OpenAgentLock

Detect local agent harnesses, gate risky tool calls with a deterministic YAML policy, and anchor every decision in a tamper-evident Merkle ledger. Install once and keep working in Claude Code, Codex CLI, Cursor, and Gemini CLI as normal — your workflow does not change.

Why

Coding agents pip install dependencies, read .env files, push to remotes, and call MCP tools you've never pinned. OpenAgentLock catches those calls at the harness hook layer, applies a deterministic YAML policy, and signs every decision to a local Merkle ledger you can verify after the fact.

What ships today

Detection

agentlock detect

Eight harness detectors registered: Claude Code, Codex CLI, Cursor, OpenCode, Cline, Continue.dev, Gemini CLI, VS Code Copilot.

Install plan / apply

agentlock install

Interactive multi-select. Posts to /v1/install/plan, renders the diff, applies on confirm. Real install paths live for Claude Code, Codex CLI, Cursor, and Gemini CLI.

Registry-first policy

agentlock rules install

First boot includes a thirteen-gate enforce-mode baseline for destructive shell, supply-chain RCE, secret reads, evasion, infra deletes, and persistence across supported harnesses. Add extras from openagentlock/rules with agentlock rules sync && agentlock rules install <id>.

Tamper-evident ledger

/v1/ledger/*

Rust crate: SHA-256 leaf hashing, Merkle root computation, inclusion proofs and proof verification. Ten tests pass.

Dashboard

127.0.0.1:7879 · agentlock dashboard

Read logs, author rules, watch live activity. Web SPA at :7879, or a terminal TUI via agentlock dashboard.

Signers

/v1/sessions

Software (dev/CI) and TOTP shipped. OS keychain and YubiKey land next.

Community rules registry

openagentlock/rules

Browse and install community-maintained gates with agentlock rules install <id>. Search the catalog at openagentlock.github.io/rules — or point the CLI at any Git repo to run a private registry.

Agent skills

openagentlock/skills

Claude Code / Cursor / Codex skills that turn "block X" intent into a policy gate, run agentlock rules install, and verify the deny fires.

How it works

flowchart LR
    subgraph host["Your host"]
      H["Agent harness<br/><i>Claude Code · Codex CLI · Cursor</i>"]
      CLI["agentlock CLI<br/><i>owns long-lived signing key</i>"]
    end
    subgraph docker["Docker (127.0.0.1)"]
      CP[":7878 control plane<br/><i>policy · install · ledger appender</i>"]
      DB[":7879 web dashboard"]
      L[("Merkle ledger<br/>Rust crate via FFI")]
    end
    H -->|"pre-tool hook"| CP
    CP -->|"verdict"| H
    CLI -->|"signed session"| CP
    CP --> L
    CP --- DB

Three languages, one repo. The CLI runs on your host and owns the YubiKey path. The control plane runs in Docker and evaluates policy. The ledger is a Rust crate linked into Go via FFI so verification logic exists in exactly one place.
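The flow above in miniature, as an added Go example that is not OpenAgentLock's own code: a deterministic gate pass over a few constructed tool calls, each verdict hashed into a SHA-256 Merkle tree, an inclusion proof for one entry, and the failure you get when that entry is edited afterwards. The gate shape, the "Bash"/"Read" tool names and the sample calls are assumptions; the project's real policy is YAML, and its real ledger is the Rust crate described above, whose leaf encoding and odd-node rule this page does not state. The example uses RFC 6962 style domain separation (0x00 prefix for leaves, 0x01 for inner nodes) and carries an unpaired node up unchanged.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// Decision is one gated tool call plus the verdict the policy returned for it.
// Tool names such as "Bash" and "Read" are assumed, not taken from any harness spec.
type Decision struct{ Tool, Arg, Verdict, Gate string }

// Hypothetical gates in the spirit of the baseline categories named on the page:
// tool name plus a substring to look for in the argument. The real policy is YAML.
var gates = []struct{ ID, Tool, Match string }{
	{"destructive-shell", "Bash", "rm -rf"},
	{"supply-chain-rce", "Bash", "pip install"},
	{"secret-read", "Read", ".env"},
}

// Evaluate walks the gates in order: first match denies, otherwise allow. No
// randomness and no model call, so the same input always yields the same verdict.
func Evaluate(tool, arg string) Decision {
	for _, g := range gates {
		if g.Tool == tool && strings.Contains(arg, g.Match) {
			return Decision{Tool: tool, Arg: arg, Verdict: "deny", Gate: g.ID}
		}
	}
	return Decision{Tool: tool, Arg: arg, Verdict: "allow"}
}

// Encode serialises a decision with a unit separator so fields cannot run together.
func (d Decision) Encode() []byte {
	return []byte(strings.Join([]string{d.Tool, d.Arg, d.Verdict, d.Gate}, "\x1f"))
}

// Domain-separated hashing (RFC 6962 style): a leaf can never be mistaken for an inner node.
func hashLeaf(data []byte) [32]byte { return sha256.Sum256(append([]byte{0x00}, data...)) }
func hashNode(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...)) }

// ProofStep is one sibling hash on the path to the root; Left says which side it sits on.
type ProofStep struct{ Hash [32]byte; Left bool }

// Root computes the Merkle root and Proof the inclusion proof for leaf i. An unpaired
// node is carried up unchanged, not duplicated, so two leaf lists cannot share a root.
func Root(leaves [][32]byte) [32]byte            { r, _ := walk(leaves, -1); return r }
func Proof(leaves [][32]byte, i int) []ProofStep { _, p := walk(leaves, i); return p }

func walk(level [][32]byte, target int) ([32]byte, []ProofStep) {
	if len(level) == 0 { return [32]byte{}, nil }
	var proof []ProofStep
	for len(level) > 1 {
		var next [][32]byte
		for j := 0; j < len(level); j += 2 {
			if j+1 == len(level) { // odd node out: carry it up
				next = append(next, level[j])
				continue
			}
			if target == j || target == j+1 { // record the sibling of the path node
				proof = append(proof, ProofStep{Hash: level[target^1], Left: target%2 == 1})
			}
			next = append(next, hashNode(level[j], level[j+1]))
		}
		if target >= 0 { target /= 2 } // -1 means no proof wanted; keep it out of the index math
		level = next
	}
	return level[0], proof
}

// Verify recomputes the root from a leaf hash and its proof; any change to the
// entry, the proof or the root makes it fail.
func Verify(root, leaf [32]byte, proof []ProofStep) bool {
	h := leaf
	for _, s := range proof {
		if s.Left { h = hashNode(s.Hash, h) } else { h = hashNode(h, s.Hash) }
	}
	return h == root
}

// Demo gates four constructed tool calls, anchors the verdicts in a tree, proves one
// entry's inclusion, then shows that rewriting that verdict after the fact breaks the proof.
func Demo() (valid, tamperedValid bool) {
	calls := [][2]string{ // constructed sample calls, not captured from a real harness
		{"Bash", "go test ./..."}, {"Read", "/app/.env"},
		{"Bash", "pip install left-pad"}, {"Bash", "git push origin main"},
	}
	entries, leaves := []Decision{}, [][32]byte{}
	for _, c := range calls {
		d := Evaluate(c[0], c[1])
		entries, leaves = append(entries, d), append(leaves, hashLeaf(d.Encode()))
	}
	root, i := Root(leaves), 1 // entry 1 is the denied .env read
	proof := Proof(leaves, i)
	valid = Verify(root, leaves[i], proof)
	forged := entries[i] // after-the-fact edit: pretend the read was allowed
	forged.Verdict = "allow"
	tamperedValid = Verify(root, hashLeaf(forged.Encode()), proof)
	return valid, tamperedValid
}

func main() { fmt.Println(Demo()) } // true false: the stored entry verifies, the forged one does not
```

The two booleans are what a post-hoc audit checks: the proof for the stored decision verifies against the root, and a rewritten verdict does not. A tree alone only proves consistency with itself, though; what makes the ledger tamper-evident against the machine it runs on is that the appended decisions are signed with a key the control plane container does not hold, which is why the diagram puts the long-lived signing key in the host-side CLI.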

Get started

Three steps:

# 1. Pull the control-plane image
docker pull ghcr.io/openagentlock/agentlockd:latest

# 2. Fetch the example docker-compose.yml into your CWD and start the control plane
curl -O https://raw.githubusercontent.com/openagentlock/openagentlock/main/docker-compose.yml
# Optional external guardrails:
# export NVIDIA_API_KEY=...
# export OPENROUTER_API_KEY=...
docker compose up -d

# 3. Install the CLI and wire up your agents
npm i -g @openagentlock/cli
agentlock detect
agentlock install

See Installation for source builds and platform notes.

Status

This project is pre-1.0. See the status page for the live shipped/not-yet matrix.