maryada

The Semantic Firewall for Autonomous Agents

Comment

Inspiration

As AI agents become more autonomous, they are gaining the ability to modify real systems — delete files, call APIs, create cloud resources, and handle secrets. Today, these agents operate with near “god mode,” while traditional security tools only see IP addresses and ports, not intent or consequences.

I was inspired by a simple question: “Why don’t AI agents have a firewall?”
Just as browsers needed AdBlock, autonomous AI needs a semantic safety boundary. That idea became Maryada.

What it does

Maryada is a semantic firewall for AI agents. It runs locally as a transparent proxy between an agent and the internet and:

  • Intercepts every outbound HTTP request
  • Locally detects and redacts secrets (DLP for text and JSON)
  • Applies policy rules via YAML configuration
  • Uses Gemini 3 to reason about intent vs. action
  • Supports three verdicts: Allow, Block, AskHuman
  • Keeps a lightweight “ownership ledger” so agents can safely modify what they created
  • Provides a live terminal console that visualizes decisions in real time

In practice, Maryada can:

  • Block accidental password leaks
  • Stop destructive actions like DELETE /production-db
  • Pause risky requests and ask for human approval
  • Allow safe, routine actions automatically

How I built it

  • Core Proxy: Rust + Tokio + Hyper for high-performance request interception
  • HTTPS forwarding: hyper-tls + hyper-util
  • Policy Engine: YAML-configurable rules (method, endpoint, and body-based)
  • Local DLP Layer:
    • Regex-based secret detection (Stripe, AWS, generic secrets)
    • JSON-aware traversal that redacts sensitive fields by key name
  • Reasoning Layer: Gemini 3 (Flash) analyzes sanitized request summaries and returns a structured decision + explanation
  • Human-in-the-Loop: Terminal-based approval flow for high-risk actions
  • Live Console: Minimal in-memory dashboard showing recent Allow/Block/Ask events

Everything runs locally first, and the system is designed to fail closed on errors, timeouts, or missing API keys.

Challenges I ran into

  • Building a reliable forward proxy that worked with real-world tools like curl and agent workflows
  • Safely buffering and reconstructing request bodies without breaking upstream semantics
  • Designing redaction that was general enough to feel real, yet simple enough for a hackathon
  • Integrating Gemini in a way that was central (reasoning) rather than cosmetic
  • Making Human-in-the-Loop responsive without freezing the entire proxy

Accomplishments that I’m proud of

  • Shipping a working Rust-based semantic firewall in a short timeframe
  • Making Gemini the decision brain, not just a chatbot
  • Implementing a capability-style “agent ownership” model
  • Creating a clean, memorable demo that clearly shows risk → reasoning → enforcement
  • Designing an architecture that could plausibly scale beyond a hackathon

What I learned

  • Security for AI agents is a new layer of infrastructure, not just prompt engineering
  • Local-first safeguards build trust and reduce dependency on cloud services
  • Structured decisions (verdict + reason) are critical for usability and transparency
  • Even simple ownership tracking dramatically improves safety guarantees
  • Good demos are as much about narrative as technical depth

What’s next for Maryada

Open-source roadmap:

  • Full HTTPS MITM support
  • WebSocket and gRPC interception
  • Pluggable community redaction rules (like “EasyList for AI”)
  • Deterministic event replay for debugging

Hosted product vision:

  • Centralized policy management
  • Fleet monitoring for teams running multiple agents
  • Slack/Teams approval workflows
  • Audit logs for compliance
  • Risk scoring and intent-drift detection across agents

Long term, Maryada aims to become the default safety boundary for autonomous AI systems — the control plane that keeps agents powerful, but safe.

Built With

Share this project:

Updates