Guardrails for the vibe coding era — real-time AI agent guardian with MCP write interception, git hooks, and quarantine

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

deadpush

License: MIT

Your personal AI Agent Guardian.
Protects you from the mistakes, secrets, and context pollution that AI coding agents (Claude, Cursor, Windsurf, etc.) inevitably create — even when you're not watching.

Run it once with deadpush protect --daemon and it runs in the background forever, monitoring your filesystem in real time.


The Problem (2026 AI Coding Reality)

You tell your agent to "add the new feature" and walk away.

30 minutes later you come back to:

  • A claude.md or .cursorrules file committed to the repo
  • Hardcoded API keys in .env files the agent "helpfully" created
  • 47 new "temporary" scripts and scratchpads
  • LLM context files like CLAUDE.md or agents.md committed to the repo

deadpush is the always-on guardian that catches this the moment it happens.

One Command. Real Protection.

pip install deadpush
deadpush protect --daemon

That's it.

It will:

  • Install a smart pre-push git hook
  • Merge AI-specific ignore patterns into .cursorignore, .claudeignore, and .gitignore
  • Start a persistent background process that watches your entire repo
  • Automatically quarantine dangerous files the second they appear
  • Track a Safety Score that reacts intelligently when multiple agents are going wild

While you're at the gym, in a meeting, or sleeping, deadpush is on duty.

See It In Action

# After running protect --daemon, try simulating an agent:
mkdir -p .deadpush-e2e-sandbox
touch .deadpush-e2e-sandbox/claude.md
echo 'OPENAI_API_KEY=sk-...' > .deadpush-e2e-sandbox/.env.bad

deadpush status
deadpush quarantine list

You'll see the guardian react, drop the Safety Score, and quarantine the files.

For a full automated demo of guardian features (burst simulation, hooks, MCP):

python scripts/full_e2e_test.py --simulate-agent --burst

Key Features

  • True background guardian — Survives terminal close, supports systemd/launchd autostart
  • Smart multi-agent Safety Score — Penalizes bursts of dangerous activity from parallel agents
  • Automatic quarantine (never hard-delete) — Easy deadpush quarantine list / restore
  • Local Control Interface for agents — Your AI coding agents can query the guardian themselves (GET /status, /quarantine-list, etc. on localhost)
  • Cross-platform git hooks — Pre-commit, post-commit, and pre-push guardrails
  • Debris detection — LLM context files, vibe scratchpads, hardcoded secrets

Commands You'll Actually Use

deadpush protect --daemon     # The one command you run per repo
deadpush status               # Is the guardian alive? What's the Safety Score?
deadpush quarantine list      # See what it caught
deadpush doctor               # Health check (hooks, MCP, guardian)
deadpush mcp                  # MCP server for AI agents (guardrailed writes)

Why This Matters in the AI Era

AI agents are incredible productivity multipliers.

They are also incredibly good at creating technical debt, leaking secrets, and polluting your context — especially when you give them long-running tasks and step away.

deadpush is the missing safety net.

Installation

pip install deadpush

Then run deadpush protect --daemon in any repo you care about.

Windows Users

The pre-push hook ships as a Python script + .cmd shim. It works from PowerShell, Command Prompt, and Git Bash. The deadpush protect command records the exact Python interpreter so everything works even inside virtualenvs.

Development

git clone https://github.com/harris-ahmad/deadpush
cd deadpush
./scripts/dev_install.sh

On macOS, use dev_install.sh instead of bare pip install -e . — see CONTRIBUTING.md if imports fail outside the repo.

Validating hardened mode

Hardened mode's guarantees (privilege separation, an agent-unkillable daemon, root-immutable schg hooks, repo ACLs, real-time quarantine, hook self-heal, and a clean teardown) require root and a real service manager, so CI can't verify them. Run the end-to-end QA harness manually on a clean machine or VM:

./scripts/hardened_qa.sh

It provisions a throwaway repo, runs deadpush protect --hardened, asserts every guarantee against live system state, then uninstalls and verifies nothing is left behind. Run it as your normal user (not root); it escalates with sudo only where needed. It refuses to run if a _deadpush account already exists, so it can't disturb a real hardened install (pass --allow-existing to override, --keep to skip teardown for inspection).

Architecture

deadpush is a closed-loop guardian with four cooperating layers:

1. Intercept Layer (deadpush/intercept.py)

The real-time guardrail engine. Every file write is checked via enforce_content():

  • Security guardrails: eval, subprocess, pickle deserialization, SQL injection patterns
  • Secret detection: Hardcoded API keys, tokens, passwords (with path-aware lowering in test/mock files)
  • Prompt injection: AI prompt manipulation patterns
  • Destructive change detection: Near-empty rewrites, >50% line reduction
  • Sensitive config protection: CI/CD, deployment, Docker files
  • Layer violations: Architecture import rules
  • Debris detection: LLM context files, scratchpads, secrets

Learned false positive suppression: Adjudicated false positives persist to .deadpush/learned_patterns.json and auto-suppress on future checks.
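
A compact sketch of three of the checks listed above (debris file names, secret detection with path-aware lowering, and the >50% line-reduction rule). This is an added example, not deadpush's own code: `check_write`, `verdict`, the regex, the directory names and the four-line minimum are all assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Illustrative rules only; the names, patterns and thresholds are assumptions.
DEBRIS_NAMES = {"claude.md", "agents.md", ".cursorrules"}
TEST_DIRS = {"test", "tests", "mocks", "fixtures"}
SECRET_RE = re.compile(
    r"(?i)\b[A-Z0-9_]*(?:api_key|token|password|secret)[A-Z0-9_]*"
    r"\s*[=:]\s*['\"]?([^\s'\"]{8,})"
)


def is_test_path(path: str) -> bool:
    p = PurePosixPath(path)
    return bool(TEST_DIRS & set(p.parts[:-1])) or p.name.startswith("test_")


def check_write(path: str, new: str, old: Optional[str] = None) -> list:
    """Return (severity, reason) findings for one proposed write."""
    findings = []
    if PurePosixPath(path).name.lower() in DEBRIS_NAMES:
        findings.append(("block", "debris: LLM context file"))
    for m in SECRET_RE.finditer(new):
        line_no = new.count("\n", 0, m.start()) + 1
        # Path-aware lowering: the same match only warns in test/mock files.
        severity = "warn" if is_test_path(path) else "block"
        # Report the location, never the matched value, so logs stay clean.
        findings.append((severity, f"secret: credential assignment on line {line_no}"))
    if old is not None:
        before, after = len(old.splitlines()), len(new.splitlines())
        # More than half the lines gone; tiny files are exempt to limit noise.
        if before >= 4 and after * 2 < before:
            findings.append(("block", f"destructive: {before} -> {after} lines"))
    return findings


def verdict(findings: list) -> str:
    """One blocking finding is enough to quarantine; warnings alone pass."""
    return "quarantine" if any(s == "block" for s, _ in findings) else "allow"


if __name__ == "__main__":
    sample = 'OPENAI_API_KEY="sk-constructed-example-0000"\n'  # constructed, not a real key
    for p in ("src/app.py", "tests/test_app.py"):
        print(p, verdict(check_write(p, sample)))
```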

2. Guardian Daemon (deadpush/guard.py)

Filesystem watcher that quarantines dangerous writes, maintains the Safety Score, and exposes a local control API for agents.

3. Git Hooks (deadpush/hooks.py)

Pre-commit, post-commit, and pre-push hooks all call the same enforce_content() kernel — no bypass between MCP, daemon, and git.
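
How a pre-push hook can decide which commits to hand to a content check, as an added example that is not deadpush's own code. Git feeds the hook one line per pushed ref on stdin (`<local ref> <local sha> <remote ref> <remote sha>`); `run_hook` and its `check(path, content)` callback are hypothetical names standing in for the shared check.

```python
import subprocess
import sys


def push_ranges(stdin_text: str) -> list:
    """Turn pre-push stdin into `git rev-list` argument lists, one per pushed ref."""
    ranges = []
    for line in stdin_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _local_ref, local_sha, _remote_ref, remote_sha = fields
        if set(local_sha) == {"0"}:
            continue  # ref deletion: no new content is uploaded
        if set(remote_sha) == {"0"}:
            # New remote ref: scan commits no remote-tracking branch already has.
            ranges.append([local_sha, "--not", "--remotes"])
        else:
            ranges.append([f"{remote_sha}..{local_sha}"])
    return ranges


def git(*args: str) -> str:
    # check=True makes the hook fail closed if git itself errors out.
    return subprocess.run(["git", *args], check=True, capture_output=True,
                          text=True, errors="replace").stdout


def pushed_blobs(rev_args: list):
    """Yield (commit, path, content) for files added or modified by pushed commits."""
    for commit in git("rev-list", *rev_args).split():
        names = git("diff-tree", "--root", "--no-commit-id", "--name-only",
                    "-r", "--diff-filter=AM", commit)
        for path in names.splitlines():
            # Read the committed blob, not the working tree, which may differ.
            yield commit, path, git("show", f"{commit}:{path}")


def run_hook(check) -> int:
    """check(path, content) -> bool is a hypothetical stand-in for the shared kernel."""
    bad = [(c[:12], p) for args in push_ranges(sys.stdin.read())
           for c, p, text in pushed_blobs(args) if not check(p, text)]
    for commit, path in bad:
        print(f"blocked: {path} in {commit}", file=sys.stderr)
    return 1 if bad else 0  # a non-zero exit makes git abort the push
```

Scanning every pushed commit rather than only the tip matters because a secret added in one commit and deleted in the next is still uploaded with the history.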

4. MCP Server (deadpush/mcp_server.py)

Stdio MCP server exposing guardian tools: write_file, check_file, verify_write, quarantine management, feedback loops, and danger-gated config tools.

Data Flow

Agent writes file (MCP write_file or native editor)
       ↓
enforce_content() — same kernel for MCP, hooks, and guardian
       ↓
Approved?  →  Blocked → Quarantine + Feedback + Safety Score drop
  Yes
       ↓
verify_write (optional) → Run tests → Pass? → Write
                                              Fail → Quarantine + Restore from git
       ↓
git commit → pre-commit hook → post-commit hook
git push   → pre-push hook (server-side GitHub Action available)

Philosophy

Set it and forget it.

The best guardian is one you forget exists — until the moment it saves you from your own agent.


Star the repo if you think every developer running AI coding agents in 2026 should have this running in the background.

For the complete source and architecture, see the implementation notes in the repo.

Download files

Source Distribution

deadpush-0.2.3.tar.gz (190.8 kB)

Uploaded Source

Built Distribution

deadpush-0.2.3-py3-none-any.whl (99.7 kB)

Uploaded Python 3

File details

Details for the file deadpush-0.2.3.tar.gz.

File metadata

  • Download URL: deadpush-0.2.3.tar.gz
  • Upload date:
  • Size: 190.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for deadpush-0.2.3.tar.gz
Algorithm Hash digest
SHA256 fb699f29aff5f5c766a31292e8d9ac62fe530587ed6aaea1758ae3d0502078c9
MD5 355553202ee64a1c8e0e34fbeb6190f1
BLAKE2b-256 813125b0a4708e2ae5bba6a50f34da68a2a341e7ee35885b3ac377dc76b448d1

File details

Details for the file deadpush-0.2.3-py3-none-any.whl.

File metadata

  • Download URL: deadpush-0.2.3-py3-none-any.whl
  • Upload date:
  • Size: 99.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3

File hashes

Hashes for deadpush-0.2.3-py3-none-any.whl
Algorithm Hash digest
SHA256 a417380b619e72121299716337f20c154c18b042a74fe78077579370fc93c592
MD5 b0286da6005a1e894b45eb3de8c5e0f8
BLAKE2b-256 57d7d1d48ada54db62b1730a4c9cd71f27ca19c4d9fd33e53519f4299acec0f9
