Control what AI agents can do, how much they can spend, and what requires human approval. Audit every action with zero friction.
Start Free Trial Book a Demo https://calendar.app.google/FV95tXZtfGpPk7398curl -fsSL https://preloop.ai/install/cli | sh
Install the CLI on macOS or Linux. Discovers and onboards your local agents.
Preloop is the open-source AI agent control plane. It combines an MCP firewall for tool access, an AI model gateway for cost and attribution, policy-as-code with CEL, human-in-the-loop approvals (mobile, watch, Slack, Mattermost), runtime session observability, and audit trails — in a single self-hostable platform. The `preloop agents discover` command imports compatible local agent configs and transparently rewrites Claude Code, Codex CLI, Cursor, Gemini CLI, Hermes, OpenClaw, and OpenCode to route through Preloop without SDK changes. Teams use Preloop as an open-source alternative to AWS Bedrock AgentCore, a unified MCP gateway and AI gateway, and a way to build EU AI Act readiness evidence. Explore AI Act readiness guidance at /ai-act-readiness.
gridInstall the CLI to find local agents on your machine, including OpenClaw, Claude Code, Codex CLI, Cursor, Gemini CLI, Hermes, Windsurf, OpenCode, and other MCP-compatible runtimes, and onboard them into Preloop in seconds. Tool calls are transparently rewritten to go through the Preloop MCP Firewall and model traffic through the Preloop Gateway. No SDK changes, no agent code changes.
Define allow, deny, require-approval, and require-justification rules for any MCP tool or built-in action. Policy-as-code in YAML with CEL expressions, ordered rules with priority, per-parameter conditions, and clear denial messages to the agent. Policies live alongside your infrastructure and version-control like the rest of your stack.
Route model traffic through an OpenAI- and Anthropic-compatible gateway. Control which models each agent, flow, or API key can use, enforce per-account and per-flow budgets, attribute every token to the runtime that spent it, and keep model spend visible before costs run away. Self-hosted - your keys, your infrastructure.
When a tool call hits an approval rule, the right people get notified instantly on mobile, watch, Slack, Mattermost, or email with full context, arguments, and agent reasoning. Approve with one tap. Low-risk actions still run at full speed. Optional async mode lets agents poll for status instead of blocking, so long-running reviews don't break transport hooks.
Every action is logged with attempted tool, inputs, matched policy, decision, approver, model spend, and outcome. Drill from an agent's fleet view into one runtime session timeline. Use the same operational evidence to optimize agents, support internal governance reviews, and build EU AI Act readiness artifacts.
Preloop is the open-source AI agent control plane. It combines an MCP firewall (tool access control), an AI model gateway (cost and attribution), policy-as-code with human approvals, runtime session observability, and audit trails — in one self-hostable platform. Teams use it to govern OpenClaw, Hermes, Claude Code, Codex CLI, Cursor, Gemini CLI, OpenCode, and any MCP-compatible agent from a single control plane.
AI gateways route model traffic and track cost. Preloop does that too, but also governs tool calls through an MCP firewall, adds human-in-the-loop approval workflows, and gives you a single view of every runtime session and audit trail. You get the gateway plus the governance, approvals, and observability — without stitching three products together.
Preloop covers the same core jobs as AWS Bedrock AgentCore — runtime, gateway, identity, observability, and policy — but is open source, self-hostable, MCP-native, and vendor-neutral. You are not locked into AWS models or infrastructure, and you can run it inside your own VPC or on-prem. Many teams adopt Preloop specifically as an open-source alternative to AWS Bedrock AgentCore.
Preloop is a control plane that spans all three. The MCP Firewall governs tool access. The Preloop Gateway governs model traffic. Policy and approval workflows govern sensitive actions. Runtime session observability and audit trails give you AgentOps-style visibility. All in one open-source platform instead of four vendors.
Preloop provides partial prompt-injection defense today through tool access policies, per-parameter CEL conditions, approval workflows on risky tool calls, and redaction of sensitive fields in logs and notifications. Dedicated semantic-level prompt-injection detection is on our near-term roadmap. Preloop is complementary to content-safety firewalls like Lakera or Llama Guard — you can run them in front of Preloop if you need deep semantic filtering today.
Platform, DevEx, security, and operations teams that have rolled out AI agents — OpenClaw, Hermes, Claude Code, Codex CLI, Cursor, Gemini CLI, OpenCode — and now need to control what they can do, how much they spend, and which actions require human approval. It is especially useful when agents can deploy code, access production data, change infrastructure, or spend money.
Install the Preloop CLI and run preloop agents discover. Preloop inspects local configurations for OpenClaw, Hermes, Claude Code, Codex CLI, Cursor, Gemini CLI, OpenCode, and other MCP-compatible runtimes, imports representable MCP servers and model metadata into your account, mints a durable credential, backs up the existing config, and rewrites the local agent to use Preloop-managed endpoints. No SDK, no agent code changes.
Preloop works with OpenClaw, Hermes, Claude Code, Codex CLI, Cursor, Gemini CLI, Windsurf, Cline, OpenCode, and any other MCP-compatible agent or managed runtime. New agents can be added via the MCP standard.
Any action exposed through MCP or a built-in tool: deployments, shell commands, database operations, secret access, cloud provisioning, billing changes, ticket automation, internal APIs, and more. Access rules can inspect arguments and context — not just tool names — with CEL expressions for fine-grained conditions.
No. Preloop fits existing agent workflows without SDKs or invasive changes. The CLI rewrites local agent configs to route through Preloop, and teams add guardrails incrementally — start with observability, then layer in approvals and deny rules.
When a tool call hits an approval rule, Preloop notifies the right people on mobile, watch, Slack, Mattermost, email, or a custom webhook, with full context. Approvers can review, approve, reject, or leave guidance before the agent continues. Async approval mode lets long-running reviews complete without blocking the agent's transport.
Only actions requiring approval pause for human input. Allowed actions run at near-zero overhead. Denied actions fail immediately with a clear message the agent can react to. Most workflows run without any perceptible delay.
Yes. Every action — tool call, model call, policy decision, approval, denial, outcome — is logged with full context, inputs, timestamps, matched rule, and approver. You can drill from fleet view into any single runtime session. The same evidence supports security reviews, incident analysis, internal governance, and AI Act readiness work.
Yes. The Preloop core is Apache 2.0 licensed and self-hostable on your own infrastructure. Preloop Enterprise Edition adds RBAC, team-based approvals with quorum, AI-driven approvals, CEL validation, and audit impersonation tracking on top of the open-source core.
Yes. Preloop helps teams build operational controls and evidence for AI governance programs — approval workflows, runtime visibility, policy enforcement, audit trails. It is best positioned as part of an AI Act readiness program, not as a blanket legal compliance guarantee. See AI Act readiness with Preloop.
No. Preloop does not replace legal interpretation, risk classification, conformity assessment, or broader compliance work. It provides the technical controls, oversight workflows, and evidence collection that support AI Act readiness and internal governance.
Read The AI Agent Control Plane in 2026 — a neutral reference guide that covers the five layers of a control plane (MCP firewall, AI model gateway, human approvals, runtime observability, audit), how Preloop compares to AWS Bedrock AgentCore, MintMCP, Portkey, LiteLLM, Zenity, and Lakera, and how platform and security teams pick an architecture.