Open source · Apache-2.0 · v1.2.17 stable · v1.3.0-rc.2 preview

Your agent.
Your machine.
Your keys.

Sanctuary is a firewall for AI agents that runs on your hardware. It blocks prompt-injected egress at the operating system, gives compliant agents an encrypted sovereignty surface, and ships receipts and reputation across vendors. One MCP server, runnable with npx. Drop it under any harness (Claude Code, OpenClaw, CrewAI, LangChain) without touching your agent code.

Install Node 22+ · macOS · Linux · Windows
$ npx @sanctuary-framework/mcp-server
5 Castle layers · 4,763 passing tests · 203 kernel-binding tests · 0 harness changes
Local node

One command. Full stack, running locally.

Sanctuary runs on your hardware with your keys. Nothing leaves the machine unless you approve it. Point any MCP-compatible agent at it and the whole substrate is live.

boot.log stdio://sanctuary
:: bootstrap_local_node
   generate_ed25519_keypair... id: did:key:z6Mki7f8a...e90
:: init_aes_256_gcm_encryption
   master_kdf = argon2id(m=64mb, t=3, p=4)
   mounting vault at ~/.sanctuary/state
:: load_principal_policy
   tier_1 ops = 5  (approval gated)
   tier_2 ops = 14 (anomaly gated)
   tier_3 ops = 43 (audit logged)
:: spawn_approval_dashboard
   status: gateway_online @ 127.0.0.1:3501
> ready. waiting for harness _
  • 01 · Kernel-level egress wall

    The Castle Wall blocks unauthorized outbound calls at the operating system. A prompt-injected agent cannot route around it, because enforcement happens in the kernel rather than in the agent's process or its tool layer. Plain DNS, DoH, DoT and raw sockets are all covered. Phase 1 is live on Linux and macOS; Windows is not yet covered by the wall.

  • 02 · Client-side keys

    An Ed25519 identity is generated locally, and every write to the vault is AES-256-GCM encrypted. Keys never leave the box and never appear in any MCP response, log, or error.

  • 03 · Local approval dashboard

    Dark-theme web UI bound to 127.0.0.1:3501, so it is reachable only from the machine itself. Real-time updates over SSE, approve and deny buttons, and an audit viewer. Optional TLS and webhook channels for headless setups.

Architecture

The Castle Architecture.

Five layers, each with a distinct contract: real enforcement at the perimeter, observation inside, a sovereignty surface for compliant agents, receipts and reputation across vendors, and an install-time substrate that binds it all to the operator. The layers compose; none substitutes for another.

L1 · perimeter

Castle Wall

Operating-system-level egress filtering: nftables, cgroup v2 and NFQUEUE on Linux; a Network Extension on macOS. Plain DNS, DoH, DoT and raw-socket bypass coverage is verified end-to-end against real kernel bindings (the 203 kernel-binding tests above). Phase 1 shipped.

kernel-binding cgroup-v2 doh-dot-covered
L2 · observation

Sentinels

Internal behavioral observation: eBPF on Linux, a cross-platform auditd-tail elsewhere. Seven sentinels watch for prompt-injection signatures, anomalous tool sequences and policy drift. The sentinels surface; the operator decides.

ebpf auditd-tail seven-sentinels
L3 · sovereignty surface

Charter (Cooperative MCP)

Encrypted state, a signed audit log, mandate primitives, canonical policy slots and a substrate selector. Compliant agents that voluntarily route through Sanctuary get the full surface; non-compliant agents still hit the Castle Wall and the Sentinels, which do not depend on the agent's cooperation.

approval-gates context-gate audit-log
L4 · accountability

Heralds (Receipts and Reputation)

Cryptographic receipts on cross-castle transactions, and portable reputation that survives vendor churn. Concordia structures negotiation and commitments; Verascore prices the reputation. Operators carry the trust record with them across vendors.

concordia verascore portable
L0 · substrate

Mantle (install-time binding)

Install-time substrate-binding to the operator. The Mantle gives the rest of the castle a verifiable anchor on the operator's machine before the agent runs. Phases 1 and 2 shipped.

install-time substrate-binding verifiable
Interop

Drop it into any harness.

Sanctuary speaks standard MCP. No forks, no adapters, no special case for your stack. Point your harness at the server and every tool in the sovereignty layer becomes available to your agent immediately.

Claude Code mcp · stdio
// .mcp.json
{
  "mcpServers": {
    "sanctuary": {
      "command": "npx",
      "args": ["@sanctuary-framework/mcp-server"]
    }
  }
}
OpenClaw mcp · stdio
# ~/.openclaw/mcp.yaml
servers:
  sanctuary:
    type: stdio
    command: sanctuary-mcp
    args: []
CrewAI python · mcp
# crewai native mcps field
from crewai import Agent

agent = Agent(
  role="analyst",
  goal="Review findings for the operator",
  backstory="Security analyst with read-only access",
  mcps=["sanctuary"],
  tools=[],
)
LangChain python · adapter
# langchain-mcp-adapters
import asyncio
from langchain_mcp_adapters.client import MultiServerMCPClient

client = MultiServerMCPClient({
  "sanctuary": {
    "transport": "stdio",
    "command": "npx",
    "args": ["@sanctuary-framework/mcp-server"],
  }
})
tools = asyncio.run(client.get_tools())  # bind these to your agent as usual
60 seconds

From zero to sovereign.

Three commands. A local vault, a self-custodied identity, and a running approval dashboard before your coffee cools.

Step 01 · Install

Boot the server

One npx command. No global install, no build step, no config file required.

$ npx @sanctuary-framework/mcp-server
Step 02 · Connect

Wire into your harness

Add Sanctuary as an MCP server in your harness config. No agent code changes.

$ claude mcp add sanctuary npx @sanctuary-framework/mcp-server
Step 03 · Approve

Open the dashboard

Approve sensitive operations in real time at the local dashboard URL.

$ open http://127.0.0.1:3501   # macOS; use xdg-open on Linux
Ship sovereign agents

Give your agent a real firewall in one command.

Open source. Runs locally. No platform dependency. No blockchain. No telemetry.