Sandbox a coding agent's CLI
Stop the agent before it rm -rfs.
Coding agents have shells. Shells run anything. The CLI Firewall evaluates every candidate command and returns the same three-outcome verdict — passed, corrected, or blocked — before the command ever reaches exec.
1 — Install the wrapper
```bash
brew install trinitite-cli-firewall
# or: curl -fsSL https://get.trinitite.ai/cli-firewall | sh
```
2 — Wire it into your agent runner
```bash
# Wrap the agent's exec point
trinitite-cli-firewall exec \
  --agent-platform claude_code \
  --nhi nhi_claude_code_dev_alex \
  -- "$@"
```
Or call the API directly from any runner:
```bash
curl https://api.trinitite.ai/v1/cli/evaluate \
  -H "Authorization: Bearer $TRINITITE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_platform": "claude_code",
    "nhi": "nhi_claude_code_dev_alex",
    "command": "rm -rf /var/lib/postgres",
    "cwd": "/repo"
  }'
```
3 — Read the verdict
```json
{
  "outcome": "blocked",
  "risk_score": 92,
  "reason": "Destructive recursive removal of system path",
  "ledger_id": "lg_01HZ2P..."
}
```
Sample corrected outcome — agent typed an unsafe command, Guardian rewrites it:
```json
{
  "outcome": "corrected",
  "rewritten_command": "trash-put /var/lib/postgres",
  "reason": "Substituted reversible delete for hard rm",
  "ledger_id": "lg_01HZ2Q..."
}
```
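One way a runner calling the API directly could act on the three outcomes, as an added example that is not Trinitite's own code. The names `resolve_command` and `CommandBlocked`, the fail-closed handling of malformed or unrecognised verdicts, and the shape of a `passed` verdict (not shown on this page) are assumptions.

```python
import json


class CommandBlocked(Exception):
    """Raised whenever the runner must not execute anything."""


def resolve_command(original: str, verdict_json: str) -> str:
    """Return the command string the runner may exec, or raise CommandBlocked.

    Fails closed: anything other than a well-formed passed/corrected
    verdict is treated as blocked.
    """
    try:
        verdict = json.loads(verdict_json)
    except (TypeError, ValueError) as exc:
        raise CommandBlocked("verdict is not valid JSON") from exc
    if not isinstance(verdict, dict):
        raise CommandBlocked("verdict is not a JSON object")

    outcome = verdict.get("outcome")
    ref = verdict.get("ledger_id", "no ledger_id")  # keep for audit lookups

    if outcome == "passed":
        return original
    if outcome == "corrected":
        rewritten = verdict.get("rewritten_command")
        # A corrected verdict without a usable rewrite must not fall back
        # to the original command, which the firewall declined to pass.
        if not isinstance(rewritten, str) or not rewritten.strip():
            raise CommandBlocked(f"corrected verdict lacks rewritten_command ({ref})")
        return rewritten
    if outcome == "blocked":
        raise CommandBlocked(f"{verdict.get('reason', 'no reason given')} ({ref})")
    raise CommandBlocked(f"unrecognised outcome {outcome!r} ({ref})")


# Constructed sample verdicts; CORRECTED and BLOCKED mirror the ones on this page.
PASSED = '{"outcome": "passed", "ledger_id": "lg_EXAMPLE"}'
CORRECTED = ('{"outcome": "corrected", '
             '"rewritten_command": "trash-put /var/lib/postgres", '
             '"reason": "Substituted reversible delete for hard rm", '
             '"ledger_id": "lg_01HZ2Q..."}')
BLOCKED = ('{"outcome": "blocked", "risk_score": 92, '
           '"reason": "Destructive recursive removal of system path", '
           '"ledger_id": "lg_01HZ2P..."}')

if __name__ == "__main__":
    print(resolve_command("ls -la", PASSED))
    print(resolve_command("rm -rf /var/lib/postgres", CORRECTED))
```

The runner should surface the `CommandBlocked` message to the agent instead of retrying the original command.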
Per-agent attribution
Set agent_platform on every call so SIEM searches can slice by tool:
| agent_platform | Recommended for |
|---|---|
| claude_code | Anthropic Claude Code |
| cursor | Cursor in-IDE agents |
| devin | Cognition Devin |
| aider | Aider |
| custom | Anything else (set nhi for slicing) |
What's next
→ CLI Firewall — the per-rule architecture.
→ Cookbook: Govern Claude Code — wire CLI + MCP + ledger together.