Local-first security layer for Claude Code
Every write. Every command. Checked first.
Your agent writes files, runs Bash, reads the web. crasp hooks into Claude Code and screens all of it against 55+ built-in rules — leaked secrets, destructive commands, prompt injection — before anything executes. No cloud. No telemetry. One command.
§ 01 — one command, wired end to end
Run it once. Protection is live before the prompt returns.
npx @crasp/cli setup installs a self-contained binary to ~/.crasp/bin and wires every hook with absolute paths — no PATH luck, no npx at runtime, nothing to keep running.
Write, Edit, Read and Bash — and after everything it reads from files, the web, and command outputcrasp.policy.yml you can extend — your rules merge on top of the built-ins and can never weaken them§ 02 — what it catches
Built for the surfaces where agents actually go wrong.
01 / SECRETS
25+ provider-grade secret matchers
AWS, Anthropic, OpenAI, GitHub, Stripe, Slack, database URLs, private keys — denied at write time, plus a Shannon-entropy detector for tokens nobody has a regex for. Findings are born redacted: the secret itself never touches a log.
02 / BASH
Every command screened first
rm -rf, force-pushes, curl | sh, privilege escalation, secret exfiltration — surfaced as an approval dialog before they run. crasp never hard-blocks Bash: you always make the final call.
03 / INBOUND
Prompt-injection defense
Everything your agent reads — web pages, files, command output — is scanned for injected instructions and planted secrets before it re-enters context. Flagged content is never echoed back; Claude just gets told not to trust it.
04 / VISIBILITY
See it work, live
crasp panel opens a live web dashboard of every decision across all your protected projects — a verdict at a glance, a streaming event feed, a hover-able chart over any range from 10 to 90 days, and a Live view. crasp status proves the install is healthy and names the exact fix when it is not.
§ 03 — verified, not promised
Security tools that fail silently are worse than none.
The most dangerous state a guardrail can be in is looking installed while doing nothing. crasp is built against exactly that failure.
Setup does not report success until it has proven the installed hook blocks a secret: once by spawning the installed binary directly, and once by executing the exact command line written into .claude/settings.json through a real shell — quoting, paths and all.
Months later, crasp status detects rot — a deleted binary, a Node version that got uninstalled, a legacy hook format — and tells you the one command that fixes it.
§ 04 — the live dashboard
One dashboard for every protected project.
crasp panel opens a local dashboard of everything crasp is doing across all your projects. It binds to 127.0.0.1 only — your activity never leaves your machine.
The verdict at a glance
Today's checked, asked and blocked counters, a verdict banner the moment something needs a look, and a trend of every decision over any range from 10 to 90 days — hover any day for the breakdown, or switch to Live.

Every decision, in plain language
One row per check, across all your projects, streaming in as Claude works. Secrets are redacted before they are ever written — the log never holds the real value.

§ 05 — caveats, read before trusting
Honest about what it is not.
Heuristic, not a sandbox. Detection is pattern-based, not a shell parser — determined obfuscation can evade rules. crasp reduces risk; it does not make an agent safe to run unattended.
Bash is ask-only. Dangerous commands surface a dialog — crasp never hard-blocks them. The human stays the authority.
Fails open by design. If crasp crashes, Claude Code keeps working rather than freezing your session — and crasp status exists precisely to catch a silently broken install.
Local means local. No cloud, no telemetry, no account. The activity log lives in .crasp/ in your project and never leaves your machine.