Keep your coding agent on a leash.
Block the destructive command before it runs. Cap the runaway session. Keep a
tamper-evident record of everything your AI agent did β and undo it with one command.
Works with Claude Code, Codex, Cursor, Gemini CLI, OpenCode β any harness with hooks.
rm -rf ~ Β· git push --force Β· DROP TABLE Β· curl β¦ | sh Β· writes to .env β blocked, not apologized for.
You let your coding agent run autonomously. It's brilliant 95% of the time. The
other 5% it force-pushes over main, rm -rfs the wrong directory, overwrites
your .env, or burns $40 looping on a bad idea β and you find out after.
Prompts that say "please be careful" don't help. The agent can ignore a prompt.
leash can't be ignored. It's wired into the agent's actual enforcement
point β a PreToolUse hook β so it inspects every action before it executes
and stops the dangerous ones cold.
- π Blocks destructive actions β
rm -rf //~/wildcards,git push --force,git reset --hard,DROP TABLE,terraform destroy,mkfs, fork bombs,curl β¦ | sh, writes to.env/ SSH keys /.git. - βΈοΈ Caps runaway sessions β set a hard ceiling on actions per session.
- π§Ύ Records a tamper-evident log β every action chained with SHA-256, so
leash verifyproves nothing was edited, deleted, or reordered after the fact. - β©οΈ Undo β
leash undorestores the last files the agent touched from snapshots. - π₯οΈ Flight recorder β
leash reportrenders a shareable single-file HTML of everything the agent did.
It's zero-dependency (Node's built-in TypeScript + crypto) and local-first. Your code and logs never leave your machine.
npm install -g leash-agentRuns on stock Node 20+ β no flags, no runtime dependencies.
# from your project root
leash initleash init scaffolds .leash/ and prints a hook block. Drop it into
.claude/settings.json (project) or ~/.claude/settings.json (global):
{
"hooks": {
"PreToolUse": [
{
"matcher": "Bash|Write|Edit|MultiEdit|NotebookEdit",
"hooks": [{ "type": "command", "command": "leash hook" }]
}
]
}
}Now run your agent. That's it.
π leash blocked this: Force-push rewrites shared history. Use --force-with-lease, or push to a branch.
leash status # actions, blocks, chain integrity
leash log 20 # recent actions
leash report # β .leash/report.html (the flight recorder)
leash verify # prove the log wasn't tampered with
leash undo 3 # restore the last 3 files the agent changed
leash check 'rm -rf ~/repo' # dry-run any command against your policyEverything works with safe defaults. To tune, edit .leash/leash.config.json:
{
"deny": ["**/.env", "**/*.pem", "**/.git/**", "infra/prod/**"],
"ask": ["**/migrations/**"],
"blockCommands": true,
"allowCommands": ["git push --force-with-lease"],
"maxActionsPerSession": 300
}deny/askβ file-path globs that block / hold writes for reviewblockCommandsβ toggle the built-in destructive-command patternsallowCommandsβ substrings that force-allow a command (escape hatch)maxActionsPerSessionβ hard ceiling on actions (0= unlimited)
agent wants to act
β
βΌ
PreToolUse hook βββΊ leash policy βββΊ allow β ask β BLOCK
β β
β ββββΊ append signed receipt to .leash/ledger.jsonl
βΌ
(allowed actions proceed; snapshots taken first, so they're undoable)
The policy engine and SHA-256 hash chain are battle-tested primitives β the same tamper-evident ledger pattern used in production agent-governance systems.
The log is a hash chain: each receipt's hash includes the previous one. If the
agent (or anyone) rewrites history to hide what it did, the chain breaks and
leash verify tells you exactly where. Your record of what the agent did is one
thing the agent can't quietly edit.
- Per-command token/$ budgets (today: action-count caps)
- Codex / Cursor / Gemini CLI first-class adapters
leash watchlive TUI- Hosted team dashboard: shared policies, org-wide audit log, anomaly alerts
git clone https://github.com/goderash/leash && cd leash && npm install
npm run dev -- status
# hook command for settings.json:
# node --experimental-strip-types --disable-warning=ExperimentalWarning /abs/path/leash/bin/leash.ts hookNew destructive-command patterns, harness adapters, and bug fixes are very welcome β see CONTRIBUTING.md. Found a bypass? Please report it privately per SECURITY.md.
MIT. Put your agents on a leash β not in a cage.