OpenAgentLock
Health Warn
- License — License: NOASSERTION
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Warn
- fs module — File system access in cli/package.json
Permissions Pass
- Permissions — No dangerous permissions requested
This tool acts as a locally-hosted firewall for AI coding agents. It intercepts and gates risky tool calls using a deterministic YAML policy, logging every decision into a tamper-evident Merkle ledger.
Security Assessment
The daemon is designed to monitor your file system and local AI tools, which naturally requires reading sensitive local data to function. Installation involves a CLI package that includes file system access. While no hardcoded secrets or dangerous broad permissions were detected, users must exercise caution with the startup passphrase shown in the documentation. It binds exclusively to localhost (127.0.0.1), keeping external network exposure to a minimum. Overall risk is rated as Medium due to the highly sensitive nature of the local system access required to fulfill its core role as a security gate.
Quality Assessment
The project is very new and currently has low community visibility with only 5 stars. However, it shows strong signs of professional maintenance, featuring active CI pipelines, Docker publishing workflows, and comprehensive documentation. The repository lacks a standardized SPDX license identifier, noting it simply as "NOASSERTION," although badges indicate the use of FSL-1.1-Apache-2.0. You should verify this license to ensure it aligns with your commercial or open-source needs before adopting it.
Verdict
Use with caution — the architecture is solid and well-documented, but the project's early stage and low adoption mean it should be thoroughly evaluated before being deployed in critical production environments.
A locally-hosted, open-source firewall for AI coding agents. Detects local agent harnesses, gates risky tool calls via deterministic YAML policy, and signs every decision into a tamper-evident Merkle ledger.
OpenAgentLock detects local AI coding agent harnesses (Claude Code, Codex CLI, Cursor, OpenCode, Cline, Gemini CLI, Continue.dev, VS Code Copilot), gates risky tool calls with a deterministic YAML policy, and anchors every decision in a tamper-evident Merkle ledger. Install once and keep working in your harness as normal — your workflow does not change.
Quick start
```bash
# 1. Pull and start the daemon
docker pull ghcr.io/openagentlock/agentlockd:latest
docker run -d --name agentlock \
  -p 127.0.0.1:7878:7878 \
  -p 127.0.0.1:7879:7879 \
  -v agentlock-state:/var/lib/agentlock \
  ghcr.io/openagentlock/agentlockd:latest

# 2. Install the CLI
npm i -g @openagentlock/cli
# or: bun add -g @openagentlock/cli

# 3. Enroll a signer (TOTP — recommended for prod)
agentlock signer enroll --tier totp --passphrase 'your-passphrase-here'
# scan the otpauth:// QR with Google Authenticator / 1Password / Authy.

# 4. Wire your harnesses with a TOTP-attested session
agentlock detect
agentlock install --tier totp --code 123456 --passphrase 'your-passphrase-here'
```
For a quick eval without a signer (dev only): start the daemon with `-e AGENTLOCK_ALLOW_UNATTESTED=1`, then run `agentlock install` (defaults to unattested).
Open the local web dashboard at http://127.0.0.1:7879/.
Full walkthrough at https://openagentlock.github.io/OpenAgentLock/guide/getting-started/.
Community rules registry
Need more gates than the five baseline ones? Browse the community catalog at https://openagentlock.github.io/rules/ — secret reads, force-push to shared branches, network exfil, untrusted eval. Install with one command:
```bash
agentlock rules sync
agentlock rules search exfil
agentlock rules install rogue.secret-read
```
Or run your own private registry — any Git repo with the same layout works. Source: openagentlock/rules.
For agents that need to author new rules from natural-language intent, see openagentlock/skills — Claude Code / Cursor / Codex skills that drive the agentlock rules CLI.
What ships today
| Surface | Status |
|---|---|
| `agentlock detect` | |
| `agentlock install` (Claude Code, Codex CLI, Cursor) | |
| `agentlock install --tier {unattested,software,totp}` | |
| `agentlock install` (OpenCode, Cline, Gemini CLI, Continue, VS Code Copilot) | |
| Five baseline gates in monitor mode | |
| Tamper-evident Merkle ledger | |
| Local web dashboard | |
| Software + TOTP signers (with `signer enroll` + `session mint`) | |
| OS keychain signer, hardware-key (YubiKey PIV / FIDO2) | |
| OIDC SSO + RBAC + LDAP | |
| Signed PDF audit report | |
The complete shipped/not-yet matrix lives at https://openagentlock.github.io/OpenAgentLock/status/.
How it works
```mermaid
flowchart LR
  subgraph host["Your host"]
    H["Agent harness<br/><i>Claude Code · Codex CLI · Cursor</i>"]
    CLI["agentlock CLI<br/><i>owns long-lived signing key</i>"]
  end
  subgraph docker["Docker (127.0.0.1)"]
    CP[":7878 control plane<br/><i>policy · install · ledger appender</i>"]
    DB[":7879 web dashboard"]
    L[("Merkle ledger<br/>Rust crate via FFI")]
  end
  H -->|"pre-tool hook"| CP
  CP -->|"verdict<br/>allow / deny"| H
  CLI -->|"signed session"| CP
  CP --> L
  CP --- DB
```
Three languages, one repo:
- `cli/` — TypeScript on Bun, runs on your host. Owns the long-lived signing key.
- `control-plane/` — Go HTTP service in Docker. Evaluates policy, drives install plan/apply, appends to the ledger.
- `ledger/` — Rust crate. Merkle log + verification, exposed to Go via FFI so the verification logic exists in exactly one place.
See Architecture overview for the why behind the split.
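As an added illustration of the ledger half of that split (editor's example, not code from the openagentlock-ledger crate or any part of the project): a minimal Merkle log in Go in which every appended decision changes the published root, so a later edit, drop or reorder of any entry is detectable against a root an auditor saved. The hashing layout (tagged leaf and node prefixes, odd-node duplication, plain-text decision records) is this example's own assumption; the real crate's encoding and FFI surface are not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
)

// hash tags leaves (0) and interior nodes (1) so the two cannot collide.
func hash(tag byte, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte{tag})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// MerkleRoot pairs nodes level by level (an odd node pairs with itself); the empty log has root "".
func MerkleRoot(entries [][]byte) string {
	if len(entries) == 0 {
		return ""
	}
	level := make([][]byte, len(entries))
	for i, e := range entries {
		level[i] = hash(0, e)
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			next = append(next, hash(1, level[i], level[i+1]))
		}
		level = next
	}
	return hex.EncodeToString(level[0])
}

// Ledger is the append-only decision log; Append returns the root a signer attests (assumed layout).
type Ledger struct{ Entries [][]byte }

func (l *Ledger) Append(decision []byte) string {
	l.Entries = append(l.Entries, decision)
	return MerkleRoot(l.Entries)
}
// Verify recomputes the root; any edit, drop or reorder of an entry changes it.
func (l *Ledger) Verify(publishedRoot string) bool {
	return MerkleRoot(l.Entries) == publishedRoot
}
```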
The five gates
Every install ships policies/default.yaml with five gates in monitor mode:
| Gate | What it catches |
|---|---|
| `supply-chain.pkg-install` | `pip install`, `npm install`, `brew install`, `cargo install` |
| `supply-chain.untrusted-mcp` | MCP server with an unpinned public key |
| `rogue.secret-read` | reads of `.env`, `~/.ssh`, `~/.aws/credentials`, anywhere a secret-shaped path appears |
| `rogue.net-egress` | `curl`, `wget`, MCP HTTP tools |
| `rogue.destructive-bash` | `rm -rf`, `git push --force`, `DROP TABLE`, `kubectl delete` |
See Policies and the five gates for the rule schema and authoring rules.
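Added example, not the project's policy engine: a deterministic evaluator in Go for the four baseline gates above that match on bash command text, showing what monitor mode means (hits are recorded for the ledger, the call is still allowed). The `Gate` and `Verdict` types, the regular expressions and the `monitor` flag are this example's own assumptions about how such a policy could be modelled, not the YAML rule schema.

```go
package main

import (
	"fmt"
	"regexp"
)

// Gate is one baseline rule: its id from policies/default.yaml and the
// command shape it flags (this struct is the example's own model).
type Gate struct {
	ID      string
	Pattern *regexp.Regexp
}

// Verdict lists every gate that fired; in monitor mode the call is still
// allowed, and the hits are what get written to the ledger.
type Verdict struct {
	Allowed bool
	Hits    []string
}

// Four of the five gates match on bash command text; the untrusted-MCP
// gate inspects server metadata instead and is left out here.
var baselineGates = []Gate{
	{"supply-chain.pkg-install", regexp.MustCompile(`\b(pip|npm|brew|cargo) install\b`)},
	{"rogue.secret-read", regexp.MustCompile(`(\.env|\.ssh|\.aws/credentials)\b`)},
	{"rogue.net-egress", regexp.MustCompile(`\b(curl|wget)\b`)},
	{"rogue.destructive-bash", regexp.MustCompile(`\brm -rf\b|git push --force|\bDROP TABLE\b|\bkubectl delete\b`)},
}

// Evaluate runs every gate over one tool call: same input, same verdict.
// monitor=true records hits but allows; monitor=false denies on any hit.
func Evaluate(cmd string, monitor bool) Verdict {
	v := Verdict{Allowed: true}
	for _, g := range baselineGates {
		if g.Pattern.MatchString(cmd) {
			v.Hits = append(v.Hits, g.ID)
		}
	}
	if !monitor && len(v.Hits) > 0 {
		v.Allowed = false
	}
	return v
}
func main() {
	for _, c := range []string{"npm install left-pad", "cat ~/.ssh/id_rsa", "git status"} {
		fmt.Printf("%-22s -> %+v\n", c, Evaluate(c, true))
	}
}
```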
Repository layout
```text
cli/                  TypeScript + Bun + OpenTUI — @openagentlock/cli
control-plane/        Go HTTP service in Docker — ghcr.io/openagentlock/agentlockd
  api/openapi.yaml    source-of-truth API contract
  Dockerfile, docker-compose.yml
dashboard-ui/         Vite SPA embedded into the Go binary
ledger/               Rust crate (lib + cdylib + staticlib) — openagentlock-ledger
policies/default.yaml baseline policy shipped with every install
docs/                 MkDocs Material site (deployed to openagentlock.github.io/OpenAgentLock)
assets/               logo, favicon, social card
docker-compose.yml    one-command control-plane bring-up
scripts/install.sh    one-shot installer
.github/workflows/    ci · docker-publish · npm-publish · pages
```
Status
Pre-1.0.
We try not to break anything that already works. Surfaces marked "shipped" have tests; surfaces marked "not yet" exist as scaffolding or stubs and are explicitly disabled in the user-facing path.
Contributing
See CONTRIBUTING.md for development setup and the workflow.
By contributing you agree your contributions are licensed under the FSL-1.1-Apache-2.0 found in LICENSE.
We follow the Contributor Covenant 2.1. For security disclosures see SECURITY.md.
License
Functional Source License 1.1, Apache 2.0 Future License (FSL-1.1-Apache-2.0).
Permits any non-competitive use today; auto-converts to Apache 2.0 two years after each release.