Skip to main content

AI IDE security hook: blocks directories, scans secrets, and protects AI interactions

Project description

AI Guardian

AI Guardian Logo

AI IDE security hook: controls MCP/skill permissions, blocks directories, detects prompt injection, scans secrets

License Python 3.9+ PyPI version

AI Guardian provides comprehensive protection for AI IDE interactions through multiple security layers.

Security Disclaimer

AI Guardian is not a silver bullet and cannot guarantee detection of all security threats.

  • Prompt injection detection may miss novel or obfuscated attacks
  • Secret scanning depends on scanner patterns and may miss custom secret formats
  • Attackers evolve continuously — new bypass techniques emerge constantly
  • Fail-open by design — prioritizes availability over security (errors allow operations)

Use AI Guardian as ONE layer in a defense-in-depth security strategy, not as your only protection.

Combine with:

  • Code review processes
  • CI/CD security scanning
  • Network security (firewalls, egress rules)
  • Secret management (Vault, AWS Secrets Manager)

See Security Design for limitations and architecture.

Quick Start

One-line install (creates config, installs scanner, sets up hooks):

curl -fsSL https://raw.githubusercontent.com/itdove/ai-guardian/main/install.sh | bash -s -- --ide claude

Or install manually:

pip install ai-guardian
ai-guardian setup --ide claude --create-config --install-scanner

This:

  • Installs a scanner engine (gitleaks)
  • Creates ai-guardian.json config with secure defaults
  • Installs IDE hooks (PreToolUse, PostToolUse, UserPromptSubmit)
  • Sets up the MCP security advisor for AI-aware protection

MCP servers and Skills are blocked by default. Built-in tools (Bash, Read, Write, Edit) are allowed and scanned by hooks, but MCP servers and Skills require explicit allow rules. See Tool Policy for why and how to allow them.

Daemon & Tray

The daemon provides faster hook processing. The tray is a separate process that discovers and manages daemons across local, Podman/Docker containers, and Kubernetes pods:

ai-guardian daemon start          # Start headless daemon (background: -b)
ai-guardian tray start -b         # Start system tray in background
ai-guardian tray stop             # Stop the tray
ai-guardian tray --install --autostart  # Add desktop shortcut + launch on login

The tray auto-discovers running daemons and shows per-daemon submenus with Statistics, Console, Pause/Resume, and Start/Stop controls. On first launch, the tray will offer to create a desktop shortcut automatically. See Multi-Daemon Tray for full documentation.

Breaking change in v1.8.0: daemon start no longer launches the tray automatically. Run ai-guardian tray start -b separately, or use ai-guardian tray --install --autostart for a permanent desktop shortcut with login startup.

Security Profiles

Choose a profile that matches your environment:

ai-guardian setup --ide claude --create-config --profile @minimal --install-scanner
ai-guardian setup --ide claude --create-config --profile @strict --install-scanner
Profile Secrets PII Prompt Injection SSRF
@minimal block warn low warn
@standard (default) block block medium block
@strict block block high block

Features

Feature Description Docs
Secret Scanning Multi-layered detection of API keys, tokens, passwords docs/security/SECRET_SCANNING.md
PII Detection Detect personally identifiable information docs/security/SECRET_SCANNING.md
Prompt Injection Language-aware detection with tree-sitter AST parsing and configurable sensitivity docs/security/PROMPT_INJECTION.md
Image Scanning OCR-based secret and PII detection in screenshots and images docs/security/IMAGE_SCANNING.md
Unicode Attack Detection Zero-width chars, bidi override, homoglyphs docs/security/UNICODE_ATTACKS.md
SSRF Protection Block private IPs, cloud metadata, dangerous schemes docs/security/SSRF_PROTECTION.md
Config File Scanning Detect exfiltration of sensitive config files docs/security/CREDENTIAL_EXFILTRATION.md
Directory Blocking .ai-read-deny markers + config-based rules docs/security/DIRECTORY_RULES.md
Tool Permissions Allow/deny lists for Skills, MCP, Bash, Write docs/TOOL_POLICY.md
Violation Logging JSON audit trail of all blocked operations docs/VIOLATION_LOGGING.md
Sanitize Command Clean sensitive data from files docs/security/SECRET_REDACTION.md
Interactive Console TUI for managing configuration visually docs/CONSOLE.md
Scanner Management Install and manage 8 scanner engines (including built-in toml-patterns) docs/SCANNER_INSTALLATION.md
Pre-commit Hook Scan staged files for secrets before commit docs/PRE_COMMIT.md
Inline Annotations Suppress false positives with ai-guardian:allow and block annotations docs/ANNOTATIONS.md
Self-Protection Prevents AI from disabling its own security controls docs/SECURITY_DESIGN.md
MCP Security Advisor Read-only security tools for AI agents (proactive checks) docs/MCP_SERVER.md
MCP Security Scanning Audit MCP server configs and source code for supply chain risks docs/MCP_SERVER.md
Project Config Overlay Per-repo config with immutable fields and global-only section protection docs/CONFIGURATION.md
Multi-Daemon Tray Discover and manage daemons across local, Podman/Docker, and Kubernetes docs/MULTI_DAEMON_TRAY.md
Desktop Shortcut & Autostart Install tray as desktop app with optional login startup docs/MULTI_DAEMON_TRAY.md
Tray Plugins Custom menu items with native tkinter popup forms (Textual terminal fallback), platform-aware commands docs/MULTI_DAEMON_TRAY.md
TOML Pattern Engine Built-in Python scanner with 267 pre-compiled patterns, no binary required docs/TOML_PATTERNS.md
Multi-Agent Support Hook adapters for 12 AI coding agents with normalized input/output docs/AGENT_SUPPORT.md

Default Behavior (No Configuration File)

ai-guardian provides protection immediately with zero configuration:

Feature Default Notes
Secret scanning Enabled Requires gitleaks/scanner installed
Prompt injection detection Enabled Heuristic detector
Config file scanning Enabled Detects exfiltration patterns
SSRF protection Enabled Blocks private IPs, metadata endpoints
Immutable file protection Enabled Cannot be disabled
.ai-read-deny markers Enabled Always respected
Violation logging Enabled Logs to ~/.local/state/ai-guardian/violations.jsonl
Built-in tool permissions Allowed Bash, Read, Write, Edit — protected by hooks
MCP server permissions Blocked Require explicit allow rules (third-party code)
Skill permissions Blocked Require explicit allow rules (can override AI behavior)
Directory rules Allow all Configure directory_rules to restrict

Configuration

Config file: ~/.config/ai-guardian/ai-guardian.json (or $XDG_CONFIG_HOME/ai-guardian/)

ai-guardian setup --create-config                          # Secure defaults (Skills/MCP blocked)
ai-guardian setup --create-config --permissive              # Permissive (all tools allowed)
ai-guardian setup --create-config --profile @minimal        # Personal projects, low friction
ai-guardian setup --create-config --profile @strict         # Enterprise SOC2/compliance
ai-guardian setup --list-profiles                           # List available profiles

Configuration Locations (Precedence Order)

  1. User config: ~/.config/ai-guardian/ai-guardian.json (base)
  2. Project config: .ai-guardian/ai-guardian.json (merged on top of user config, see docs)
  3. Remote configs (highest, permissions only): Fetched from URLs in remote_configs
  4. Defaults: Built-in defaults when no config exists

Setup Command

ai-guardian setup                    # Auto-detect IDE
ai-guardian setup --ide claude       # Claude Code
ai-guardian setup --ide cursor       # Cursor IDE
ai-guardian setup --ide copilot      # GitHub Copilot
ai-guardian setup --dry-run          # Preview changes
ai-guardian setup --ide claude --mcp # Enable MCP security advisor (opt-in)
ai-guardian setup --remote-config-url https://example.com/policy.json

Run ai-guardian setup after upgrading to get the latest hooks. Use --mcp to enable the MCP security advisor server — the AI can then check security proactively before acting. See docs/MCP_SERVER.md for details and docs/CONFIGURATION.md for other setup options.

Action Modes

Each security policy supports three enforcement levels:

Mode Execution User Warning Use Case
block Blocked Error shown Enforce policy (default)
warn Allowed Warning shown Educate during rollout
log-only Allowed Silent Monitor silently

See docs/CONFIGURATION.md for per-feature action mode configuration.

Integration

IDE Prompt Scanning File Scanning Output Scanning Status
Claude Code CLI Yes Yes PostToolUse (ready) Full support
VS Code Claude Yes Yes PostToolUse (ready) Full support
Cursor IDE Yes Yes Yes Full support
GitHub Copilot Yes Yes Planned Full support
Aider No Yes (commit-time) No Git hook

How It Works

User prompt / Tool use
       |
  [MCP Advisor] -----> AI checks proactively (optional)
       |
  [AI Guardian Hook] -- Enforcement (mandatory)
       |
  MCP/Skill check --> Not allowed? --> BLOCK
       |
  Directory check --> .ai-read-deny? --> BLOCK
       |
  Prompt injection --> Detected? -----> BLOCK
       |
  Secret scan ------> Found? --------> BLOCK
       |
  ALLOW --> Send to AI / Execute tool

The MCP advisor lets the AI check before acting (advisory). Hooks enforce during execution (mandatory). PostToolUse hooks scan tool outputs using the same pipeline. See docs/MCP_SERVER.md for the MCP server and docs/SECURITY_DESIGN.md for full architecture.

Environment Variables

Variable Description Default
AI_GUARDIAN_CONFIG_DIR Custom config directory ~/.config/ai-guardian
AI_GUARDIAN_STATE_DIR State directory (logs, violations) ~/.local/state/ai-guardian
AI_GUARDIAN_CACHE_DIR Cache directory (patterns) ~/.cache/ai-guardian
AI_GUARDIAN_IDE_TYPE Override IDE auto-detection Auto-detect
AI_GUARDIAN_PATTERN_TOKEN Default pattern server auth token (all sections) None

Each detection feature (secret_scanning, secret_redaction, ssrf_protection, config_file_scanning) can use its own pattern server with independent auth via token_env or token_file. See docs/PATTERN_SERVER.md.

Requirements

  • Python 3.9+ (3.10+ highly recommended — several features including AST-aware scanning, MCP server, and web console require Python 3.10+)
  • Scanner engine: gitleaks, betterleaks, leaktk, trufflehog, detect-secrets, secretlint, or gitguardian
  • GNOME Linux: AppIndicator extension for system tray icon (setup steps)

See docs/SCANNER_INSTALLATION.md for installation instructions.

Installation

pip install ai-guardian                   # Stable release from PyPI
pip install ai-guardian[skill-discovery]  # With auto-discovery from GitHub/GitLab
# Optional: tkinter for native tray plugin popup dialogs (see docs/MULTI_DAEMON_TRAY.md)
# RHEL/Fedora: dnf install python3-tkinter | Debian: apt install python3-tk
# macOS: included with system Python; pyenv users need tcl-tk (brew install tcl-tk)

Warning: The main branch contains unreleased development code. Always install stable releases from PyPI (pip install ai-guardian). Do not git clone + pip install -e . for production use — development builds may contain breaking changes, incomplete features, or experimental code that has not been release-tested.

For development and contributing:

git clone https://github.com/itdove/ai-guardian.git
cd ai-guardian && pip install -e .

Dev builds: CI builds a wheel on every PR and merge. Download from the Actions tab for testing only; use PyPI for stable releases.

Testing

pip install ai-guardian[dev]                     # Install test dependencies
pytest                                          # Run all tests
pytest --cov=ai_guardian --cov-report=term      # With coverage

Or using uv:

uv run --extra dev python -m pytest             # Run all tests
uv run --extra dev python -m pytest --cov=ai_guardian --cov-report=term  # With coverage

See AGENTS.md for testing guidelines and CI/CD details.

Contributing

We welcome contributions! This repo uses interaction limits, so:

  • Bug reports & feature requests -- use GitHub Discussions
  • Code contributions -- fork + PR (not affected by interaction limits)
gh repo fork itdove/ai-guardian --clone
cd ai-guardian
git checkout -b feature-name
# Make changes, commit, push
gh pr create --web

See CONTRIBUTING.md for complete guidelines.

Documentation

Full documentation is available in the docs/ folder:

FAQ

Q: Why no prompt injection examples in the docs? Publishing attack patterns makes them easier to misuse and would cause ai-guardian to block its own documentation. Use test: prefixed strings for testing. See OWASP LLM Top 10 for research.

Q: What's permissions vs permissions_directories vs directory_rules? permissions = which tools can run. permissions_directories = auto-discover tool permissions from repos. directory_rules = which paths can be accessed. See docs/TOOL_POLICY.md and docs/security/DIRECTORY_RULES.md.

License

Apache 2.0 - see LICENSE file for details.

Acknowledgments

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ai_guardian-1.10.0.tar.gz (10.2 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ai_guardian-1.10.0-py3-none-any.whl (9.6 MB view details)

Uploaded Python 3

File details

Details for the file ai_guardian-1.10.0.tar.gz.

File metadata

  • Download URL: ai_guardian-1.10.0.tar.gz
  • Upload date:
  • Size: 10.2 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ai_guardian-1.10.0.tar.gz
Algorithm Hash digest
SHA256 570f448feb2c5b1f53907bc8ab023670a47db37c7122e99902c59ffa59e9eb4e
MD5 7fbe8b24c4e42904e04ec8e78e16ded5
BLAKE2b-256 12b531cdd2f3c66d1e9a86f3868e4427047b0c34ac134e7855973ee4770df666

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_guardian-1.10.0.tar.gz:

Publisher: publish.yml on itdove/ai-guardian

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ai_guardian-1.10.0-py3-none-any.whl.

File metadata

  • Download URL: ai_guardian-1.10.0-py3-none-any.whl
  • Upload date:
  • Size: 9.6 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for ai_guardian-1.10.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2f9027c420d7938a80aaf99d0ce7444d16483a9876ed052770293b58c893dcb6
MD5 f3e3d435407c9a654c7401f6af20a0e2
BLAKE2b-256 82b6ef46e9ffdd7737c61e850e0641839772519a1feea2bbb575456796098928

See more details on using hashes here.

Provenance

The following attestation bundles were made for ai_guardian-1.10.0-py3-none-any.whl:

Publisher: publish.yml on itdove/ai-guardian

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page