Non-custodial spend governance for autonomous AI agents.
Budget caps, scoped credentials, kill-switch, signed audit trail. Bitcoin Lightning and stablecoins. MCP-native.
Autonomous AI agents now discover services, buy compute, and pay other agents on their own. The moment you give an agent a wallet, one prompt injection, one dependency exploit, or one runaway loop can drain it. Probabilistic guardrails in the model are not a control. You need a deterministic gate between the agent and the money.
leashd is a bouncer with a rulebook standing between your AI agent and your funds. The agent asks to pay, leashd checks your policy (budget left, recipient allowed, under the limit, kill-switch off), then authorises or blocks it, and writes every decision to a signed log. It is non-custodial: leashd runs on your own machine and holds your wallet connection locally. It never touches your funds or keys.
```
AI agent ──pay 50 sat──▶ leashd (your machine)
                           │  check policy (caps · allowlist · rate · kill-switch)
                           ├─ allowed ─▶ your wallet (NWC) ──▶ api.foo.com
                           ├─ capped / denied ─▶ structured refusal to the agent
                           └─ signed audit event ──▶ control plane feed
```
The agent never gets your wallet. It gets a policy-gated pay tool over MCP that points at leashd. Funds settle directly between your own wallet and the counterparty. leashd sits in the policy path, never the custody path.
| Control | What it does |
| --- | --- |
| Budget caps | per transaction, per task, rolling hourly / daily / monthly |
| Scoped credentials | allowlists and denylists for endpoints, domains, Lightning addresses, mints |
| Rate limits | cap transactions per window |
| Time windows | only let agents spend when you allow |
| Approval thresholds | human-in-the-loop above a value you set |
| Graded shutdown | a dimmer, not just a kill-switch: attenuate scope, drop tools, escalate approvals |
| Signed audit trail | append-only, tamper-evident, exportable. EU AI Act Article 12 grade |
| Multi-rail | Bitcoin Lightning and L402, Cashu ecash, stablecoins over x402. BTC-first |
| MCP-native | drops into Claude Code or any MCP host |
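
A minimal sketch of the deterministic gate and tamper-evident log described above, as an added example rather than leashd's own code. The `Policy` and `AuditEvent` shapes, the refusal codes and the `Gate` / `verifyLog` names are assumptions, and an HMAC chain stands in for the signature scheme, which this page does not specify.

```typescript
import { createHmac } from "node:crypto";

// Hypothetical policy and event shapes for illustration; not leashd's schema.
type Policy = { killSwitch: boolean; allow: string[]; perTxSat: number;
  hourlySat: number; maxTxPerHour: number };
type AuditEvent = { ts: number; to: string; sat: number; code: string;
  prev: string; mac: string };
const HOUR_MS = 3600000;

// HMAC over (event fields + previous MAC); stands in for a real signature.
function macOf(key: string, e: Omit<AuditEvent, "mac">): string {
  const body = JSON.stringify([e.ts, e.to, e.sat, e.code, e.prev]);
  return createHmac("sha256", key).update(body).digest("hex");
}

class Gate {
  readonly log: AuditEvent[] = [];
  private spent: { ts: number; sat: number }[] = [];
  private head = "genesis";
  private policy: Policy; private key: string;
  constructor(policy: Policy, key: string) { this.policy = policy; this.key = key; }
  // Checks run in a fixed order and fail closed; denials are logged too.
  decide(to: string, sat: number, now: number): { ok: boolean; code: string } {
    const p = this.policy;
    const recent = this.spent.filter((s) => now - s.ts < HOUR_MS);
    const used = recent.reduce((sum, s) => sum + s.sat, 0);
    let code = "allowed";
    if (p.killSwitch) code = "kill_switch";
    else if (!Number.isSafeInteger(sat) || sat <= 0) code = "bad_amount";
    else if (!p.allow.includes(to)) code = "recipient_not_allowed";
    else if (sat > p.perTxSat) code = "over_per_tx_cap";
    else if (recent.length >= p.maxTxPerHour) code = "rate_limited";
    else if (used + sat > p.hourlySat) code = "over_hourly_budget";
    if (code === "allowed") this.spent = [...recent, { ts: now, sat }];
    const mac = macOf(this.key, { ts: now, to, sat, code, prev: this.head });
    this.log.push({ ts: now, to, sat, code, prev: this.head, mac });
    this.head = mac;
    return { ok: code === "allowed", code };
  }
}

// Recompute the chain; editing, reordering or removing a non-final event breaks it.
function verifyLog(log: AuditEvent[], key: string): boolean {
  let prev = "genesis";
  for (const e of log) {
    if (e.prev !== prev || macOf(key, e) !== e.mac) return false;
    prev = e.mac;
  }
  return true;
}
```

A chain like this does not detect truncation of the most recent events on its own; that requires the latest MAC to be anchored somewhere the local machine cannot rewrite, such as a remote audit feed.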
```sh
# install the sidecar
curl -fsSL https://leashd.dev/install.sh | sh

# run it with your env (token + control plane URL)
LEASH_AGENT_TOKEN=lsh_live_xxxxxxxx \
LEASH_API_URL=https://leashd.dev \
leashd
```

Wire it into Claude Code via `.mcp.json`:
```json
{
  "mcpServers": {
    "leashd": {
      "command": "leashd",
      "args": ["--mcp"],
      "env": {
        "LEASH_AGENT_TOKEN": "lsh_live_xxxxxxxx",
        "LEASH_API_URL": "https://leashd.dev"
      }
    }
  }
}
```

Then create a workspace and agent, set a policy, and your agent's pay calls are policy-gated. Full guide at leashd.dev/docs.
leashd is open core. The local sidecar and the policy engine are open source under AGPL-3.0. The hosted control plane (policy authoring, audit aggregation, team, billing) is available at leashd.dev, and a commercial license is available (see COMMERCIAL.md).
```
packages/
  leash-core/   deterministic policy engine + shared contract (zod)
  leashd/       the local sidecar: MCP server, governor, rail adapters, audit
apps/
  web/          the control plane (Next.js)
```
Stack: TypeScript, Next.js, Turborepo, Drizzle, node:sqlite. Zero native build for the sidecar.
You hold the keys. leashd holds the policy. The control plane stores only policies and the audit log, never funds or keys. Even a full compromise of leashd, or of the control plane, cannot move your money, because the keys never leave your machine. leashd is not a money transmitter.
- Lightning / L402 rail, policy engine, MCP server, signed audit
- Cashu ecash rail
- x402 / stablecoin rail
- Approval workflow UI, team and RBAC, alerting
PRs welcome. See CONTRIBUTING.md. The one invariant you must never break: leashd stays non-custodial. Report vulnerabilities per SECURITY.md.
leashd is built in the open by an indie solo-dev. If it saves your agents from spending your sats, send some back:
⚡ leashd@walletofsatoshi.com (TODO: replace with the real Lightning address)
A GitHub sponsor button is set up via .github/FUNDING.yml.
AGPL-3.0. Commercial licenses available, see COMMERCIAL.md.
Built by BrainBytes Studio, an indie solo-dev shop.