
leash (strongdm)

leash-strongdm · strongdm/leash · ★ 565 · last commit 2026-04-06

Primitive shape
No installable primitives
00

Summary

leash (strongdm) — Summary

Leash by StrongDM is a Go CLI tool that wraps AI coding agents (Claude, Codex, Gemini, Qwen, OpenCode) in containers (Docker/Podman/OrbStack) and enforces Cedar policies in real time through an eBPF LSM and an HTTP MITM proxy. It gives full monitoring of filesystem access, network connections and MCP tool calls, plus a web-based Control UI at localhost:18080.

Problem it solves: AI coding agents running on the host machine have unlimited filesystem and network access — they can exfiltrate data, execute malicious commands, or access resources outside the project directory. Leash enforces deterministic Cedar policies at the kernel level (eBPF), making policy violations structurally impossible rather than probabilistically unlikely.

Distinctive trait: Cedar policy enforcement via eBPF LSM: not prompt-level guidance, not YAML allow-lists, but enforcement at the kernel's LSM hooks, so a denied operation fails inside the kernel before it completes. The Control UI includes a Monaco-based Cedar policy editor with live autocomplete, syntax highlighting, inline validation, and a real-time event stream from the eBPF monitor.

Target audience: Security-conscious organizations and developers who want to run AI coding agents with verifiable containment guarantees — the same teams that use StrongDM's PAM/zero-trust infrastructure products.

Production-readiness: Active (565 stars, Apache-2.0, Go, last commit 2026-04-06). Ships as npm package, Homebrew cask, and pre-built binaries. Run by StrongDM (enterprise infrastructure company).

Differs from seeds: No seed framework provides anything comparable. Leash operates at the OS/container layer, below all other frameworks in the corpus. Unlike claude-code-guardrails (which blocks specific write operations via hooks), Leash monitors and enforces at the system call level. Unlike agent-governance-toolkit (which enforces at the API call layer in application code), Leash enforces at the filesystem and network layer independent of the agent's code.

01

Overview

leash (strongdm) — Overview

Origin

Created by StrongDM, an enterprise Privileged Access Management (PAM) and zero-trust infrastructure company. Leash applies StrongDM's core competency (policy-controlled access to infrastructure) to AI coding agents. Apache-2.0 license.

Philosophy

From the README:

"Leash wraps AI coding agents in containers and monitors their activity. You define policies in Cedar; Leash enforces them instantly."

The core premise: "prompt-level safety is not a control surface." Cedar policies enforced via eBPF make violations structurally impossible, not just unlikely.

Key Concepts (from README)

  • Full monitoring: Captures every filesystem access and network connection initiated by the agent so Cedar policies and audit trails operate on complete telemetry.
  • Agent container: Runs your command with the current directory bind-mounted, so tools see the same file tree they would on the host.
  • Leash container: Monitors system calls, applies Cedar policies, and exposes the Control UI at http://localhost:18080.
  • Mount prompts: Remember whether to forward host agent credentials.

Cedar Policy Language

Cedar (AWS's open-source policy language) is the policy syntax. The quick-start policy looks like this:

permit (
    principal,
    action == Action::"FileOpen",
    resource
) when {
    resource in [ Dir::"/workspace" ]
};

Actions: FileOpen, ProcessExec, NetworkConnect, HttpRewrite, MCP tool calls

MCP Observer

From the docs:

"Leash includes a Model Context Protocol (MCP) observer that inspects, records, and enforces MCP tool calls made by the agent. Requests flowing through supported MCP transports are correlated with filesystem and network telemetry, enabling Cedar policies to govern tool use alongside core runtime activity."

Telemetry

Privacy-preserving: only os, arch, mode, Leash version, hashed workspace ID, and session duration are transmitted (no file paths, no policy contents). Disabled via LEASH_DISABLE_TELEMETRY.

02

Architecture

leash (strongdm) — Architecture

Distribution

  • Type: CLI tool (Go binary + npm wrapper + Homebrew cask)
  • License: Apache-2.0
  • Language: Go
  • Binary: leash

Install Methods

# npm (recommended)
npm install -g @strongdm/leash

# Homebrew (macOS)
brew tap strongdm/tap
brew install --cask leash-app

# Pre-built binary from GitHub releases

Required Runtime

  • Docker, Podman, or OrbStack
  • macOS or Linux (WSL supported). eBPF LSM enforcement runs inside a Linux kernel (on macOS, the container runtime's VM kernel) that was built with BPF LSM support and has bpf in its active LSM list; a minimum kernel version is not stated.
  • The macOS app installs a privileged helper for the experimental native (non-Docker) mode, which uses macOS sandbox/security APIs rather than eBPF (see the mac-leash notes below)

Architecture

User runs: leash --open claude

┌──────────────────────────────┐   ┌──────────────────────────────┐
│       Agent Container        │   │       Leash Container        │
│  ┌────────────────────────┐  │   │  ┌────────────────────────┐  │
│  │  AI Agent (claude,     │  │   │  │  eBPF LSM Programs     │  │
│  │  codex, gemini...)     │  │   │  │  (filesystem monitor)  │  │
│  │  + current dir         │  │   │  ├────────────────────────┤  │
│  │    bind-mounted        │  │   │  │  HTTP MITM Proxy       │  │
│  └────────────────────────┘  │   │  │  (network + MCP)       │  │
│                              │   │  ├────────────────────────┤  │
│                              │   │  │  Cedar Policy Engine   │  │
│                              │   │  │  (transpile → IR)      │  │
│                              │   │  ├────────────────────────┤  │
│                              │   │  │  Control UI (Next.js)  │  │
│                              │   │  │  localhost:18080       │  │
│                              │   │  └────────────────────────┘  │
└──────────────────────────────┘   └──────────────────────────────┘

Control UI (Web Dashboard)

  • Port: 18080
  • Stack: Next.js + React (from controlui/web/package.json structure)
  • Features:
    • Monaco-based Cedar policy editor (autocomplete, validation, syntax highlighting)
    • Real-time event stream from eBPF monitor (filesystem, network, MCP)
    • Policy update endpoint: POST /api/policies
    • Policy completion: POST /api/policies/complete
    • Policy validation: POST /api/policies/validate

Config Files

~/.config/leash/config.toml

[leash]
codex = true

[projects."/absolute/path/to/project"]
target_image = "ghcr.io/example/dev:latest"

Supported AI Agents (built into default coder image)

claude, codex, gemini, qwen, opencode

Default Image

public.ecr.aws/s5i7k8t3/strongdm/coder — pre-built with all supported agents

03

Components

leash (strongdm) — Components

CLI Binary

Command                 Purpose
leash claude            Launch Claude in a Leash container with monitoring
leash codex             Launch Codex in a Leash container
leash gemini            Launch Gemini CLI in a Leash container
leash qwen              Launch Qwen in a Leash container
leash opencode          Launch OpenCode in a Leash container
leash --open <agent>    Launch the agent and auto-open the Control UI in a browser
leash --help            List all flags and environment variables
leash <any command>     Launch any command in a monitored container

Cedar Policy Actions (enforced in the kernel via eBPF LSM or at the MITM proxy)

Action            What it governs
FileOpen          Filesystem read/write access
ProcessExec       Process execution
NetworkConnect    Network connections by host/IP
HttpRewrite       HTTP header/value rewriting via the MITM proxy
MCP tool calls    MCP protocol messages (via the HTTP proxy)

Control UI Components

Component              Purpose
Cedar Policy Editor    Monaco-based editor with context-aware autocomplete
Event Stream           Real-time filesystem + network + MCP activity feed
Policy API             POST /api/policies: update the Cedar policy at runtime
Completion API         POST /api/policies/complete: IDE-like autocomplete
Validation API         POST /api/policies/validate: lint Cedar inline

Configuration System

Element                       Purpose
~/.config/leash/config.toml   Global config: default images, project-specific images, volume mounts
Mount prompts                 Per-session: remember whether to forward ~/.claude, ~/.codex, etc.
Environment forwarding        Auto-maps ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, DASHSCOPE_API_KEY
-v src:dst flag               Additional bind mounts
-e KEY=value flag             Additional environment variables

No Hooks, No Skills, No Commands (Agent-Side)

Leash operates at the OS/container layer. It has no Claude Code hooks, no SKILL.md files, no slash commands. The agent runs normally inside the container — Leash is transparent to the agent.

05

Prompts

leash (strongdm) — Prompts

Leash has no AI prompt files, no SKILL.md, no CLAUDE.md templates. The "policy language" is Cedar, not natural language.

Policy 1: Default Quick-Start Cedar Policy (from docs/design/CEDAR.md)

Technique: Declarative ACL with structural enforcement (not a prompt to an LLM).

permit (
    principal,
    action == Action::"FileOpen",
    resource
) when {
    resource in [ Dir::"/workspace" ]
};

This permits file access only within /workspace. Cedar denies anything that no permit covers, and a forbid always overrides a permit, so with this as the whole policy everything outside /workspace is denied structurally; add further permit statements only for paths you actually mean to expose.

Policy 2: Example MCP Tool Restriction

permit (
    principal,
    action == Action::"McpToolCall",
    resource
) when {
    resource == McpTool::"web_search"
};

forbid (
    principal,
    action == Action::"McpToolCall",
    resource
) when {
    resource == McpTool::"shell_exec"
};

The forbid is belt and braces: with only the one permit, Cedar's default deny already blocks shell_exec, but the explicit forbid keeps it blocked if a broader McpToolCall permit is added later, because forbid always wins over permit.

Policy 3: Network Restriction

forbid (
    principal,
    action == Action::"NetworkConnect",
    resource
) when {
    !(resource in [ Host::"api.anthropic.com", Host::"github.com" ])
};

A forbid only removes access; the two allow-listed hosts are reachable only if a permit (or the permissive default) also covers NetworkConnect for them.

Cedar Statement Anatomy

permit | forbid (
    principal,
    action == Action::"PascalCase",
    resource
) when {
    resource in [ Dir::"/path" ]
};

Key: effect (permit/forbid), action (PascalCase Cedar entity), resource (typed: Dir::, File::, Host::, McpTool::), conditions (optional when { ... } block).

Note: Leash enforces Cedar policies at the kernel/proxy layer; the AI agent receives no prompt about what it can or cannot do. A denied file open, exec or connect simply fails with EPERM from the kernel, and a denied HTTP or MCP request fails at the proxy, so the agent sees an ordinary error rather than a policy message.
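The EPERM behaviour above is something to verify rather than trust. The probe below is an added example (not Leash's code and not from its docs) meant to be run inside a session with leash python3 probe.py; it attempts a FileOpen, a ProcessExec and a NetworkConnect of each kind and reports the errno each one fails with. The probe targets (/etc/shadow, /root, curl, example.com) are constructed; /workspace is the bind-mount path from the quick-start policy. With that policy in force, the out-of-workspace file probes should report denied-lsm and the workspace ones allowed. If /etc/shadow reads as allowed, nothing is enforcing (the agent typically runs as root in the container, so DAC does not save you). A NetworkConnect denied at the proxy rather than in the kernel shows up as refused or timeout instead of EPERM, and the probe reports that as its own verdict so the two layers can be told apart.

```python
"""Enforcement probe: run inside a session, e.g. `leash python3 probe.py`.

Added example, not part of Leash. Each attempted operation is classified
by the errno it fails with: EPERM is what a denial at an LSM hook returns,
EACCES is ordinary file-mode (DAC) denial, ENOENT means the path is absent.
The paths and hosts in DEFAULT_PROBES are constructed for illustration.
"""
import errno
import os
import socket
import subprocess
import sys

PYTHON = sys.executable  # a binary that is certainly present for exec probes


def classify(err):
    """Map an OSError to a verdict string."""
    if err.errno == errno.EPERM:
        return "denied-lsm"
    if err.errno == errno.EACCES:
        return "denied-dac"
    if err.errno == errno.ENOENT:
        return "missing"
    if err.errno == errno.ECONNREFUSED:
        return "refused"
    return "error-" + errno.errorcode.get(err.errno, str(err.errno))


def probe_open(path):
    """FileOpen for reading."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as e:
        return classify(e)
    os.close(fd)
    return "allowed"


def probe_write(path):
    """FileOpen for writing: create a new file, then remove it again."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as e:
        return classify(e)
    os.close(fd)
    os.unlink(path)
    return "allowed"


def probe_exec(argv):
    """ProcessExec: run argv and discard its output."""
    try:
        subprocess.run(argv, capture_output=True, timeout=10, check=False)
    except OSError as e:
        return classify(e)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "allowed"


def probe_connect(host, port=443, timeout=3.0):
    """NetworkConnect: TCP connect only, no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "allowed"
    except socket.gaierror:
        return "dns-failed"      # resolution itself may be blocked
    except socket.timeout:
        return "timeout"         # typical of a silently dropped connect
    except OSError as e:
        return classify(e)       # EPERM here means the kernel refused it


# Constructed targets: adjust to the policy under test.
DEFAULT_PROBES = [
    ("open /workspace", lambda: probe_open("/workspace")),
    ("open /etc/shadow", lambda: probe_open("/etc/shadow")),
    ("write /workspace/.leash-probe", lambda: probe_write("/workspace/.leash-probe")),
    ("write /root/.leash-probe", lambda: probe_write("/root/.leash-probe")),
    ("exec curl --version", lambda: probe_exec(["curl", "--version"])),
    ("connect api.anthropic.com:443", lambda: probe_connect("api.anthropic.com")),
    ("connect example.com:443", lambda: probe_connect("example.com")),
]


def run_probes(probes=DEFAULT_PROBES):
    """Return {label: verdict} for every probe."""
    return {label: fn() for label, fn in probes}


if __name__ == "__main__":
    for label, verdict in run_probes().items():
        print(f"{verdict:12s} {label}")
```

Run it twice: once with the permissive default to see every verdict as allowed, then with the intended policy installed; the diff between the two runs is the enforcement you actually have, independent of what the dashboard shows.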

09

Uniqueness

leash (strongdm) — Uniqueness

Differs from Seeds

No seed framework operates at Leash's layer. Every seed framework works above the OS (prompts, hooks, skills); Leash works at the OS/container layer. The closest in spirit is kiro's proprietary enforcement hooks (which block agent actions before execution), but Leash uses kernel-level enforcement via eBPF rather than IDE hook exit codes. Unlike claude-code-guardrails (which blocks specific file writes via Claude Code's PreToolUse hooks), Leash blocks at the syscall level: the forbidden operation fails in the kernel when the agent attempts it, instead of the agent receiving an exit code from a hook. Unlike agent-governance-toolkit (which enforces at the API/application layer in your code), Leash enforces at the infrastructure layer independent of the agent's codebase.

Key Differentiators

  1. eBPF LSM kernel enforcement: The only framework in the corpus that enforces inside the kernel. A policy violation fails with EPERM at the LSM hook, which makes it structurally impossible rather than merely blocked by a hook in the agent's tool loop.
  2. Cedar policy language: Declarative, auditable, versioned security policy rather than bash if-statements or hook exit codes.
  3. MCP observer: Correlates MCP tool calls with filesystem and network telemetry — cross-layer visibility unique in the corpus.
  4. Control UI at localhost:18080: The only framework in the corpus with a dedicated real-time web dashboard for live monitoring (Next.js, Monaco editor, live event stream).
  5. Truly agent-agnostic: leash bash, leash python3 agent.py — any command can be monitored. Not tied to Claude Code hooks.
  6. Commercial company: Backed by StrongDM, bringing enterprise PAM/zero-trust engineering to AI agent containment.

Positioning

Leash is the only "security infrastructure" framework in the corpus — it's not a methodology, not a quality gate, not a TDD enforcer. It is a containment system that makes AI agent misbehavior structurally impossible within defined bounds. The natural enterprise pairing with agent-governance-toolkit (application layer) + Leash (infrastructure layer) covers the full stack.

Observable Failure Modes

  • Default permissive policy: Leash starts with permit all — teams that install it without configuring Cedar policies get monitoring with no enforcement.
  • Docker requirement: Adds container infrastructure overhead. Not suitable for constrained environments (some CI systems, resource-limited hosts).
  • eBPF lint limitation: Cedar statements that eBPF "cannot evaluate" must be translated to the available enforcement techniques — some Cedar semantics may not map cleanly.
  • macOS native mode is experimental: eBPF on macOS is not native; the macOS app is a separate, less mature path.
  • Single policy file per session: Policies are updated at runtime via API but start from a single .cedar file — complex multi-tenant scenarios need careful design.

Explicit Antipatterns

  • Prompt-level safety ("please follow the rules") instead of structural enforcement
  • Running AI agents with unlimited filesystem and network access
  • Sharing API keys across multiple agent processes (no identity isolation)

04

Workflow

leash (strongdm) — Workflow

Session Workflow

1. User runs: leash --open claude (or codex, gemini, etc.)

2. Leash spins up two containers:
   - Agent container: agent binary + current dir bind-mounted
   - Leash container: eBPF LSM + HTTP MITM proxy + Cedar engine + Control UI

3. Mount prompt: "Mount ~/.claude into container? [yes/no/remember-global/remember-project]"

4. Cedar policy loaded from /cfg/leash.cedar
   - Default: permissive (allow all) — user must customize
   - Update at runtime: Control UI at localhost:18080 or POST /api/policies

5. Agent runs normally — unaware of Leash monitoring

6. Every action intercepted:
   - FileOpen → Cedar evaluates → permit or forbid
   - NetworkConnect → Cedar evaluates → permit or forbid
   - ProcessExec → Cedar evaluates → permit or forbid
   - MCP tool call → HTTP proxy intercepts → Cedar evaluates

7. Forbidden actions → immediate denial (structurally impossible)
   Permitted actions → execute + logged to audit trail

8. Control UI shows live event stream: what agent is doing in real time

9. Session ends → Leash container stops → audit log preserved

Policy Update Workflow

# Update policy via HTTP API (no restart needed)
curl -X POST -H 'Content-Type: text/plain' \
  --data-binary @./my-policy.cedar \
  http://localhost:18080/api/policies

Or edit via Control UI Monaco editor — changes apply instantly.
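The two failure modes a practitioner most wants caught before a push are the permissive default (a bare permit-all that gives monitoring with no enforcement) and statements the linter will reject as unenforceable. The script below is an added example, not Leash's own tooling, that covers both the policy anatomy described in the Prompts section and this update workflow: it runs quick offline checks on the Cedar text, then POSTs to /api/policies/validate and only afterwards to /api/policies. Assumptions not on the page: the statement splitting is a regex heuristic, not a Cedar parser (nested braces inside when/unless blocks and @annotations are not handled); the validate endpoint is assumed to take the same text/plain body as /api/policies and to answer non-2xx when statements are not enforceable; the sample policies are constructed.

```python
"""Pre-flight check and push for a Leash Cedar policy file.

Added example, not Leash's own tooling. Heuristic: statements are split with
a regex, not a Cedar parser (nested braces inside when/unless blocks and
@annotations are not handled). Assumed, not documented on the page:
/api/policies/validate takes the same text/plain body as /api/policies and
answers non-2xx when the statements are not enforceable.
"""
import re
import sys
import urllib.error
import urllib.request

# Constructed sample policies used by the self-checks.
PERMIT_ALL = 'permit (principal, action, resource);'

WORKSPACE_POLICY = '''
// constructed sample: workspace-only file access, allow-listed hosts
permit (
    principal,
    action == Action::"FileOpen",
    resource
) when {
    resource in [ Dir::"/workspace" ]
};

forbid (
    principal,
    action == Action::"NetworkConnect",
    resource
) when {
    !(resource in [ Host::"api.anthropic.com", Host::"github.com" ])
};
'''

STATEMENT_RE = re.compile(
    r"(?P<effect>permit|forbid)\s*\((?P<head>.*?)\)\s*"
    r"(?P<cond>(?:when|unless)\s*\{.*?\})?\s*;",
    re.DOTALL,
)
ACTION_EQ_RE = re.compile(r'action\s*==\s*Action::"([^"]+)"')
ACTION_IN_RE = re.compile(r"action\s+in\s*\[([^\]]*)\]")
ACTION_NAME_RE = re.compile(r'Action::"([^"]+)"')
RESOURCE_SCOPED_RE = re.compile(r"\bresource\s*(?:==|in\b)")


def parse_statements(policy_text):
    """Reduce each statement to its effect, action set and scoping."""
    text = re.sub(r"(?m)^\s*//[^\n]*", "", policy_text)  # drop full-line comments
    statements = []
    for m in STATEMENT_RE.finditer(text):
        head = m.group("head")
        if ACTION_EQ_RE.search(head):
            actions = {ACTION_EQ_RE.search(head).group(1)}
        elif ACTION_IN_RE.search(head):
            actions = set(ACTION_NAME_RE.findall(ACTION_IN_RE.search(head).group(1)))
        else:
            actions = {"*"}  # bare `action`: the statement spans every action type
        statements.append({
            "effect": m.group("effect"),
            "actions": actions,
            "resource_scoped": RESOURCE_SCOPED_RE.search(head) is not None,
            "conditional": m.group("cond") is not None,
        })
    return statements


def audit_policy(policy_text):
    """Return findings; an empty list means the quick checks passed."""
    statements = parse_statements(policy_text)
    if not statements:
        return ["no Cedar statements found"]
    findings = []
    for i, s in enumerate(statements, 1):
        broad = s["effect"] == "permit" and s["actions"] == {"*"}
        if broad and not s["resource_scoped"] and not s["conditional"]:
            findings.append(f"statement {i}: unconditional permit-all (monitoring only, no enforcement)")
        elif broad:
            findings.append(f"statement {i}: permit spans every action type; prefer one statement per action")
    permitted = set().union(*(s["actions"] for s in statements if s["effect"] == "permit"))
    if not permitted & {"FileOpen", "*"}:
        findings.append("no permit covers FileOpen; under Cedar's default deny every file open is refused")
    return findings


def push_policy(policy_text, base_url="http://127.0.0.1:18080", timeout=5):
    """Lint locally, validate on the Control UI, then install; raises on failure."""
    findings = audit_policy(policy_text)
    if findings:
        raise ValueError("refusing to push: " + "; ".join(findings))
    body = policy_text.encode()
    for path in ("/api/policies/validate", "/api/policies"):
        req = urllib.request.Request(base_url + path, data=body, method="POST",
                                     headers={"Content-Type": "text/plain"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read()
        except urllib.error.HTTPError as e:
            detail = e.read().decode(errors="replace")  # schema not documented; shown as-is
            raise RuntimeError(f"{path} returned {e.code}: {detail}") from e
    return True


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        push_policy(fh.read())
    print("policy validated and installed")
```

The validate-then-install order matters because /api/policies applies the policy immediately: a statement the linter drops as unenforceable would otherwise be silently absent from what is running.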

Phase-to-Artifact Map

Phase              Artifact
Container start    Cedar policy translated into eBPF LSM and proxy rules
Session running    Real-time event stream (filesystem + network + MCP)
Policy violation   Immediate deny + logged event
Session end        Audit trail (format varies by deployment)

Approval Gates

Gate                    Trigger                                        Type
Mount prompt            First run per project                          yes/no
Policy configuration    User's responsibility (default: permissive)    manual

No AI-Specific Workflow

Leash has no workflow phases, no spec generation, no task management. It is purely an execution environment — a security wrapper around any AI agent command.

06

Memory Context

leash (strongdm) — Memory & Context

State Storage

Storage         Path                                     Purpose
Config          ~/.config/leash/config.toml              Persistent mount decisions, project-specific images, volume configs
Cedar policy    /cfg/leash.cedar (in Leash container)    Active policy, updated at runtime via API
Audit trail     Container logs (format varies)           Record of all monitored events

Persistence Model

  • Global config: Mount decisions remembered globally or per-project
  • Session-scoped: eBPF monitoring state is per-container session
  • No cross-session AI memory: Leash has no AI context, memory, or handoff system — it's purely infrastructure

Context Injection

None — Leash is transparent to the agent. The agent running inside the container has no awareness of Leash monitoring.

Cross-Session Handoff

Not applicable — Leash is stateless across sessions beyond config persistence.

Security Properties of State

  • No file paths transmitted in telemetry
  • No policy contents transmitted
  • No usernames or hostnames in telemetry
  • Config file at ~/.config/leash/config.toml is local-only

07

Orchestration

leash (strongdm) — Orchestration

Multi-Agent

Not in the AI sense. Leash can wrap any agent command — if you run multiple agents simultaneously, each would need its own Leash container invocation.

Orchestration Pattern

None — Leash is an execution environment wrapper, not an orchestration system.

Execution Mode

Interactive-loop (wraps an interactive agent CLI session).

Multi-Model

No preference — Leash is model-agnostic. It wraps whatever binary is provided.

Isolation Mechanism

Container (Docker/Podman/OrbStack) + eBPF LSM kernel-level enforcement. This is the deepest isolation in the entire corpus — not just git worktrees or process separation, but full container isolation with kernel-enforced system call policies.

Enforcement Mechanism

From CEDAR.md:

"Because Leash relies on enforcement mechanisms (e.g. eBPF) which cannot evaluate Cedar policy, we translate Cedar intents into the available enforcement techniques. At policy authoring and validation time, we lint and validate the Cedar statements to ensure only those statements which are enforceable are saved and applied."

The Cedar engine translates policies into eBPF LSM rules and HTTP MITM proxy rules. Violations enforced in the kernel fail with EPERM (permission denied); violations enforced by the proxy fail at the proxy. Neither is a message to the agent or a hook exit code.

Consensus Mechanism

None.

Prompt Chaining

No.

Crash Recovery

The Leash container continues monitoring even if the agent process crashes and restarts within the session.

Cross-Tool Portability

High — Leash wraps any command: leash bash, leash python3 my_agent.py, leash any-command. Not limited to specific AI tools.

08

Ui Cli Surface

leash (strongdm) — UI / CLI Surface

CLI Binary

Binary    Purpose
leash     Main entry point: wraps agent commands in monitored containers

Key flags:

  • --open — launch agent + auto-open Control UI in browser
  • --image / LEASH_TARGET_IMAGE — specify custom container image
  • --policy / LEASH_POLICY_FILE — mount specific Cedar policy
  • --listen / LEASH_LISTEN — Control UI bind address (default: 127.0.0.1:18080). The policy API accepts a raw POST and no authentication is described, so keep the listener on loopback.
  • -v src:dst[:ro] — additional bind mounts
  • -e KEY=value — environment variable forwarding
  • --no-interactive — non-interactive mode

Local Web Dashboard (Control UI)

Attribute    Value
Port         18080
Stack        Next.js + React (from controlui/web/ structure)
Access       http://localhost:18080
Auto-open    --open flag launches the browser automatically

Features:

  • Cedar Policy Editor: Monaco-based with context-aware autocomplete, syntax highlighting, bracket handling, tab-to-commit snippets, inline validation markers
  • Event Stream: Real-time feed of filesystem, network, and MCP activity
  • Policy API (POST /api/policies): Update Cedar policy at runtime without restart
  • Completion API (POST /api/policies/complete): IDE-style autocompletion for Cedar
  • Validation API (POST /api/policies/validate): Inline lint of Cedar policies

Autocomplete Intelligence

From CEDAR.md:

"Suggestions are context-aware and cover keywords, actions, resources, MCP identifiers, HTTP rewrite snippets, and contextual keys such as context.header. The completion engine blends static catalogs with runtime hints: active policy resources, recent hostnames and header names observed by the websocket event ring, MCP servers and tools captured by the proxy observer."

mac-leash (macOS native mode)

A separate macOS app (mac-leash/) that enables "experimental native mode" — running agents without Docker by using macOS sandbox/security APIs. See docs/MACOS.md.

IDE Integration

None — Leash operates at the terminal/container layer, not inside an IDE.
