Skip to content

goderash/leash

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

34 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ• leash

Keep your coding agent on a leash.
Block the destructive command before it runs. Cap the runaway session. Keep a tamper-evident record of everything your AI agent did β€” and undo it with one command.

Works with Claude Code, Codex, Cursor, Gemini CLI, OpenCode β€” any harness with hooks.

rm -rf ~ Β· git push --force Β· DROP TABLE Β· curl … | sh Β· writes to .env β€” blocked, not apologized for.

npm license node dependencies stars


The problem

You let your coding agent run autonomously. It's brilliant 95% of the time. The other 5% it force-pushes over main, rm -rfs the wrong directory, overwrites your .env, or burns $40 looping on a bad idea β€” and you find out after.

Prompts that say "please be careful" don't help. The agent can ignore a prompt.

leash can't be ignored. It's wired into the agent's actual enforcement point β€” a PreToolUse hook β€” so it inspects every action before it executes and stops the dangerous ones cold.

What it does

  • πŸ›‘ Blocks destructive actions β€” rm -rf //~/wildcards, git push --force, git reset --hard, DROP TABLE, terraform destroy, mkfs, fork bombs, curl … | sh, writes to .env / SSH keys / .git.
  • ⏸️ Caps runaway sessions β€” set a hard ceiling on actions per session.
  • 🧾 Records a tamper-evident log β€” every action chained with SHA-256, so leash verify proves nothing was edited, deleted, or reordered after the fact.
  • ↩️ Undo β€” leash undo restores the last files the agent touched from snapshots.
  • πŸ–₯️ Flight recorder β€” leash report renders a shareable single-file HTML of everything the agent did.

It's zero-dependency (Node's built-in TypeScript + crypto) and local-first. Your code and logs never leave your machine.

Install

npm install -g leash-agent

Runs on stock Node 20+ β€” no flags, no runtime dependencies.

Quick start

# from your project root
leash init

leash init scaffolds .leash/ and prints a hook block. Drop it into .claude/settings.json (project) or ~/.claude/settings.json (global):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash|Write|Edit|MultiEdit|NotebookEdit",
        "hooks": [{ "type": "command", "command": "leash hook" }]
      }
    ]
  }
}

Now run your agent. That's it.

πŸ• leash blocked this: Force-push rewrites shared history. Use --force-with-lease, or push to a branch.

See what your agent did

leash status          # actions, blocks, chain integrity
leash log 20          # recent actions
leash report          # β†’ .leash/report.html  (the flight recorder)
leash verify          # prove the log wasn't tampered with
leash undo 3          # restore the last 3 files the agent changed
leash check 'rm -rf ~/repo'   # dry-run any command against your policy

Configure (optional)

Everything works with safe defaults. To tune, edit .leash/leash.config.json:

{
  "deny": ["**/.env", "**/*.pem", "**/.git/**", "infra/prod/**"],
  "ask": ["**/migrations/**"],
  "blockCommands": true,
  "allowCommands": ["git push --force-with-lease"],
  "maxActionsPerSession": 300
}
  • deny / ask β€” file-path globs that block / hold writes for review
  • blockCommands β€” toggle the built-in destructive-command patterns
  • allowCommands β€” substrings that force-allow a command (escape hatch)
  • maxActionsPerSession β€” hard ceiling on actions (0 = unlimited)

How it works

agent wants to act
        β”‚
        β–Ό
  PreToolUse hook ──► leash policy ──► allow β”‚ ask β”‚ BLOCK
        β”‚                   β”‚
        β”‚                   └──► append signed receipt to .leash/ledger.jsonl
        β–Ό
   (allowed actions proceed; snapshots taken first, so they're undoable)

The policy engine and SHA-256 hash chain are battle-tested primitives β€” the same tamper-evident ledger pattern used in production agent-governance systems.

Why "tamper-evident" matters

The log is a hash chain: each receipt's hash includes the previous one. If the agent (or anyone) rewrites history to hide what it did, the chain breaks and leash verify tells you exactly where. Your record of what the agent did is one thing the agent can't quietly edit.

Roadmap

  • Per-command token/$ budgets (today: action-count caps)
  • Codex / Cursor / Gemini CLI first-class adapters
  • leash watch live TUI
  • Hosted team dashboard: shared policies, org-wide audit log, anomaly alerts

Run from a clone (no global install)

git clone https://github.com/goderash/leash && cd leash && npm install
npm run dev -- status
# hook command for settings.json:
#   node --experimental-strip-types --disable-warning=ExperimentalWarning /abs/path/leash/bin/leash.ts hook

Contributing

New destructive-command patterns, harness adapters, and bug fixes are very welcome β€” see CONTRIBUTING.md. Found a bypass? Please report it privately per SECURITY.md.

License

MIT. Put your agents on a leash β€” not in a cage.

About

No description, website, or topics provided.

Resources

License

Code of conduct

Contributing

Security policy

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors