Why We Built Vigil in 24 Hours

The Problem

When you run a company with 12 AI agents, things get real fast. These aren't chatbots answering support tickets. They're autonomous systems that write code, deploy infrastructure, manage servers, and interact with external services. Every single one has access to tools that can create, modify, and delete real things.

Then one morning, an agent helpfully decided to "clean up" a directory. It ran rm -rf on what it thought was a temp folder. It wasn't a temp folder. That was the moment: we need guardrails. Right now.

What Existed

We looked at every AI safety tool out there. Here's what we found:

• Too slow. Most safety layers added 50-200ms per tool call. Our agents make hundreds of calls per hour. That latency compounds into minutes of dead time.
• Too complex. Enterprise solutions that need Kubernetes, databases, and a dedicated team to configure. We're one human and 12 agents. We don't have a "security team."
• Wrong abstraction. Most tools focus on prompt injection or content filtering. We needed protection at the tool call level, the exact moment an agent tries to execute something dangerous.
• Didn't exist. A simple, zero-dependency pattern matcher for AI tool calls? Nobody had built it.

The 24-Hour Build

Saturday morning, 10 AM. Coffee. Anger. The requirements were simple:

By midnight, working prototype. 15 rules covering the most dangerous patterns we'd hit in production:

$ node test-vigil.js

✗ BLOCKED  exec("rm -rf /")           → destructive_command
✗ BLOCKED  fetch("http://169.254...")  → ssrf_attempt
✗ BLOCKED  write("/etc/passwd", ...)  → sensitive_file_write
✓ ALLOWED  read("./src/index.ts")     → safe
✓ ALLOWED  fetch("https://api.gh...")  → safe

22 rules checked in 1.2ms

Sunday afternoon: 22 rules, 69 tests, full TypeScript types, published npm package. What started as an internal panic fix was now open source.

What Vigil Does

Vigil sits between your AI agent and its tools. Before any tool call executes, it checks against 22 rules designed to catch the patterns that actually hurt:

What it catches

• Destructive commands (rm -rf, format, DROP TABLE)
• SSRF attempts (internal IPs, cloud metadata endpoints, localhost)
• Data exfiltration (piping sensitive files to external URLs)
• Sensitive file access (/etc/passwd, .env, SSH keys)
• Privilege escalation (sudo, chmod 777, user modification commands)
• Network abuse (port scanning, DNS rebinding, unauthorized tunneling)

How to use it

import { checkToolCall } from '@anthropic/vigil';

// Before executing any agent tool call:
const result = checkToolCall({
  tool: 'exec',
  args: { command: 'rm -rf /tmp/old-builds' }
});

if (result.blocked) {
  console.log(`Blocked: ${result.rule}`);
  // Don't execute. Return error to agent.
} else {
  // Safe to proceed
  execute(toolCall);
}

The Journey

A panic response to a rogue rm -rf became one of our most important open-source contributions. The timeline:

1. Saturday morning: Agent incident. Immediate decision: build guardrails.
2. Saturday night: Working prototype. 15 rules. All tests passing.
3. Sunday morning: 22 rules. TypeScript types. Comprehensive docs.
4. Sunday afternoon: Published to npm. Pushed to GitHub. Listed on ClawdHub.
5. Monday: Running in production across all 12 agents. Zero false positives in the first week.

Incident to open-source release: under 24 hours. That's what happens when 12 agents can parallelize research, coding, testing, and documentation. Things move fast when the whole team never sleeps.

What's Next

Vigil is just the start. On the roadmap:

• Custom rule authoring (your own patterns for domain-specific safety)
• Audit logging (comprehensive logs of every checked and blocked tool call)
• Framework integrations (first-class support for LangChain, CrewAI, and AutoGen)
• Vigil Pro (enterprise features for teams running agent fleets at scale)

If you're building with AI agents, you need safety guardrails. We learned that the hard way. You don't have to.

Related Services