RipStop is a Node package implementing a set of rules that consumers can use to protect their repos from wilder actions by LLM agents. A consumer needs only a few lines of code to configure the rules they wish to apply. Example rules: no PII in commits, and no Git actions that interfere with the Git history and thus might impact your ability to recover from problems.
I built this for two main reasons:

- In my own repos I had a few incidents: in one, Claude Code erased some un-staged changes, and in another it started trying to roll back some commits.
- I was reflecting on why agentic development is slow on the uptake in corporate environments. One possibility is fear of the wilder actions LLMs take, so I thought it might be helpful to illustrate how to control these.
The security model is as follows:

- Layer 1 - guidance to the LLM in AGENTS.md or CLAUDE.md. This is of course guidance, and gets forgotten if context rot sets in.
- Layer 2 - Git controls, via hooks that get fired automatically on various actions. Higher hurdle - the LLM would need to generate very specific commands to get round these. This is the space I am aiming at. BTW we also generate a file to go into AGENTS.md to tell the agent the environment it is working in and the controls the consumer has chosen, so there is a bit of layer 1.
- Layer 3 - containers with hard configuration. Not trying to go this far in this package. This is really the space the major labs are going after with cloud agents.
I think it might be useful in two domains:

- People running local agents who want a little more safety
- A POC for corporate controls
Feel free to look, provide commentary, and use.
Jon
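
To make the Layer 2 idea concrete, here is an added example (not part of the original post and not RipStop's own code) of the kind of check a pre-commit hook can run for a "no PII in commits" rule: it scans unified diff text and flags PII on added lines only. The function name `findPiiInDiff`, the two patterns and the sample diff are assumptions constructed for illustration.

```javascript
// Added example (not RipStop code). Names and patterns are illustrative assumptions.
const PII_PATTERNS = [
  { rule: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { rule: 'us-ssn', re: /\b\d{3}-\d{2}-\d{4}\b/ },
];

// Scan unified diff text (as printed by `git diff --cached -U0`) and report
// PII found on added lines only, with the file and new-file line number.
function findPiiInDiff(diffText) {
  const findings = [];
  let file = null, lineNo = 0, inHunk = false;
  for (const line of diffText.split('\n')) {
    if (line.startsWith('diff --git ')) {
      inHunk = false; file = null;            // a new file section begins
    } else if (!inHunk && line.startsWith('+++ ')) {
      // "+++ b/path" names the new file; "+++ /dev/null" is a deletion.
      file = line.startsWith('+++ b/') ? line.slice(6) : null;
    } else if (line.startsWith('@@')) {
      // "@@ -a,b +c,d @@": c is the first line number in the new file.
      const m = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(line);
      inHunk = m !== null;
      lineNo = m ? Number(m[1]) : 0;
    } else if (inHunk && line.startsWith('+')) {
      for (const { rule, re } of PII_PATTERNS) {
        if (file !== null && re.test(line.slice(1))) findings.push({ file, line: lineNo, rule });
      }
      lineNo += 1;
    } else if (inHunk && line.startsWith(' ')) {
      lineNo += 1;                             // context line: count it, do not scan it
    }                                          // removed ("-") lines are ignored
  }
  return findings;
}

// Constructed sample diff: two added PII lines, one removed line holding an email.
const SAMPLE_DIFF = [
  'diff --git a/users.csv b/users.csv', '--- a/users.csv', '+++ b/users.csv',
  '@@ -2,0 +3,2 @@', '+jane.doe@example.com,Jane', '+ssn,123-45-6789',
  'diff --git a/README.md b/README.md', '--- a/README.md', '+++ b/README.md',
  '@@ -1 +1 @@', '-contact: old@example.com', '+contact the maintainers',
].join('\n');

console.log(findPiiInDiff(SAMPLE_DIFF));
```

In a real hook the input would be the staged diff and a non-empty result would make the hook exit non-zero so the commit is refused. Scanning only added lines keeps the check from blocking commits that remove PII.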