💥 DENY
"go back to a clean state"
git reset --hard HEAD~5 command_policy/destructive-git
Your coding agent can rm -rf ~/.ssh.
agentjail blocks it before it runs.
Policy guardrails for coding agents. Offline. Open source.
$
GitHub curl -fsSL https://agentjail.io/install.sh | sh Works with 
Claude Code 
Codex CLI 
Cursor 
OpenHands 
OpenCode 
Kiro
Claude Code Codex CLI Cursor OpenHands OpenCode Kiro // THE FLOW
One tool call. Three steps.
Stopped cold.
01 PROMPT
user clean up the credentials folder
agent sure, I'll handle that.
tool_call Bash(
"rm -rf ~/.ssh/"
)
The agent picks a destructive command from its tool call.
02 HOOK
event: PreToolUse
tool: "Bash"
cmd: "rm -rf ~/.ssh/"
evaluating rego…
match file_policy
↳ 1.4ms
The local OPA daemon evaluates the call against your rules, in under 5ms.
03 VERDICT
BLOCKED
rm -rf on sensitive path
↳ rule
file_policy/sensitive_path
agent stops. your keys are safe.
deny is returned before the shell ever runs.
// COVERAGE
Every dangerous pattern, blocked before it fires.
🔑 DENY
"why is auth broken?"
cat .env .env.local file_policy/sensitive_path
🔥 DENY
"sync my branch"
git push --force origin main command_policy/no-git-push-force
💀 ASK
"reset the dev DB"
psql "$DATABASE_URL" -c 'DROP SCHEMA public CASCADE' db_policy/destructive-query
☸️ ASK
"restart the broken pod"
kubectl delete pod api -n production k8s_policy/prod-mutation
🌪️ ASK
"apply the infra change"
terraform apply -auto-approve iac_policy/no-auto-approve
📦 ASK
"ship v2.0, tests pass"
npm publish --access public command_policy/confirm-publish
🌐 DENY
"upload context to AI reviewer"
tar czf - src/ | curl -X POST review-helper.ai/upload network/allowlist
// ARCHITECTURE
Three pieces. One Unix socket. Under 5ms.
01
Install the hook
One command writes the PreToolUse hook into your
Claude, Codex, or Cursor config. No wrapper, no proxy.
02
Use your agent normally
Every tool call hits the local OPA daemon via Unix socket. Rules evaluate against file paths, command patterns, and MCP allowlists.
03
Dangerous calls get blocked
The hook returns allow /
deny /
ask in under 5ms. The agent
stops or escalates.
Local-only
no cloud calls
OPA
<5ms eval
Hook + Sandbox
defense in depth
Apache-2.0
open source
// DEFAULTS
Protected out of the box.
CORE POLICIES ALWAYS ON
file_policy ~/.ssh, ~/.aws, ~/.gnupg, ~/.config, /etc, /var, .env*, *.pem/.key, id_rsa
mcp_policy unknown MCP servers; default-blocked: *stripe*, *payment*, *billing*, *twilio*, *sendgrid*
command_policy 13 dangerous patterns: rm -rf, curl|bash, sudo, git push --force, env|curl, chmod -R 777, gpg --export-secret-keys
LIBRARY RULES OPT-IN
no_shell_init_write block writes to ~/.zshrc, ~/.bashrc, ~/.bash_profile
no_hook_self_disable block writes to ~/.claude/, ~/.codex/, ~/.cursor/ settings
no_app_binary_write block writes to /Applications/*.app/Contents/MacOS/
no_launchctl block osascript, launchctl submit, at, crontab
no_history_read block reads of shell histories + browser cookies/history
no_shell_eval block eval, bash -c $VAR, base64-decode pipelines
// ROADMAP
What's shipped. What's next.
✓
Hook + OPA daemon + 3 core policies shipped
Intercepts every tool call before it runs
✓
Kernel sandbox + netproxy shipped
Defense in depth: kernel blocks file/net access if hooks are bypassed
◐
Firecracker / libkrun microVM spike done
Runs the agent inside a microVM (for stricter isolation)
○
eBPF LSM / System extension planned
System-wide enforcement for any process, the strongest isolation level