failproofai
agent
Warn
Health Warn
- License — License: NOASSERTION
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 6 GitHub stars
Code Warn
- process.env — Environment variable access in __tests__/actions/get-telemetry-config.test.ts
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This tool acts as a reliability and policy enforcement layer for AI agents (specifically Claude Code and the Agents SDK). It intercepts tool calls to block destructive commands, prevent secret leakage, enforce project boundaries, and provides a local dashboard to monitor agent sessions.
Security Assessment
Overall Risk: Medium
The tool inherently requires deep system access to do its job. It executes as a hook inside your Claude settings, meaning it intercepts and reads every tool call your agent makes. The codebase accesses environment variables (specifically found in test files), which is expected for configuration, but users should ensure no production secrets are exposed in testing environments. The documentation claims everything runs locally with no data leaving your machine, which is a strong privacy positive. However, the automated scan returned "NOASSERTION" for the license, while the README claims a "MIT + Commons Clause" license. The Commons Clause restricts selling the software, making it technically source-available rather than truly open-source. No hardcoded secrets or dangerous network requests were detected.
Quality Assessment
Maintenance: Active. The repository received a push today, indicating ongoing development.
License: Conflicts between automated scanning and documentation suggest slight metadata inconsistency, though MIT + Commons Clause is stated in the README.
Community: Very early stage. With only 6 GitHub stars, the project has extremely low visibility and minimal community testing.
CI/CD: Automated testing is integrated and actively running.
Verdict
Use with caution — the concept is highly useful for agent safety, but the low community adoption and deep system hook integration mean you should thoroughly audit its behavior before deploying it in sensitive environments.
This tool acts as a reliability and policy enforcement layer for AI agents (specifically Claude Code and the Agents SDK). It intercepts tool calls to block destructive commands, prevent secret leakage, enforce project boundaries, and provides a local dashboard to monitor agent sessions.
Security Assessment
Overall Risk: Medium
The tool inherently requires deep system access to do its job. It executes as a hook inside your Claude settings, meaning it intercepts and reads every tool call your agent makes. The codebase accesses environment variables (specifically found in test files), which is expected for configuration, but users should ensure no production secrets are exposed in testing environments. The documentation claims everything runs locally with no data leaving your machine, which is a strong privacy positive. However, the automated scan returned "NOASSERTION" for the license, while the README claims a "MIT + Commons Clause" license. The Commons Clause restricts selling the software, making it technically source-available rather than truly open-source. No hardcoded secrets or dangerous network requests were detected.
Quality Assessment
Maintenance: Active. The repository received a push today, indicating ongoing development.
License: Conflicts between automated scanning and documentation suggest slight metadata inconsistency, though MIT + Commons Clause is stated in the README.
Community: Very early stage. With only 6 GitHub stars, the project has extremely low visibility and minimal community testing.
CI/CD: Automated testing is integrated and actively running.
Verdict
Use with caution — the concept is highly useful for agent safety, but the low community adoption and deep system hook integration mean you should thoroughly audit its behavior before deploying it in sensitive environments.
Catch and Kill Agent Failures
README.md
______ _ __ ____ ___ ____
/ ____/___ _(_) /___ _________ ____ / __/ / | / _/
/ /_ / __ `/ / / __ \/ ___/ __ \/ __ \/ /_ / /| | / /
/ __/ / /_/ / / / /_/ / / / /_/ / /_/ / __/ / ___ |_/ /
/_/ \__,_/_/_/ .___/_/ \____/\____/_/ /_/ |_/___/
/_/
Failproof AI
The easiest way to manage policies that keep your AI agents reliable, on-task, and running autonomously - for Claude Code & the Agents SDK.
- 26 Built-in Policies - Catch common agent failure modes out of the box. Block destructive commands, prevent secret leakage, keep agents inside project boundaries, detect loops, and more.
- Custom Policies - Write your own reliability rules in JavaScript. Use the
allow/deny/instructAPI to enforce conventions, prevent drift, gate operations, or integrate with external systems. - Easy Configuration - Tune any policy without writing code. Set allowlists, protected branches, thresholds per-project or globally. Three-scope config merges automatically.
- Agent Monitor - See what your agents did while you were away. Browse sessions, inspect every tool call, and review exactly where policies fired.
Everything runs locally - no data leaves your machine.
Requirements
- Node.js >= 20.9.0
- Bun >= 1.3.0 (optional - only needed for development / building from source)
Install
npm install -g failproofai
# or
bun add -g failproofai
Quick start
1. Enable policies globally
failproofai policies --install
Writes hook entries into ~/.claude/settings.json. Claude Code will now invoke failproofai before and after each tool call.
2. Launch the dashboard
failproofai
Opens http://localhost:8020 - browse sessions, inspect logs, manage policies.
3. Check what's active
failproofai policies
Policy installation
Scopes
| Scope | Command | Where it writes |
|---|---|---|
| Global (default) | failproofai policies --install |
~/.claude/settings.json |
| Project | failproofai policies --install --scope project |
.claude/settings.json |
| Local | failproofai policies --install --scope local |
.claude/settings.local.json |
Install specific policies
failproofai policies --install block-sudo block-rm-rf sanitize-api-keys
Remove policies
failproofai policies --uninstall
# or for a specific scope:
failproofai policies --uninstall --scope project
Configuration
Policy configuration lives in ~/.failproofai/policies-config.json (global) or .failproofai/policies-config.json in your project (per-project).
{
"enabledPolicies": [
"block-sudo",
"block-rm-rf",
"sanitize-api-keys",
"block-push-master",
"block-env-files",
"block-read-outside-cwd"
],
"policyParams": {
"block-sudo": {
"allowPatterns": ["sudo systemctl status", "sudo journalctl"]
},
"block-push-master": {
"protectedBranches": ["main", "release", "prod"]
},
"sanitize-api-keys": {
"additionalPatterns": [
{ "regex": "myco_[A-Za-z0-9]{32}", "label": "MyCo API key" }
]
},
"warn-large-file-write": {
"thresholdKb": 512
}
}
}
Three config scopes are merged automatically (project → local → global). See docs/configuration.mdx for full merge rules.
Built-in policies
| Policy | Description | Configurable |
|---|---|---|
block-sudo |
Prevent agents from running privileged system commands | allowPatterns |
block-rm-rf |
Prevent accidental recursive file deletion | allowPaths |
block-curl-pipe-sh |
Prevent agents from piping untrusted scripts to shell | |
block-failproofai-commands |
Prevent self-uninstallation | |
sanitize-jwt |
Stop JWT tokens from leaking into agent context | |
sanitize-api-keys |
Stop API keys from leaking into agent context | additionalPatterns |
sanitize-connection-strings |
Stop database credentials from leaking into agent context | |
sanitize-private-key-content |
Redact PEM private key blocks from output | |
sanitize-bearer-tokens |
Redact Authorization Bearer tokens from output | |
block-env-files |
Keep agents from reading .env files | |
protect-env-vars |
Prevent agents from printing environment variables | |
block-read-outside-cwd |
Keep agents inside project boundaries | allowPaths |
block-secrets-write |
Prevent writes to private key and certificate files | additionalPatterns |
block-push-master |
Prevent accidental pushes to main/master | protectedBranches |
block-work-on-main |
Keep agents off protected branches | protectedBranches |
block-force-push |
Prevent git push --force |
|
warn-git-amend |
Remind agents before amending commits | |
warn-git-stash-drop |
Remind agents before dropping stashes | |
warn-all-files-staged |
Catch accidental git add -A |
|
warn-destructive-sql |
Catch DROP/DELETE SQL before execution | |
warn-schema-alteration |
Catch ALTER TABLE before execution | |
warn-large-file-write |
Catch unexpectedly large file writes | thresholdKb |
warn-package-publish |
Catch accidental npm publish |
|
warn-background-process |
Catch unintended background process launches | |
warn-global-package-install |
Catch unintended global package installs | |
| …and more |
Full policy details and parameter reference: docs/built-in-policies.mdx
Custom policies
Write your own policies to keep agents reliable and on-task:
import { customPolicies, allow, deny, instruct } from "failproofai";
customPolicies.add({
name: "no-production-writes",
description: "Block writes to paths containing 'production'",
match: { events: ["PreToolUse"] },
fn: async (ctx) => {
if (!["Write", "Edit"].includes(ctx.toolName ?? "")) return allow();
const path = ctx.toolInput?.file_path ?? "";
if (path.includes("production")) return deny("Writes to production paths are blocked");
return allow();
},
});
Install with:
failproofai policies --install --custom ./my-policies.js
Decision helpers
| Function | Effect |
|---|---|
allow() |
Permit the tool call |
deny(message) |
Block the tool call; message shown to Claude |
instruct(message) |
Add context to Claude's prompt; does not block |
Context object (ctx)
| Field | Type | Description |
|---|---|---|
eventType |
string |
"PreToolUse", "PostToolUse", "Notification", "Stop" |
toolName |
string |
Tool being called ("Bash", "Write", "Read", …) |
toolInput |
object |
Tool's input parameters |
payload |
object |
Full raw event payload |
session.cwd |
string |
Working directory of the Claude Code session |
session.sessionId |
string |
Session identifier |
session.transcriptPath |
string |
Path to the session transcript file |
Custom hooks support transitive local imports, async/await, and access to process.env. Errors are fail-open (logged to ~/.failproofai/hook.log, built-in policies continue). See docs/custom-hooks.mdx for the full guide.
Telemetry
Failproof AI collects anonymous usage telemetry via PostHog to understand feature usage. No session content, file names, tool inputs, or personal information is ever sent.
Disable it:
FAILPROOFAI_TELEMETRY_DISABLED=1 failproofai
Documentation
| Guide | Description |
|---|---|
| Getting Started | Installation and first steps |
| Built-in Policies | All 26 built-in policies with parameters |
| Custom Hooks | Write your own policies |
| Configuration | Config file format and scope merging |
| Dashboard | Monitor sessions and review policy activity |
| Architecture | How the hook system works |
| Testing | Running tests and writing new ones |
Contributing
See CONTRIBUTING.md.
License
See LICENSE.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found