🛑 Hardstop
👉 ⭐ Star on GitHub if Hardstop keeps you safe!
Pre-execution safety validation for AI coding agents. Validates every shell command against 428 security patterns before execution — blocking destructive operations, credential theft, infrastructure teardown, and prompt injection. Fail-closed: blocks by default when uncertain.
Ecosystem: The detection patterns are published separately as hardstop-patterns (GitHub) — reusable in any Node.js tool.
Installation • How It Works • Commands • Report Issue
⚡️ Why Hardstop?
You trust your AI, but you shouldn't trust it with rm -rf / or reading your ~/.aws/credentials. Hardstop sits between the LLM and your system, enforcing a strict Fail-Closed policy on dangerous operations.
- 🛡️ Pattern Matching: Instant regex-based detection for known threats (fork bombs, reverse shells)
- 🧠 LLM Analysis: Semantic analysis for edge cases and obfuscated attacks
- ⛓️ Chain Awareness: Scans every link in a command chain (
&&,|,;) - 🔐 Secrets Protection: Blocks reading of credential files (
.ssh,.aws,.env) (v1.3) - 🍎 macOS Coverage: Keychain, diskutil, Time Machine, Gatekeeper, SIP, LaunchDaemons (v1.3.6)
- 📚 LLM Guidance: Teaches Claude how to think about safety, not just blocks
🚀 Quick Demo
Claude tries to ruin your day? Hardstop says no.
# Claude attempts a home directory deletion
$ rm -rf ~/
🛑 BLOCKED: Deletes home directory
# Claude tries to read your AWS credentials
$ Read ~/.aws/credentials
🛑 BLOCKED: AWS credentials file
# You check the status
$ /hs status
Hardstop v1.4.3
Status: 🟢 Enabled
Session Risk: Moderate (35/100)
Blocked: 2 commands this session
# One-time bypass for a command you trust
$ /hs skip
⏭️ Next command will skip safety check
# Multi-skip: bypass next 3 commands (v1.3.2)
$ /hs skip 3
⏭️ Next 3 commands will skip safety check
# View recent security decisions
$ /hs log
2026-01-20 10:30:45 🛑 [pattern] rm -rf ~/
└─ Deletes home directory
⚙️ How It Works
Hardstop uses a two-layer verification system for Bash commands and pattern-based protection for file reads.
graph TD
A[Tool Call] --> B{Bash or Read?};
B -- Bash --> C{Layer 1: Patterns};
C -- Dangerous Pattern --> D[🛑 BLOCK];
C -- Safe Pattern --> E[✅ ALLOW];
C -- Unknown --> F{Layer 2: LLM Analysis};
F -- Risky --> D;
F -- Safe --> E;
B -- Read --> G{Credential File?};
G -- .ssh/.aws/.env --> D;
G -- Source Code --> E;
D --> H[Log to Audit];
E --> I[Execute];
The 428 detection patterns (Layer 1) are published as a standalone npm package: hardstop-patterns — usable in any Node.js tool, not just Hardstop.
🤝 Works Well With
PatchPilot - Package vulnerability scanner that blocks risky npm/pip/brew installations.
| Tool | Focus | What It Protects |
|---|---|---|
| Hardstop | Command execution safety | Blocks dangerous commands (rm -rf /, credential theft) |
| PatchPilot | Package installation security | Blocks packages with known CVEs |
Use both for complete Claude Code security:
# Install PatchPilot (package vulnerability scanning)
npx patchpilot-cli install
# Install Hardstop (command execution safety)
npx hardstop install
Why both? PatchPilot secures your dependencies, Hardstop secures your execution layer. No overlap—they're complementary.