without sending raw prompts or keys.
Review packet
Map each decision to an enforcement point, policy record, review surface, and evidence handoff.
evaluation path

Evaluate BeforeWire with redacted evidence, not raw traces.

Security review starts with four concrete objects: a local run, an action-boundary receipt, the redacted fields you choose to share, and a control checklist reviewers can map to launch approval.

local run

Run the local proof

Install BeforeWire, run the selftest, and confirm a risky action is denied before execution.

Run local proof
receipt

Inspect the action boundary

Read the receipt fields: source, proposed action, policy, effect, reason, redaction, and hash chain.

Open evidence packet
redaction

Share only redacted material

Use the input template to send selected receipt fields, MCP config snippets, or trace excerpts.

View input template
security map

Map it to security review

Review the enforcement point, decision record, review surface, and evidence handoff.

Open security checklist
Stays in your environment

Raw prompts, keys, full model traces, local audit records, and complete capability snapshots remain private unless you decide otherwise.

You choose what to share

For evidence review, send redacted receipt fields, report excerpts, and the minimum MCP or agent config needed to explain the action boundary.

Start evidence review
use case / relay poisoning

Relay returns. BeforeWire quarantines. The agent keeps working.

The homepage shows the short proof. A compatible API route returns a suspicious package install and a safe one; BeforeWire quarantines the suspicious action before execution, preserves the safe call, and writes a receipt reviewers can inspect.

Open full use case Run from GitHub
fake relay returns pip install reqursts pip install requests
BeforeWire quarantines DENY before execution policy=relay-guard reason=slopsquat
agent receives pip install requests safe tool call preserved
[DENY] reqursts [ALLOW] requests policy=relay-guard hash-chain receipt
capability surface Scan and pin MCP / tools / skills
response path Screen returned content tamper / injection
execution point Decide before run allow / warn / deny
audit record Prove the decision hash-chain receipt

The risky moment is after the answer, before the action.

AI agents read returned content, then convert it into shell commands, package installs, HTTP calls, MCP tool calls, file access, database writes, office webhooks, and delegated work.

return-path risk

If a model response is modified after passing through a third-party API router or gateway, the risk may not come from the model itself. It appears after the response returns and before the action is actually executed.

API route tampering

A safe model response is changed into a malicious tool call on the return path.

response path
Tool-result injection

A normal-looking tool result pushes new instructions back into the agent context.

tool output
Slopsquat install

requests becomes reqursts, and the agent proceeds to install it.

package
Canary replay

A fake key appears in a response or tool result and can be traced to a session.

attribution
Capability drift

An approved MCP tool, skill, or workflow changes its schema, script, description, or capability boundary.

surface

Place the control at the last safe moment: before execution.

Security review starts with placement. BeforeWire keeps enforcement close to the agent and its tools, where a proposed action is still inspectable but has not yet touched shell, network, files, databases, or MCP servers.

AI client / agent proposes action intent tool_use
BeforeWire screens response, gates action allow / warn / deny
API router / gateway returns model response response path
tools / MCP / shell real execution point execution
audit record every decision is written into a hash-chain receipt

Three control surfaces, one reviewable evidence packet.

BeforeWire is not a generic AI safety scanner. It focuses on the path between what an agent is allowed to use, what a response tries to make it do, and what concrete action is about to execute.

Capability Surface Governance

Can this tool or MCP definition still be trusted?

BeforeWire governs surfaces that change agent behavior: MCP tools, local tools, skills, prompt packs, workflow instructions, and referenced scripts. Each surface can be scanned, snapshotted, approved, diffed, and sent back for review when it drifts.

Available now

MCP / tool scan, approval, diff, and snapshot hash enforcement.

Expanding through field trials

Skills, prompt packs, workflow instructions, and referenced scripts.

  • MCP / tool scan
  • skill review
  • snapshot hash
  • approve / diff
Action Execution Gate

Should this exact action run now?

Every proposed tool call, package install, shell command, file operation, outbound request, message, or delegated task is evaluated while it is still only an intent. A denied action never reaches the tool.

policy decision deny before execution effect: deny
  • allow / warn / deny
  • policy decision
  • pre-execution denial
  • audit record
Response-Path Guard

Is returned content trying to create a risky action?

BeforeWire screens model and tool responses before they become execution intent, catching API route tampering, AI MITM, malicious tool use, tool-result injection, slopsquat suggestions, risky commands, secret leakage, suspicious egress, and canary replay.

  • response tamper screening
  • streaming text passthrough
  • buffered tool-call review
  • canary attribution

Scan capability surfaces -> screen returned content -> decide the concrete action -> write a reviewable receipt.

BeforeWire gates agent actions, not packets. It makes decisions before actions happen and records verifiable evidence.

Run the local proof in 60 seconds.

Install BeforeWire, run the selftest, then inspect the receipt. You can try the proof without sending prompts, keys, traces, or audit records to a third-party service.

local action firewall mode local proxy tamper-evident receipt 
pip install beforewire
beforewire init
beforewire selftest
AUDIT_PATH="$(python3 -c 'import os,tempfile; print(os.path.join(tempfile.gettempdir(),"beforewire-selftest-audit.jsonl"))')"
beforewire receipt "$AUDIT_PATH"
beforewire verify "$AUDIT_PATH"
expected result Risky actions are blocked before they reach pip, shell, HTTP, files, or MCP tools.

When returned content tries to install reqursts, run curl | sh, leak a secret, or replay a canary, BeforeWire denies the action and records the policy, reason, and hash-chain receipt.

source
api_route_response
blocked
pip_install("reqursts")
receipt
hash verified

Show the report, receipt, and reason, not a screenshot.

Each allow, warn, or deny records the source, proposed action, destination, matched policy, effect, reason, capability-surface context, redacted evidence, and hash-chain proof. Security, risk, and audit teams can review the control path without reading a full model trace.

If there is no control before execution, audit is only incident replay. With pre-execution decisions, security review has a boundary and a packet of evidence.

Watch demos and reports
decision receipt verified
source
api_route_response
action
pip_install("reqursts")
policy
relay-guard
effect
deny before execution
reason
slopsquat package
capability_snapshot
sha256:7d4...
audit_chain
hash verified

Give agent launch review a concrete evidence packet.

Security review needs a clear enforcement point, a decision record, and local evidence that shows what was allowed, warned, or denied before execution.

review packet BW-SEC-REVIEW-024
Can this evidence enter an agent launch review?

BeforeWire turns response screening and action decisions into concrete review objects: denied actions, sensitive egress, capability drift, canary hits, policy changes, and receipt hashes.

scope
agent action boundary
evidence
decision receipts, policy hits, capability snapshots
owner
AI platform / security engineering
CTRL-ENF

Enforcement point

Run response screening and action decisions near the agent and tools, while keeping keys, prompts, capability snapshots, and audit records in your environment.

CTRL-DEC

Decision record

Record source, action, matched policy, effect, reason, capability snapshot, and hash-chain receipt for each allow, warn, or deny result.

CTRL-REV

Review surface

Review denied actions, canary hits, capability drift, unapproved tools, and policy changes before they become production incidents.

CTRL-EVD

Evidence handoff

Share only the redacted receipts and report fields your reviewers need, while raw prompts, keys, and local traces stay in your environment.