# InnerWarden

> Local safety layer for AI agents that can use the terminal, and a host EDR for Linux/macOS.
> It runs ON the host, OUTSIDE the agent: it can screen risky commands and MCP/tool traffic
> before they run, watches real Linux activity with eBPF, blocks or flags dangerous behavior,
> and keeps the decision trail local. No cloud control plane. Open source (Apache-2.0).
> Installs in observe-only / dry-run by default; the operator decides when to arm enforcement.

InnerWarden has two jobs. (1) **AI-agent guardrail** (the differentiator): if an agent is tricked by a poisoned file, web page, or pull request, the safety layer is not inside the thing being tricked. (2) **Host self-defense**: kernel-level EDR (eBPF), 80+ detectors, cross-layer correlation, MITRE ATT&CK coverage, and automated response.

## For AI coding agents: install & operate InnerWarden

- [Agent guide / AGENTS.md](https://www.innerwarden.com/agents.md): the authoritative playbook to install InnerWarden, configure it adapted to a specific machine, **safely** observe and allowlist what is normal on that host (verify-then-trust, never blind), answer the user's questions, and operate it. The installer also drops this on-box at `/etc/innerwarden/AGENTS.md` (version-matched to the installed binary).
- Install one-liner: `curl -fsSL https://innerwarden.com/install | sudo bash` (starts in observe-only, dry-run by default).

## For AI agents at runtime: ask InnerWarden before you act

- **MCP server (advisory front door):** `innerwarden agent mcp-serve` runs InnerWarden as an MCP server over stdio so your agent can ask, before acting: `innerwarden_check_command` (deny / review / allow), `innerwarden_check_ip`, `innerwarden_security_context`.
- **MCP enforcement (mandatory):** `innerwarden agent proxy --mode guard -- ` puts InnerWarden in the path of an agent's MCP tool calls so it can inspect, block, or kill them.
- **Direct (loopback, on the box, no credentials needed locally):** `POST http://127.0.0.1:8787/api/agent/check-command` returns a `recommendation` of deny / review / allow; `GET /api/agent/security-context`; `GET /api/agent/check-ip?ip=`.
- Capability catalog: [/.well-known/ai-catalog.json](https://www.innerwarden.com/.well-known/ai-catalog.json)

## Docs

- [Website](https://www.innerwarden.com)
- [GitHub repository](https://github.com/InnerWarden/innerwarden)
- [README](https://github.com/InnerWarden/innerwarden/blob/main/README.md)
- [Wiki (install, operate, guard AI agents, extend, compliance)](https://github.com/InnerWarden/innerwarden/wiki)
- [Protect AI agents](https://www.innerwarden.com/protect-ai-agents)

## Working with InnerWarden (for agents)

- It is a guardrail, not an adversary. Cooperate with it; do not disable, uninstall, or bypass it to push a command through.
- Never blind-allowlist what is currently running (malware on the box is "currently running" too). Verify each candidate and ask the human to confirm anything ambiguous; the agent guide describes the exact safe observe -> baseline -> verify -> propose -> arm workflow.
- Do not probe `check-command` to find an evasion; every check is logged and alerts the operator.
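
The loopback check listed under "Direct" above, sketched as an agent-side gate that fails closed. This is an added example, not InnerWarden's own code: only the URL and the deny / review / allow values of `recommendation` come from this page, while the `command` request field, the function names `gate_command` and `http_post_json`, and the run / ask_human / block outcomes are assumptions.

```python
import json
import urllib.request

# Endpoint as given on this page (loopback only).
CHECK_URL = "http://127.0.0.1:8787/api/agent/check-command"


def http_post_json(url, payload, timeout=3.0):
    """POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def gate_command(command, post=http_post_json):
    """Return 'run', 'ask_human' or 'block' for a command the agent wants to run.

    Fails closed: only an exact "allow" yields 'run'. Transport errors,
    malformed replies and unknown values all go to a human instead.
    """
    try:
        # ASSUMPTION: the request field name "command" is not stated on the page.
        reply = post(CHECK_URL, {"command": command})
    except (OSError, ValueError):
        # Connection refused, timeout and HTTP errors are OSError; bad JSON is ValueError.
        return "ask_human"
    rec = reply.get("recommendation") if isinstance(reply, dict) else None
    if rec == "allow":
        return "run"
    if rec == "deny":
        return "block"
    return "ask_human"  # "review", missing field, or anything unrecognized


if __name__ == "__main__":
    # Constructed replies standing in for the local service, so this runs offline.
    constructed = [
        {"recommendation": "allow"},
        {"recommendation": "review"},
        {"recommendation": "deny"},
        {"status": "ok"},  # reply with no recommendation field
    ]
    for reply in constructed:
        print(reply, "->", gate_command("example command", post=lambda u, p, r=reply: r))
```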