Zehrava Gate Puts a Policy Layer Between Your AI Agents and Production

AI agents that can read your data are useful. AI agents that can write to your CRM, send emails to customers, or charge credit cards are terrifying. Zehrava Gate is a new open-source project that tries to solve this with a simple concept: make the agent ask permission before doing anything dangerous.

The tool works as a self-hosted policy engine sitting between your AI agents and production systems. When an agent wants to take an action, it submits an intent describing what it plans to do. Gate evaluates that intent against YAML-based policies - deterministically, with no LLM involved in the decision - assigns a risk score, and either auto-approves, holds it for human review, or blocks it outright. Policy decisions take roughly 2 milliseconds.

The project ships in three flavors. The SDK version gives you a gate.propose() method with signed execution tokens that expire after 15 minutes. The proxy version runs as an HTTP forward proxy that you can set up with a single environment variable - it handles TLS interception and includes a credential vault mode where the agent never actually sees API keys or passwords (Gate fetches them from 1Password, HashiCorp Vault, or AWS Secrets Manager at execution time). A third version integrates directly with LangChain and LangGraph.
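The flow described above (deterministic policy decision, then a signed token that expires after 15 minutes) can be sketched as follows. This is an added illustration, not Zehrava Gate's code: the rule fields, action names, function names and token format are all assumptions, and the policy is written as the object a YAML file would parse into.

```javascript
// Added illustration; NOT Zehrava Gate's code, policy schema, or token format.
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 15 * 60 * 1000; // 15-minute expiry, as stated in the article

// Hypothetical policy. Rules are checked in order; the first match wins.
const POLICY = [
  { action: "crm.read", decision: "approve", risk: 10 },
  { action: "email.send", maxRecipients: 5, decision: "approve", risk: 40 },
  { action: "email.send", decision: "review", risk: 70 },
  { action: "payment.charge", decision: "block", risk: 95 },
];

// Deterministic: the same intent and policy always give the same decision.
function evaluate(intent, policy = POLICY) {
  for (const rule of policy) {
    if (rule.action !== intent.action) continue;
    // A missing or oversized recipient count fails this rule and falls through.
    if (rule.maxRecipients !== undefined &&
        !(intent.recipients <= rule.maxRecipients)) continue;
    return { decision: rule.decision, risk: rule.risk };
  }
  return { decision: "block", risk: 100 }; // default deny for unknown actions
}

function sign(key, payload) {
  return crypto.createHmac("sha256", key).update(payload).digest("base64url");
}

// Only an auto-approved intent gets a token, and the token is bound to it.
function proposeIntent(intent, key, now = Date.now()) {
  const result = evaluate(intent);
  if (result.decision !== "approve") return { ...result, token: null };
  const claims = JSON.stringify({ intent, exp: now + TOKEN_TTL_MS });
  const payload = Buffer.from(claims).toString("base64url");
  return { ...result, token: `${payload}.${sign(key, payload)}` };
}

// Executor side: check the MAC first, then expiry, then that the intent is
// unchanged (compared as JSON, so key order must match the proposal).
function verifyToken(token, intent, key, now = Date.now()) {
  const [payload, mac] = String(token).split(".");
  if (!payload || !mac) return false;
  const expected = Buffer.from(sign(key, payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  return now < claims.exp &&
    JSON.stringify(claims.intent) === JSON.stringify(intent);
}
```

Binding the token to the exact intent means an approval for a two-recipient email cannot be replayed for a larger send, and the default-deny fallthrough keeps unlisted actions from executing.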

The Credential Vault Angle

The most interesting piece here is the credential vault mode. Most agent authorization discussions focus on "should this agent do X?" but skip over "this agent has my Stripe API key in its context window." By keeping credentials in a vault and only injecting them at execution time - after policy approval - Gate reduces the blast radius if an agent's context gets leaked or manipulated.

Practical Limits

The creator is upfront about what this does not solve: if an agent is fully compromised and controls its own runtime, a policy layer cannot save you. This protects against mistakes and policy violations, not against a hostile takeover of the agent itself.

Zehrava Gate runs on Node.js with SQLite, is available on npm (zehrava-gate), and the source is on GitHub. For teams already deploying agents that touch production data, it fills a gap that most agent frameworks still ignore entirely. The question is whether enough teams are at that stage yet to build a community around it.