This page gets you from zero to a live, blocked tool call in about two minutes. For a more detailed setup walkthrough, see Installation.
Prerequisites: macOS (arm64 or amd64). Claude Code is the only supported agent today; Codex and Cursor support is not yet available.
1. Install agentjail
curl -fsSL https://agentjail.io/install.sh | shThis downloads the release tarball, verifies its SHA256 checksum, and installs
the agentjail binaries to ~/.agentjail/bin/.
2. Confirm the install
agentjail --versionThen check that the default policies are loaded:
agentjail policy listYou should see the core policies (such as file_policy) listed in the output.
3. Wire it into Claude Code
agentjail install --for claude-codeThis starts the background daemon (agentjail-daemon) and registers
agentjail-hook as a PreToolUse hook in ~/.claude/settings.json. From
this point on, every tool call Claude Code is about to make is evaluated against
your policy before it runs. Denied calls never reach the shell.
4. See a denial in action
With the daemon running, pipe a PreToolUse payload directly to agentjail-hook
to confirm the policy is working:
echo '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"rm -rf ~/.ssh/"}}' \
| agentjail-hookYou should get a nonzero exit code and a message like:
DENY: Blocked: command targets sensitive path ~/.ssh/The call is blocked. Because agentjail-hook is wired into Claude Code’s
PreToolUse hook, the same evaluation happens automatically for every tool call
Claude Code tries to make.
Next steps
- How it works: understand the tool-call boundary and how evaluation runs offline.
- Installation: the full setup guide, including binary paths and policy bundle details.