Open source · Single binary · Free for individuals

The seatbelt for your agent fleet.

Vigil is the agent-aware data plane that sits between your AI agents and your databases, APIs, and services. Per-agent identity, smart rate limiting, fan-out coalescing, signed audit. Open source. Single binary. Free for individuals.

[Diagram: Vigil sits between AI agents and your data stores. Agents (Claude Code, Cursor, Codex, Copilot, Cline, and more) connect through Vigil (identity · rate-limit · coalesce · blast-radius · audit) to the data path (postgres, redis, REST API, gRPC, services). One binary, in the data path.]

The problem

Today’s infrastructure was built for humans. Agents look like a DDoS.

Postgres, Redis, Cloudflare rate limiters, and AWS API Gateway were tuned for human-shaped traffic. Agents shift the shape from “one user, one request” to “one goal, thousands of sub-requests,” many of them redundant.

Humans
  • Click a button, wait for one response
  • One person = one identity
  • Don’t repeat themselves
  • Rarely take down their own DB
Agents
  • Fire 50 queries in 2 seconds
  • 5 agents share one API key, indistinguishable
  • Re-fire the same query 200 times because the LLM forgot
  • Do it casually
What it does

Five primitives, one binary in your data path.

  1. Per-agent identity

    Every agent gets a stable ID issued by Vigil. The proxy attaches it to every request. Now the database, the logs, and the rate limiter can all distinguish “Claude doing the refactor” from “Cursor running tests” from “your production web traffic.”

  2. Per-agent rate limiting

    Token-bucket throttling that knows which agent is which. The analytics agent gets 100 q/sec, the refactor agent gets 20 q/sec. They don’t starve each other and they don’t starve production.

  3. Fan-out coalescing

    When an agent fires the same query repeatedly (which they do constantly), Vigil deduplicates and serves cached results. The single biggest cost-saver: cuts agent infrastructure costs 40–80% in early benchmarks.

  4. Blast-radius control (coming next)

    Coming in v0.1.0e. “Agent X cannot DELETE from production. Agent Y cannot touch the migrations folder. Agent Z requires human approval before touching auth.” Policies are enforced at the proxy, not in the agent’s prompt, where a jailbreak can talk the agent out of them.

  5. Audit trail

    Every action — what agent, what request, what response, was it cached, was it rate-limited, was it blocked by policy — is signed and logged. When something does go wrong, you can replay it. When auditors come, you have answers.
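
One way to make an audit trail like the one in item 5 tamper-evident, as an added example (not Vigil's code): each record is signed with HMAC-SHA256 and chained to the previous record's signature. The record fields, outcome names and demo key are assumptions; the page does not say how Vigil signs its log.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one audited action; field names are assumptions, not Vigil's schema.
type Record struct {
	Agent, Request, Outcome string // Outcome: executed, cached, rate_limited, blocked
	Prev, Sig               string // previous record's signature; this record's signature
}

// sign MACs the fields plus the previous signature, so each record commits to its history.
func sign(key []byte, r Record) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%q|%q|%q|%q", r.Agent, r.Request, r.Outcome, r.Prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append links a new record to the tail of the log and signs it.
func Append(key []byte, log []Record, agent, req, outcome string) []Record {
	r := Record{Agent: agent, Request: req, Outcome: outcome}
	if n := len(log); n > 0 {
		r.Prev = log[n-1].Sig
	}
	r.Sig = sign(key, r)
	return append(log, r)
}

// Verify returns the index of the first edited, reordered or re-linked record,
// or -1 when the whole chain is intact.
func Verify(key []byte, log []Record) int {
	prev := ""
	for i, r := range log {
		if r.Prev != prev || !hmac.Equal([]byte(sign(key, r)), []byte(r.Sig)) {
			return i
		}
		prev = r.Sig
	}
	return -1
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key, not a real secret
	log := Append(key, nil, "refactor-agent", "SELECT 1", "executed")
	fmt.Println(Verify(key, Append(key, log, "refactor-agent", "SELECT 1", "cached")))
}
```

Verify pinpoints an edited, reordered or removed interior record, but dropping records from the tail leaves a valid shorter chain, so the latest signature should also be stored somewhere the log writer cannot rewrite.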

Blast radius

Each agent runs inside a scope it can’t escape.

Permissions are enforced at the proxy, not in the agent’s prompt. An agent can issue any query it wants — Vigil decides whether the query reaches the data store.

[Diagram: Each agent runs inside a scope it can’t escape. Regions: full database, read-only scope. Refactor agent: SELECT, UPDATE (src/*); cannot DELETE · cannot touch migrations · cannot DROP. Analytics agent: SELECT (replica), EXPLAIN; cannot WRITE · cannot read auth tables · sample 1%. Enforced at the proxy, not in the prompt.]
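
A deny-by-default scope check of the kind this section describes, written here as an added example (not Vigil's code or policy format). The agent IDs, table names and keyword list are constructed assumptions; matching is done on tokens and fails closed.

```go
package main

import (
	"fmt"
	"strings"
)

func set(v ...string) map[string]bool {
	m := map[string]bool{}
	for _, s := range v {
		m[strings.ToUpper(s)] = true
	}
	return m
}

// Scope is one agent's blast radius: anything not in Allow is denied.
type Scope struct{ Allow, DenyTables map[string]bool }

// Any of these keywords, anywhere in the text, must be in the agent's Allow set.
var statementWords = set("SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE", "CREATE", "GRANT", "EXPLAIN")

// Constructed policies for the two agents above; IDs and table names are assumptions.
var policies = map[string]Scope{
	"refactor-agent":  {set("SELECT", "UPDATE"), set("schema_migrations")},
	"analytics-agent": {set("SELECT", "EXPLAIN"), set("auth_sessions")},
}

// Decide returns nil if the statement may reach the data store, else the reason.
func Decide(agent, sql string) error {
	sc, ok := policies[agent]
	if !ok {
		return fmt.Errorf("unknown agent %q", agent) // no identity, no access
	}
	words := strings.FieldsFunc(strings.ToUpper(sql), func(r rune) bool {
		return !(r == '_' || (r >= '0' && r <= '9') || (r >= 'A' && r <= 'Z'))
	})
	if len(words) == 0 || !sc.Allow[words[0]] {
		return fmt.Errorf("%s: leading keyword not in scope", agent)
	}
	for _, w := range words {
		if (statementWords[w] && !sc.Allow[w]) || sc.DenyTables[w] {
			return fmt.Errorf("%s: %s is outside scope", agent, w)
		}
	}
	return nil
}

func main() {
	fmt.Println(Decide("refactor-agent", "DELETE FROM users"))
}
```

Token matching refuses anything it cannot place (a column named "update" is denied for a read-only agent), but a production proxy should make this decision on a parsed statement rather than on keywords.
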
A concrete scenario

10-person startup. Postgres, Redis, five coding agents.

Same Tuesday morning, told two ways.

Without Vigil
  • 11:30 Agent A is refactoring. It runs SELECT * FROM users WHERE email = ? 200 times in 30 seconds because the LLM keeps “rediscovering” the same query.
  • 11:31 Agent B starts an analytics task. Giant aggregation query against the same table.
  • 11:32 Postgres CPU hits 100%. Query latency goes from 5ms to 800ms.
  • 11:33 Your production website starts timing out. Customers complain.
  • 11:35 Slack war room. Three engineers stop what they’re doing.
  • 11:50 Database load is the obvious culprit, but nobody knows which agent did what. They all share the same DB credentials.
  • 12:15 Identified and killed.
  • 12:30 Postmortem. “We need rate limits.” Cloudflare rate limits are per-IP. All your agents come from the same Kubernetes pod.
With Vigil
  • 11:30 Agent A makes its 1st query. Vigil sees the agent’s identity, runs the query.
  • 11:30 Agent A makes its 11th identical query. Vigil notices, serves cached result instantly. Logs “Coalesced 10 redundant queries from Agent A.”
  • 11:31 Agent B starts the analytics aggregation. Vigil sees it competing with Agent A’s hammering and throttles Agent A first — Agent A is in a low-priority pool.
  • 11:31 Production web traffic is isolated in a separate rate-limit pool entirely. Untouched.
  • 11:32 Postgres CPU stays at 30%. Customers don’t notice anything.
  • 12:00 You glance at the Vigil dashboard out of curiosity: Agent A: 437 queries → 89 actually executed (348 deduplicated, 0 rate-limited). Agent B: 14 queries → 14 executed. Production: unaffected.
  • 12:05 You realize you saved yourself a war room.

Not glamorous. Deeply useful.
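
The 11:30 exchange above, as an added example (not Vigil's implementation): identical reads inside a TTL are answered from cache and counted. The TTL, the cache key layout and the flush-on-write rule are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type entry struct {
	result  string
	expires time.Time
}

// Coalescer answers repeated identical reads from a short-lived cache.
// Callers must serialize access; a proxy would guard it with a mutex.
type Coalescer struct {
	TTL                    time.Duration
	Run                    func(query string, args []any) string // reaches the real data store
	Executed, Deduplicated int
	cache                  map[string]entry
}

// Query returns the result of agent's query as of time now.
func (c *Coalescer) Query(now time.Time, agent, query string, args ...any) string {
	norm := strings.TrimSpace(query)
	isRead := strings.HasPrefix(strings.ToUpper(norm), "SELECT ")
	if c.cache == nil || !isRead {
		c.cache = map[string]entry{} // a write can stale any cached read: drop them all
	}
	// Agent ID and bound values are part of the key: hits never cross agents or lookups.
	key := fmt.Sprintf("%q|%q|%#v", agent, norm, args)
	if e, ok := c.cache[key]; ok && now.Before(e.expires) {
		c.Deduplicated++
		return e.result
	}
	c.Executed++
	res := c.Run(norm, args)
	if isRead {
		c.cache[key] = entry{res, now.Add(c.TTL)}
	}
	return res
}

func main() {
	c := &Coalescer{TTL: 5 * time.Second, Run: func(string, []any) string { return "row" }}
	for i := 0; i < 11; i++ { // constructed replay of Agent A's repeated lookup
		c.Query(time.Unix(0, 0), "agent-a", "SELECT * FROM users WHERE email = ?", "a@example.com")
	}
	fmt.Printf("Coalesced %d redundant queries from agent-a\n", c.Deduplicated)
}
```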

Where we sit

In the request path, not adjacent to it.

Orchestration, observability, and identity tools watch agents from the side. Vigil is in the line between every agent request and the system that answers it.

[Diagram: Vigil sits in the request path; adjacent tools sit beside it. Agents: Claude Code · Cursor · Codex · Copilot · Cline · and more. Adjacent: Orchestration (spawns and routes agents), Observability (watches what agents did), Identity (knows who agents are). Vigil: agent-aware data plane (identity · rate-limit · coalesce · blast-radius · audit). Your systems: postgres · redis · APIs · gRPC · services. In the request path, not adjacent to it.]

Early access

First in line when v1 ships.

Vigil ships as a single Go binary you drop between an agent and your data store. v0.1.0d delivers identity, rate limiting, fan-out coalescing, and a signed audit trail; blast-radius policy enforcement is the next milestone. Free for individuals; paid tiers when you need team policy + cloud retention.
