Kintsugi sits between the agent and your system. It catches the dangerous command before it runs, explains it in one plain sentence, makes destructive actions reversible with a snapshot, and writes every command every agent ran to an append-only, hash-chained log you own. Local-first: no cloud, no account, nothing leaves the machine.
It's not only for AI. A passive bash/zsh recorder (no agent involved) puts every command a person runs on the same tamper-evident log and snapshots the destructive ones just-in-time — so `kintsugi undo` rolls back a DBA's fat-fingered rm -rf or clobbering overwrite the same way it rolls back an agent's. On a managed host you can seal the settings behind an admin password, enforced daemon-side with brute-force lockout, so an agent or a normal user can't quietly turn it off.
The design rule I cared most about: the decision to block a catastrophic command is made by deterministic rules a human wrote — never an LLM. A local model can only explain a command and add caution to the ambiguous middle; it can never unlock or downgrade a rule-based block. So the block is predictable and can't be talked out of by a clever prompt.
A few things that turned out to matter:
- It parses real shell structure, not text. Two passes — a fast tokenizer and a true bash AST parser (brush-parser, pure Rust) — and it takes the more cautious verdict. That catches commands hidden inside $(...), here-docs, subshells, and if/for/while blocks, which substring scanners wave through. echo "$(rm -rf /)" is caught. - It fails toward caution. A line the parser can't fully understand is held, never assumed safe. The hard invariant, enforced by a golden corpus, is zero catastrophic-classified-as-safe. - It works at the process/PATH layer, not as a per-tool plugin. Native pre-tool hooks for Claude Code, Cursor, Codex, Qwen, Gemini, Copilot, OpenCode — plus a $PATH shim and an MCP server for everything else, including a raw bash script or a Makefile. `kintsugi init` wires them in one command.
I want to be honest about the guarantee, because a lot of tools in this space oversell. Kintsugi is a seatbelt, not a kernel firewall. Hooks are an interception layer — an agent in a yolo/auto-approve mode, or a process that calls a binary by absolute path, can bypass them. That's exactly why there's a filesystem-watcher backstop: the promise is "nothing is unrecoverable," NOT "nothing runs un-warned." And the admin lock defeats an agent or a non-root user — it does not stop root. It guards against mistakes, not a malicious same-user process with root.
I ran an adversarial assessment against it: 0/176 dangerous commands leaked to "safe" across a MITRE ATT&CK + GTFOBins corpus, 1.4M fuzz inputs — which surfaced one real heap-DoS, now fixed, and no crashes since — and zero unsafe blocks. Every figure is reproduced by a committed test.
It's Rust, MIT, cross-platform (macOS/Linux/Windows). Install is one line and it works immediately with no model — an optional local GGUF just sharpens the plain-English summaries:
curl -fsSL https://github.com/arrowassassin/kintsugi/releases/latest/download/install.sh | sh
# or, from source:
cargo install kintsugi