Agent lock

Agent Lock is a security gateway for AI agents, MCP proxy, or OpenClaw plugin that intercepts tool calls, classifies risk with AI, requires human approval and uses Token Vault for secure auto actions.

Comment

Inspiration

Every day, AI agents are being deployed into production systems with direct access to emails, databases, code repositories, and cloud services. But the security model for these agents is still dangerously immature — agents execute actions with no oversight, no risk classification, and no way for users to know what credentials are being exposed.

We built Agent Lock because we believe no AI agent should act without human oversight on high-risk operations, and no agent should ever touch raw credentials.

What it does

Agent Lock is a security and governance middleware that sits between any AI agent and the tools it uses. It works in two integration modes:

  1. MCP Gateway — proxies any MCP server and exposes its own secure broker tools. Compatible with Claude Desktop, ChatGPT, Cursor, Windsurf, and any MCP-compatible AI client — not tied to any single AI provider.
  2. OpenClaw Plugin — native before_tool_call hook for OpenClaw agents.

Both modes share the same governance backend deployed on Azure.

Core capabilities

  • Intercepts every tool call made by the agent and routes it through the governance layer before execution
  • Classifies risk using static regex policies + Gemini 2.0 Flash AI intent validation — comparing what the agent does vs what the user asked for
  • Auto-approves LOW risk actions instantly; halts HIGH/CRITICAL actions with a full Telegram alert and waits for human ✅/❌ approval
  • Fail-closed by design — if the backend is unreachable, all agent actions are blocked by default, never silently allowed
  • Full audit trail — every decision (approved, blocked, timed out) is logged with timestamp, risk level, Gemini's semantic analysis, and decision source (auto or human)

Auth0 Token Vault — Broker Mode

This is the core of Agent Lock's security model. Rather than passing credentials to agents, Agent Lock exposes its own first-party secure tools that agents call directly:

Tool What it does
vault/google/gmail/send Send email via Gmail — agent never sees the token
vault/github/issues/create Create GitHub issues securely
vault/slack/messages/send Send Slack messages without exposing credentials
vault/google/calendar/events Create Google Calendar events securely

For each call, Agent Lock:

  1. The user authenticates once via Auth0 Universal Login
  2. Agent Lock intercepts the agent's tool call request
  3. The backend exchanges the user's Auth0 session for a scoped, short-lived federated token using Token Vault's grant type: urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token
  4. Agent Lock calls the provider API server-side (broker mode)
  5. The agent receives only the result — never the credential

This means AI agents are permanently decoupled from raw credentials at the infrastructure level, not the application level.

Next.js Dashboard

A real-time control panel that shows:

  • Live activity stream of all agent tool calls
  • Risk classification for each action
  • Pending approvals queue
  • Audit log viewer with CSV/JSON export
  • Policy editor for custom risk rules
  • MCP server manager
  • Token Vault connection status per provider

How we built it

Backend: FastAPI (Python) deployed on Azure Web Apps, with SQLite persistence for pending actions that survive backend restarts. The backend exposes a full REST API consumed by both integration modes.

Risk Engine: Two-layer classifier:

  • Static policies.json rules with regex patterns for instant classification of known dangerous patterns (shell destruction, DB drops, file deletion)
  • Gemini 2.0 Flash for semantic intent validation — catches cases where the agent's action contradicts what the user actually asked for

Auth: Full Auth0 PKCE flow with Token Vault federated connection exchange using the federated-connection-access-token grant type. Implemented broker endpoints for Gmail, GitHub, Slack, and Google Calendar.

HITL Channel: Telegram bot with approve/reject inline keyboard buttons, deduplication to prevent notification spam, re-notify cooldown, and fail-closed timeout (if no human responds within the configured window, the action is cancelled).

MCP Layer: Python MCP server that proxies any number of target MCP servers through the governance layer. Claude/ChatGPT/Cursor sees all the target tools, but every call is intercepted before reaching the real server.

OpenClaw Plugin: TypeScript plugin using before_tool_call interception hooks, published as an npm package (@agentlock/agent-lock).

Dashboard: Next.js app with real-time WebSocket updates, Server-Sent Events for live activity stream, and a full policy management interface.

Challenges we ran into

Auth0 Token Vault implementation: The federated connection grant type is sparsely documented. Getting the correct grant_type, requested_token_type, and connection parameters required significant testing and iteration. The state hardening (nonce.signature format) for the auth callback also required careful implementation to prevent CSRF attacks.

Fail-closed architecture: Designing a system where backend unavailability always results in blocked actions (not silent pass-through) required careful handling of timeouts, network errors, and partial failures across both integration modes.

Telegram conflict prevention: When both a local dev backend and the Azure production backend are running simultaneously, the same Telegram bot token causes a 409 Conflict on getUpdates. This required implementing TELEGRAM_POLLING_ENABLED config flags and per-environment bot separation.

Deduplication of AUTH_REQUIRED actions: When an agent retries a blocked action, the system must recognize it as the same pending action rather than creating duplicate approval notifications. Implemented action-level deduplication with re-notify cooldown in SQLite.

Accomplishments that we're proud of

  • A fully working Auth0 Token Vault broker mode for Gmail, GitHub, Slack, and Google Calendar — AI agents call these APIs without ever receiving or seeing a token
  • A production backend deployed on Azure with real Auth0 integration and live endpoints
  • Dual integration modes (MCP Gateway + OpenClaw Plugin) sharing the same governance backend — any MCP-compatible AI client can use Agent Lock without any code changes
  • A complete audit trail that includes Gemini's semantic intent analysis for every single agent action
  • A real-time dashboard with live WebSocket updates showing agent activity as it happens

What we learned

Auth0 Token Vault is a genuinely powerful pattern for agentic apps. It solves credential exposure at the infrastructure level — the agent never has an opportunity to leak, log, or misuse credentials because it never receives them.

AI intent validation catches a class of attacks that rule-based systems miss entirely. A regex rule can catch rm -rf, but only Gemini can detect when an agent asked to "summarize a file" suddenly tries to delete it.

Human-in-the-loop is only valuable if it's fast and non-blocking. The Telegram UX needed careful design — the alert had to be informative enough for a real decision, but fast enough that the developer doesn't just approve everything to get their work done.

Built With

Share this project:

Updates