It's a simple hook that runs before each tool call. Blocks dangerous commands outside the working directory, protects sensitive files like .env and .git even inside the project, and stops destructive git operations like reset --hard or push --force.
Some things it handles that weren't obvious at first: agents doing "cd ~/Downloads && rm -rf folder" to escape the sandbox, compound patterns like "find -delete" or "xargs rm" targeting paths outside the project, and symlink-based escapes.
Works with Claude Code, OpenCode, Pi, and Factory Droid. Setup is just "npm install -g @melihmucuk/leash" followed by "leash --setup claude-code".
Not a full sandbox. If you need real isolation, use containers. This just catches the common hallucination patterns that cause accidental damage.