agentctl: Local Agent Security Layer
Explore a local security layer for coding agents, gating risky actions like package installs and shell execution, with replayable JSONL traces for policy testing.
agentctl is a local Go security control tool for coding agents (Claude Code, Codex) that I built to explore one question.
- What’s the smallest useful security layer you can put between a coding agent and the things that can actually hurt your machine?
It gates 5 risky action categories (package installs, shell execution, secret access, file writes, outbound API calls), writes a JSONL trace for every decision, and replays past sessions against a different policy.yaml to see what would have been blocked, escalated, or approved differently. No daemon, no cloud, no repo-local config. Everything lives in ~/.agentctl/.
Live, I’ll attach it to Claude Code, run an agent task that tries to hit an external API, watch the hook block or escalate those actions inline, then edit policy.yaml to tighten the rules and replay the same session under the new policy, showing the decision diff. On screen: the hook config, the policy YAML, raw traces.jsonl, the replay output, and the terminal UI.
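
The replay step described above, sketched as an added example that is not agentctl's own code: a recorded JSONL trace is re-evaluated under a tighter policy and only the changed decisions are reported. The trace field names, the category strings, the map-based policy and the fail-closed default are all assumptions, since the page does not show the real trace or policy.yaml format.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a hypothetical trace record (assumed fields, not agentctl's real schema).
type Event struct {
	ID       int    `json:"id"`
	Category string `json:"category"`
	Target   string `json:"target"`
	Decision string `json:"decision"`
}

// Policy maps a category to approve, escalate or block (stand-in for policy.yaml).
type Policy map[string]string

// Replay re-evaluates recorded events and returns those whose decision changes.
func Replay(trace string, p Policy) ([]string, error) {
	var diff []string
	sc := bufio.NewScanner(strings.NewReader(trace))
	for sc.Scan() {
		var e Event
		if err := json.Unmarshal(sc.Bytes(), &e); err != nil {
			return nil, fmt.Errorf("bad trace line: %w", err)
		}
		d, ok := p[e.Category]
		if !ok {
			d = "block" // assumed default: fail closed on categories the policy omits
		}
		if d != e.Decision {
			diff = append(diff, fmt.Sprintf("#%d %s %s: %s -> %s", e.ID, e.Category, e.Target, e.Decision, d))
		}
	}
	return diff, sc.Err()
}

// SampleTrace is constructed data, one JSON object per line.
const SampleTrace = `{"id":1,"category":"outbound_api","target":"api.example.com","decision":"approve"}
{"id":2,"category":"package_install","target":"left-pad","decision":"escalate"}
{"id":3,"category":"shell_exec","target":"ls","decision":"approve"}`

func main() {
	tightened := Policy{"outbound_api": "block", "package_install": "escalate"}
	diff, err := Replay(SampleTrace, tightened)
	fmt.Println(diff, err)
}
```

A malformed trace line aborts the replay with an error rather than being skipped, so a damaged trace cannot silently hide a decision from the diff.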