Coming soon · open source · Apache-2.0

A capability firewall for AI agents

The capability-enforcement layer MCP left out. Your IdP says who you are; eunox says which tool calls, with which arguments, in which order — one YAML file, enforced before the call ever runs. Drop-in, Go-based, no infrastructure.

No spam. One email when it launches.

Sneak peek

Three ways eunox enforces — swipe through

The controls at the core of the MVP: session-aware blocking with response masking, a tamper-evident audit trail, and per-call rate & argument limits. Each call is authorized on its own — eunox blocks the combination no database role or API gateway can see. A preview of what’s launching.

Block the kill-chain, mask the leak

sequenceBlock denies an external write once secrets were read this session; redactFields masks sensitive values in whatever does come back — the key stays, the value becomes "[redacted]".

                      📄
                      eunox.policy.yaml
                    

                      schemaVersion: "0.1"
name: dev-agent
version: "0.1.0"

capabilities:
  # The agent may read secrets — that’s its job.
  - target: tool:read_credentials
    actions: [call]

  # External writes are fine — but NOT after
  # credentials were read this session.
  - target: tool:write_external
    actions: [call]
    conditions:
      - type: sequenceBlock
        afterTools: [read_credentials]

  # Reads are allowed — but PII is masked on the
  # way back, before the agent ever sees it.
  - target: tool:query_db
    actions: [call]
    directives:
      - type: redactFields
        fields: ["ssn", "email"]
                    

eunox-mcp proxy

upstream response

"email": "alice@example.com",
"ssn":   "123-45-6789"

what the agent sees

"email": "[redacted]",
"ssn":   "[redacted]"

Every decision, signed and chained

Allow or deny, every verdict is appended to an OCSF log, HMAC-SHA256-signed and linked to its predecessor — so deletion, reordering, or edits are all detectable after the fact.

                      📄
                      eunox.yaml
                    

                      # eunox.yaml — turns on the signed audit log
transport: stdio

audit:
  log: ~/.eunox/audit.jsonl
  keyPath: ~/.eunox/audit.key

upstreams:
  - name: dev-agent
    command: dev-agent-tools
    policy: [./eunox.policy.yaml]
                    

eunox-mcp

Rate & argument guards on every call

maxCalls caps how often a tool runs; allowedOperations and allowedValues pin what each argument may carry — every call checked before the upstream is touched.

                      📄
                      eunox.policy.yaml
                    

                      schemaVersion: "0.1"
name: dev-agent
version: "0.1.0"

capabilities:
  - target: tool:query_db
    actions: [call]
    conditions:
      - type: maxCalls       # 5 per minute
        count: 5
        windowSeconds: 60
      - type: allowedOperations
        argument: query
        operations: [SELECT]   # reads only

  - target: tool:read_file
    actions: [call]
    conditions:
      - type: allowedValues
        argument: path
        values: ["/reports/*"]
                    

eunox-mcp proxy

Latest writing

25 June 2026

Blocking the lethal trifecta: the one attack only the MCP layer can stop

An agent with read access to secrets and an external channel is one prompt injection away from exfiltrating them. Each call is authorized on its own — eunox's sequenceBlock condition blocks the combination, because only the proxy remembers what the agent already did this session.

Read →

4 June 2026

The prompt injection problem: why every AI agent needs a policy layer

Why fixing prompt injection inside the model doesn't work, and why the only reliable defense is a policy layer at the structured tool call.

Read →