π Hardstop
π β Star on GitHub if Hardstop keeps you safe!
Pre-execution safety validation for AI coding agents. Validates every shell command against 428 security patterns before execution β blocking destructive operations, credential theft, infrastructure teardown, and prompt injection. Fail-closed: blocks by default when uncertain.
Ecosystem: The detection patterns are published separately as hardstop-patterns (GitHub) β reusable in any Node.js tool.
Installation β’ How It Works β’ Commands β’ Report Issue
β‘οΈ Why Hardstop?
You trust your AI, but you shouldn't trust it with rm -rf / or reading your ~/.aws/credentials. Hardstop sits between the LLM and your system, enforcing a strict Fail-Closed policy on dangerous operations.
- π‘οΈ Pattern Matching: Instant regex-based detection for known threats (fork bombs, reverse shells)
- π§ LLM Analysis: Semantic analysis for edge cases and obfuscated attacks
- βοΈ Chain Awareness: Scans every link in a command chain (
&&, |, ;)
- π Secrets Protection: Blocks reading of credential files (
.ssh, .aws, .env) (v1.3)
- π macOS Coverage: Keychain, diskutil, Time Machine, Gatekeeper, SIP, LaunchDaemons (v1.3.6)
- π LLM Guidance: Teaches Claude how to think about safety, not just blocks
π Quick Demo
Claude tries to ruin your day? Hardstop says no.
# Claude attempts a home directory deletion
$ rm -rf ~/
π BLOCKED: Deletes home directory
# Claude tries to read your AWS credentials
$ Read ~/.aws/credentials
π BLOCKED: AWS credentials file
# You check the status
$ /hs status
Hardstop v1.4.3
Status: π’ Enabled
Session Risk: Moderate (35/100)
Blocked: 2 commands this session
# One-time bypass for a command you trust
$ /hs skip
βοΈ Next command will skip safety check
# Multi-skip: bypass next 3 commands (v1.3.2)
$ /hs skip 3
βοΈ Next 3 commands will skip safety check
# View recent security decisions
$ /hs log
2026-01-20 10:30:45 π [pattern] rm -rf ~/
ββ Deletes home directory
βοΈ How It Works
Hardstop uses a two-layer verification system for Bash commands and pattern-based protection for file reads.
graph TD
A[Tool Call] --> B{Bash or Read?};
B -- Bash --> C{Layer 1: Patterns};
C -- Dangerous Pattern --> D[π BLOCK];
C -- Safe Pattern --> E[β
ALLOW];
C -- Unknown --> F{Layer 2: LLM Analysis};
F -- Risky --> D;
F -- Safe --> E;
B -- Read --> G{Credential File?};
G -- .ssh/.aws/.env --> D;
G -- Source Code --> E;
D --> H[Log to Audit];
E --> I[Execute];
The 428 detection patterns (Layer 1) are published as a standalone npm package: hardstop-patterns β usable in any Node.js tool, not just Hardstop.
π€ Works Well With
PatchPilot - Package vulnerability scanner that blocks risky npm/pip/brew installations.
| Tool | Focus | What It Protects |
|---|
| Hardstop | Command execution safety | Blocks dangerous commands (rm -rf /, credential theft) |
| PatchPilot | Package installation security | Blocks packages with known CVEs |
Use both for complete Claude Code security:
# Install PatchPilot (package vulnerability scanning)
npx patchpilot-cli install
# Install Hardstop (command execution safety)
npx hardstop install
Why both? PatchPilot secures your dependencies, Hardstop secures your execution layer. No overlapβthey're complementary.
