The dangerous command, caught before it runs.
Let AI agents — and your team — move fast, without wrecking the machine. Kintsugi catches an agent's catastrophic command before it executes and makes it reversible; for the humans on the box (DBAs, operators) it keeps a tamper-evident audit trail with one-command undo. Everything every agent and person did, on one hash-chained log. Local-first.
macOS · Linux · Windows · works with every agent · nothing leaves your machine
> what is it
AI coding agents now run real commands on real machines — rm -rf, git push --force, terraform destroy, drop table — faster than you can read a confirmation. Kintsugi sits on that one chokepoint: the command line. It warns in plain English before execution, holds the dangerous ones for a one-key decision, makes destructive actions reversible, and keeps a tamper-evident record of everything every agent did.
Agent-agnostic from day one, with a native pre-tool hook for each: Claude Code, Qwen Code, Gemini CLI, GitHub Copilot CLI, Cursor CLI, Codex CLI, and OpenCode — plus any custom/MCP agent and any raw shell via the $PATH shim. kintsugi init detects what you have and wires each one. Protection lives at the process layer, not inside any one tool.
> how it works
AGENT
proposes a command
INTERCEPT
hook · MCP · $PATH shim → one event
DECIDE
Tier-1 rules; Tier-2 model scores the middle
SNAPSHOT + LOG
reversible + hash-chained
SAFE auto-allows on a model-free fast path (~microseconds). CATASTROPHIC is a hard floor. AMBIGUOUS is held for you — or scored against a threshold when you're away.
> watch the flow
Agent proposes rm -rf src → Kintsugi holds it → you deny → it's on the timeline. (Animated; pure SVG, no JS.)
> the live TUI
A real ratatui app over the live event log — bordered panels, a detail pane, severity colors, and a risk gauge. Navigate, filter, open detail, approve/deny a held action, undo — all without leaving the terminal.
Real rendered output. Calm by default; the one danger accent appears only when it must. Honors NO_COLOR; reflows from 80×24 up.
> why it's different
Stops it before it happens
Rules do the blocking, not an LLM rolling the dice. The decision is predictable, and a clever prompt can't talk Kintsugi out of it. Zero catastrophic commands classified as safe, enforced by a golden corpus + property tests.
Works with every agent
Native hooks for Claude Code, Cursor, Codex, Qwen, Gemini, Copilot & OpenCode — or any raw shell. One layer at the process level, wired in a single kintsugi init.
Reversible by default
Snapshots before destructive ops (reflink CoW). kintsugi undo brings files back; a filesystem backstop catches what slips past.
Private & auditable
No cloud, no account, no telemetry. Every command lands on one hash-chained, tamper-evident log you own.
Calm, then loud
Safe commands fly through in sub-millisecond time; Kintsugi only interrupts for the ones that can actually hurt you.
When Kintsugi blocks a catastrophic command, the agent stops and you decide — kintsugi run <id> lets you run it yourself, reversibly. See that and every feature, each with a real captured frame → features.
> for shared & production hosts
Run Kintsugi as a managed, audited control — not just an agent guard.
Password to stop
Settings are sealed behind an admin password (Argon2id + XChaCha20-Poly1305, one-time recovery key). Once locked, stopping or disabling Kintsugi needs the password — an agent or normal user can't quietly turn it off.
Auto-restart watchdog
Runs under systemd / launchd with restart-always, so after a kill / pkill it relaunches within seconds.
Passive session recorder
Logs every shell command typed by a human (no AI agent involved) onto the same tamper-evident audit chain for compliance. Redacts command-line secrets before hashing; blocks nothing.
Plus a branded control-room TUI with Timeline / Audit / Recorder views. Honest scope: this defeats an agent or non-root user and makes a forced shutdown logged + recoverable — it does not stop root. Full detail → enterprise.
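What a hash-chained command log with redaction before hashing involves, shown as an added example that is not Kintsugi's code. The record fields, the genesis value, the redaction pattern, the use of SHA-256 and the sample events are all assumptions made for illustration.

```python
import copy, hashlib, json, re

GENESIS = "0" * 64  # assumed "prev" value for the first record
FIELDS = ("seq", "actor", "command", "decision")  # assumed record layout
# Assumed redaction rule: mask the value after secret-looking flags or VAR= assignments.
SECRET_RE = re.compile(
    r"(--?(?:password|token|secret|api-key)[= ]|\b\w*(?:password|token|secret)\w*=)(\S+)",
    re.IGNORECASE)

def redact(command):
    return SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", command)

def entry_hash(prev, body):
    # Canonical JSON so the same record always hashes to the same bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canon).encode()).hexdigest()

def append(log, actor, command, decision):
    prev = log[-1]["hash"] if log else GENESIS
    # Redact first: the secret never reaches the log or the hash input.
    body = {"seq": len(log), "actor": actor,
            "command": redact(command), "decision": decision}
    log.append({**body, "prev": prev, "hash": entry_hash(prev, body)})

def verify(log, expected_head=None):
    """Return None if intact, else the index where the chain first breaks.
    A chain cannot reveal a truncated tail by itself, so the caller may pass
    the last hash it stored elsewhere; a mismatch is reported as len(log)."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: e[k] for k in FIELDS}
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(prev, body):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def sample_log():
    # Constructed events, using commands the page names as dangerous.
    log = []
    append(log, "agent:claude-code", "rm -rf src", "denied")
    append(log, "human:dba", "mysql --password=hunter2 -e 'drop table users'", "recorded")
    append(log, "agent:codex", "git push --force", "held")
    return log

if __name__ == "__main__":
    log = sample_log()
    edited = copy.deepcopy(log); edited[1]["decision"] = "allowed"
    print(verify(log), verify(edited), verify(log[:2], log[-1]["hash"]))
```

Editing or deleting any record breaks verification from that point on. Dropping records from the end is only caught when the latest hash is also kept somewhere the editor of the log cannot reach.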