Kintsugi intercepts dangerous shell commands from AI agents with deterministic rules

Kintsugi, posted to Hacker News by author arr0wassass1n, is an early-release, MIT-licensed Rust tool designed as a safety net for AI coding agents that execute real shell commands. It intercepts commands before they run, explains them in plain English, makes destructive actions reversible via just-in-time snapshots, and records every command to an append-only, hash-chained log stored entirely on the local machine — no cloud account or network egress required. The tool also functions as a passive recorder for human shell sessions (bash/zsh), allowing `kintsugi undo` to roll back a human's accidental `rm -rf` the same way it rolls back an agent's.

The core design principle is that blocking decisions are made exclusively by deterministic, human-written rules.

The core design principle is that blocking decisions are made exclusively by deterministic, human-written rules. An optional local GGUF model can sharpen plain-English command summaries and add caution flags to ambiguous cases, but it cannot unlock or downgrade a rule-based block — meaning the block cannot be circumvented by prompt injection or adversarial inputs. Shell parsing uses two passes: a fast tokenizer and a full bash AST parser (`brush-parser`, pure Rust), with the more cautious verdict applied. This catches dangerous commands embedded in `$(...)` subshells, here-docs, and `if`/`for`/`while` blocks. Lines the parser cannot fully understand are held rather than assumed safe.

Native pre-tool hooks cover Claude Code, Cursor, Codex, Qwen, Gemini, Copilot, and OpenCode, with a `$PATH` shim and MCP server extending coverage to arbitrary processes including raw bash scripts and Makefiles — all wired by a single `kintsugi init` command. The post is explicit about the threat model's limits: hooks can be bypassed by a process calling a binary by absolute path or running in auto-approve mode, so the guarantee is "nothing is unrecoverable," not "nothing runs un-warned." An admin lock can seal settings behind a password with daemon-side brute-force lockout, but does not stop root. An adversarial assessment against a MITRE ATT&CK + GTFOBins corpus produced 0/176 dangerous commands leaking to "safe" across 1.4M fuzz inputs, surfaced one heap-DoS (now fixed), and zero crashes since.

Key facts

1. 01Kintsugi intercepts shell commands from AI agents before execution, creates just-in-time snapshots for reversibility, and logs all commands to an append-only, hash-chained log.
2. 02Blocking decisions are made by deterministic, human-written rules only — a local GGUF model can explain commands but cannot override a block.
3. 03Two-pass shell parsing uses a fast tokenizer and a `brush-parser` Rust AST parser, catching dangerous commands inside subshells, here-docs, and control-flow blocks.
4. 04Lines the parser cannot fully understand are held as potentially dangerous, never assumed safe.
5. 05Native pre-tool hooks support Claude Code, Cursor, Codex, Qwen, Gemini, Copilot, and OpenCode; a `$PATH` shim and MCP server cover everything else.
6. 06Adversarial assessment against a MITRE ATT&CK + GTFOBins corpus found 0/176 dangerous commands classified as safe across 1.4M fuzz inputs.
7. 07Written in Rust, MIT-licensed, cross-platform (macOS/Linux/Windows); works immediately with no model, installed via a single `curl` command or `cargo install kintsugi`.

Topics