Show HN: Policy enforcement for Claude Code, Cursor, and Codex

Hacker News
Published
0
0
Show HN: Policy enforcement for Claude Code, Cursor, and Codex
Read the full story at Hacker NewsOriginal

Show HN: Runtime authorization for Claude Code, Cursor, and Codex

Hi HN, Fernando and I built Kastra. Kastra intercepts AI agent tool calls and evaluates them against deterministic policies before they execute. This is aimed at developers using coding agents like Claude Code, Codex, Cursor, and OpenClaw.

We built Kastra after one of our Cursor agents almost executed DELETE FROM customers WHERE status='test' against a production database. We caught it before it ran, but it made us realize that nothing in our stack actually decided what the agent was allowed to do. What mattered for us wasn't the mistake; it was realizing nothing in our setup would have stopped it if we weren't actively on top of it. LLMs are probabilistic, and prompts influence behavior, but they don't deterministically decide what an agent is allowed to do. Without a deterministic policy system, nothing could have decided what it was allowed to do.

Kastra pushes an allow, hold, and deny decision before the action runs. You can build these policies in plain English from the web app. The interception engine evaluates the tools, targets, and parameters of every action. We also shipped many policy packs covering common high-risk scenarios, and every decision is recorded in an immutable audit trail. The desktop app, CLI, dashboard, and Recon scan are free to use for developers.

If you often use Claude, Codex, Openclaw, and Cursor, Kastra can run a scan command on which risky actions your agents have already taken and automatically build rules to avoid them from happening again. Recon is a feature of Kastra that scans your local agent history. In order to run this scan, execute the commands below in your coding agent.

brew install kastra-labs/tap/kastra-edge

kastra-edge scan

The scan reads your local agent session history, and it shows all the risky actions your agent has already taken before, the secrets written to tracked files, production databases touched, force pushes, curl-to-shell, and more. This runs on your machine, and secrets never leave. In our own use cases, we kept finding things we'd forgotten or didnt know agents had done.

Each finding can be converted into a runtime policy, letting you delegate more work to AI without trusting the model itself. Kastra intercepts all workloads at runtime and makes sure these policy evaluations typically complete in under a millisecond. Instead of trusting the model, you trust the deterministic rules that govern its actions.

One problem we are still working on to improve the stack is how to manage teams of agents with conflicting policies. We would love feedback from anyone building multi-agent systems. Fernando and I will be reviewing the comments. We are super curious what your first scan finds. Please post results below so we can see what the most common patterns are and adjust policy packs for our users based on your feedback.

Documentation: https://kastra.ai/docs

Download for MacOS Kastra Edge: https://kastra.ai/edge/download.html

Check Kastra in action today: https://www.youtube.com/watch?v=6TUETu5lb3Q&feature=youtu.be


Comments URL: https://news.ycombinator.com/item?id=48847526

Points: 4

# Comments: 0

Related Markets

All Markets
View full chart →
View Full Chart
View full chart →
View Full Chart

Market data may be delayed. Not financial advice.

Reader Reactions
Reading the article

💡 AI analysis provides alternative perspectives on current events

Support Alto & Gab

Alto is funded entirely by readers like you. Your donation helps us continue delivering curated news from a right-wing Christian Nationalist perspective, powered by Gab AI.

Gab Shop

Support free speech with official merchandise

View All Products

Install Alto on Your Phone

Add Alto to your home screen for quick access to breaking news — no app store required.

iPhone & iPad

Using Safari Browser

1

Open alto.gab.com in Safari

alto.gab.com
2

Tap the Share button

at the bottom of Safari
3

Tap "More"

More
4

Scroll and tap "Add to Home Screen"

Add to Home Screen

Tap "Add" to confirm

Alto will appear on your home screen like any other app!

Android

Using Chrome Browser

1

Open alto.gab.com in Chrome

alto.gab.com
2

Tap the menu button

three dots in top right
3

Tap "Add to Home screen"

Add to Home screen

Tap "Add" to confirm

Alto will appear on your home screen like any other app!
gab

Speak Freely

Join millions on the original and only true free speech social network.

What Makes Gab Different

We're not just another social network. We're a platform built on principles that matter.

Freedom of Speech & Reach

All First Amendment protected speech is welcome. No algorithmic throttling or shadow banning.

Family-Friendly Platform

We maintain a clean environment. Explicit adult content is strictly prohibited.

Western Nations Only

Third-world IPs are blocked. No scammers, no spam farms. Built for Western civilization.

Funded By Users

Our users are our investors and customers. You're not the product being sold.

Battle Tested

A decade of standing strong. Banned from app stores, banks—and still here.

American Owned & Operated

We reject foreign censorship demands. Built by Americans, for free people.