crasp — local-first security layerspec v0.2.4 · node ≥ 20 · mitno cloud · no telemetry

Local-first security layer for Claude Code

Every write. Every command. Checked first.

Your agent writes files, runs Bash, reads the web. crasp hooks into Claude Code and screens all of it against 55+ built-in rules — leaked secrets, destructive commands, prompt injection — before anything executes. No cloud. No telemetry. One command.

$npx @crasp/cli setup

free · MIT · Node 20+ · zero dependencies · setup verifies itself before claiming success

claude code — guarded by crasp

§ 01 — one command, wired end to end

Run it once. Protection is live before the prompt returns.

npx @crasp/cli setup installs a self-contained binary to ~/.crasp/bin and wires every hook with absolute paths — no PATH luck, no npx at runtime, nothing to keep running.

hook guard
Claude Code calls crasp before every Write, Edit, Read and Bash — and after everything it reads from files, the web, and command output
mcp server
Claude can ask crasp to check content before writing it — self-audit plus enforcement, defense in depth
git pre-commit
staged files scanned before every commit — secrets stop at the boundary
starter policy
crasp.policy.yml you can extend — your rules merge on top of the built-ins and can never weaken them
self-verification
setup fires a synthetic secret through the real installed hook — twice — and refuses to claim success unless it is actually denied

§ 02 — what it catches

Built for the surfaces where agents actually go wrong.

01 / SECRETS

25+ provider-grade secret matchers

AWS, Anthropic, OpenAI, GitHub, Stripe, Slack, database URLs, private keys — denied at write time, plus a Shannon-entropy detector for tokens nobody has a regex for. Findings are born redacted: the secret itself never touches a log.

secret-aws-akiasecret-stripesecret-pem+25 more

02 / BASH

Every command screened first

rm -rf, force-pushes, curl | sh, privilege escalation, secret exfiltration — surfaced as an approval dialog before they run. crasp never hard-blocks Bash: you always make the final call.

ask, not denypre-approve routine commands

03 / INBOUND

Prompt-injection defense

Everything your agent reads — web pages, files, command output — is scanned for injected instructions and planted secrets before it re-enters context. Flagged content is never echoed back; Claude just gets told not to trust it.

read → screened → context

04 / VISIBILITY

See it work, live

crasp panel opens a live web dashboard of every decision across all your protected projects — a verdict at a glance, a streaming event feed, a hover-able chart over any range from 10 to 90 days, and a Live view. crasp status proves the install is healthy and names the exact fix when it is not.

✓ clean⚠ ask🛡 blockedsee the dashboard ↓

§ 03 — verified, not promised

Security tools that fail silently are worse than none.

The most dangerous state a guardrail can be in is looking installed while doing nothing. crasp is built against exactly that failure.

Setup does not report success until it has proven the installed hook blocks a secret: once by spawning the installed binary directly, and once by executing the exact command line written into .claude/settings.json through a real shell — quoting, paths and all.

Months later, crasp status detects rot — a deleted binary, a Node version that got uninstalled, a legacy hook format — and tells you the one command that fixes it.

verified
$ npx @crasp/cli setup
Installed crasp 0.2.4 to ~/.crasp/bin/crasp.js
Verified: installed bundle blocks a test secret.
… wrote policy, scenarios, hooks, MCP server, git hook
Verified: the exact hook command written to .claude/settings.json works.
Crasp setup complete — protection verified.

$ crasp status
"installHealth": {
"ok": true,
"bundleVersion": "0.2.4",
"problems": []
}

§ 04 — the live dashboard

One dashboard for every protected project.

crasp panel opens a local dashboard of everything crasp is doing across all your projects. It binds to 127.0.0.1 only — your activity never leaves your machine.

The verdict at a glance

Today's checked, asked and blocked counters, a verdict banner the moment something needs a look, and a trend of every decision over any range from 10 to 90 days — hover any day for the breakdown, or switch to Live.

✓ clean⚠ asked🛡 blocked
127.0.0.1:4269 — crasp panel
crasp panel overview: verdict banner, today's checked, asked and blocked counters, and a range-selectable activity chart

Every decision, in plain language

One row per check, across all your projects, streaming in as Claude works. Secrets are redacted before they are ever written — the log never holds the real value.

filter: all · flagged · blocked
activity
crasp panel activity feed: checks with asked, clean, noted and blocked outcomes, secrets redacted

§ 05 — caveats, read before trusting

Honest about what it is not.

!

Heuristic, not a sandbox. Detection is pattern-based, not a shell parser — determined obfuscation can evade rules. crasp reduces risk; it does not make an agent safe to run unattended.

!

Bash is ask-only. Dangerous commands surface a dialog — crasp never hard-blocks them. The human stays the authority.

!

Fails open by design. If crasp crashes, Claude Code keeps working rather than freezing your session — and crasp status exists precisely to catch a silently broken install.

!

Local means local. No cloud, no telemetry, no account. The activity log lives in .crasp/ in your project and never leaves your machine.