npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@authensor/safeclaw

v1.0.0-beta.2

Published

Safe-by-default AI agent. Gates every action through Authensor before it executes. Supports Claude and OpenAI.

Readme

SafeClaw

node license: MIT

AI agents that ask before they act.

SafeClaw intercepts every action your AI agent tries to take (file writes, shell commands, network requests) and checks it against a safety policy before it executes. If something looks risky, you get asked first. Nothing runs without your say-so.

Works with Claude and OpenAI. Open-source client. Free tier included.

Part of the Authensor Safety Stack

SafeClaw is part of Authensor -- the open-source safety stack for AI agents. SafeClaw defaults to a self-hosted control plane at http://localhost:3000. Start one by cloning AUTHENSOR/AUTHENSOR and running docker compose up -d (it serves http://localhost:3000), then run SafeClaw -- no external services required.

  • Authensor - Policy engine & control plane for agent action authorization
  • SafeClaw - Local agent gating with approval workflows (you are here)

SafeClaw dashboard

Install

npx @authensor/safeclaw

Your browser opens. A wizard walks you through everything: pick your AI provider, paste your API key, and you're running.

Need Node.js? Download it at nodejs.org (v20+). That's the only prerequisite.

First run (no control plane yet)

You can try SafeClaw before standing up a control plane. Once the wizard (or safeclaw init) has saved your provider API key, this works standalone and exits 0:

safeclaw run --dry-run "Summarize README.md"

It prints your provider, profile, and a policy simulation -- no agent is started and nothing leaves your machine. Read-only tasks (Read, Glob, Grep, ...) also run locally without a control plane.

What to expect until a control plane is up, all by design:

  • Write / exec / network actions fail closed. SafeClaw denies anything that isn't a local read until it can check it against a policy. That's the point -- nothing risky runs unchecked.
  • safeclaw doctor shows a [WARN] on "Authensor connectivity" ("Control plane unreachable"). Every other check still passes once your API key is set. This warning is expected, not an error.
  • safeclaw health reports "Control plane unreachable" and exits non-zero. health is a pure connectivity probe -- a non-zero exit here just means no control plane is running yet.

To progress past read-only and dry-run actions, start a control plane (see Part of the Authensor Safety Stack above) and re-run.

Other install options

GUI (no terminal): Download the release, extract, double-click the launcher.

Clone and run:

git clone https://github.com/AUTHENSOR/SafeClaw.git && cd SafeClaw
npm install && npm start

How it works

Every tool call your AI agent makes goes through SafeClaw's gateway before it executes:

You give the agent a task
  → Agent decides to take an action (write a file, run a command, etc.)
  → SafeClaw intercepts it
  → Checks it against your policy: allow / deny / require approval
  → If approval needed: you get notified, agent waits for your decision
  → Action only runs after you approve

What leaves your machine: Action metadata only (e.g., "filesystem.write /tmp/output.txt") What stays local: Your API keys, your files, your data. Always.

Features

  • Multi-provider: Claude (Anthropic SDK) and OpenAI (GPT-4o, custom loop)
  • Browser dashboard: setup wizard, task runner, approval center, analytics, policy editor, settings
  • Policy engine: deny-by-default rules, visual editor, versioning, rollback, dry-run simulation, time-based rules
  • Audit ledger: append-only JSONL with SHA-256 hash chain, tamper detection via audit verify
  • Analytics: cost tracking, approval metrics, tool usage, MCP server breakdown, CSV/JSON export
  • Budget controls: spending caps (daily/weekly/monthly) with warn/require_approval/block actions
  • Scheduler: cron-based recurring tasks with quiet hours
  • Container mode: Docker/Podman sandboxed execution with filesystem isolation
  • Mobile PWA: installable, responsive, swipe-to-approve
  • SMS notifications: Twilio integration for approval alerts
  • Webhooks: Slack, Discord, and generic HTTP notifications
  • Offline cache: cached allow decisions for Authensor downtime (fail-safe: denies never cached)
  • Workspace scoping: project boundary detection, path restriction enforcement
  • Risk signals: advisory badges on approvals for obfuscated execution, credential access, pipe-to-external, destructive commands, and persistence mechanisms

Security model

  • Deny by default: unknown actions are blocked
  • CSRF protection: all write endpoints require X-Requested-With: SafeClaw header
  • ReDoS protection: user-supplied regex patterns in policy rules validated for nested quantifiers before execution
  • Secrets redaction: API keys stripped from SSE output before reaching the browser
  • File permissions: all sensitive files written with mode 0o600
  • Rate limiting: sliding window limits on all write API endpoints
  • Fail closed: if Authensor is unreachable and no cached allow exists, actions are denied
  • Local pre-filter: safe.read.* tools (Read, Glob, Grep, TodoWrite, AskUserQuestion, Skill, TaskOutput) are allowed locally without a control plane call. All other tools always go through Authensor
  • Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection
  • Audit integrity: SHA-256 hash chain on every audit entry, verifiable via safeclaw audit verify

Default policy

| Action type | Effect | Examples | |------------|--------|----------| | safe.read.* | Allow (local pre-filter) | Read, Glob, Grep, TodoWrite, AskUserQuestion, Skill | | filesystem.* | Require approval | Write/edit files | | code.* | Require approval | Bash commands | | network.* | Require approval | HTTP requests, web search | | secrets.* | Require approval | Access secrets | | mcp.* | Require approval | MCP tool calls | | Everything else | Deny | - |

Commands

safeclaw                          # Open the browser dashboard
safeclaw init                     # Set up a profile (default: Claude)
safeclaw init --provider openai   # Set up with OpenAI/GPT-4o
safeclaw init --workspace         # Initialize workspace scoping
safeclaw run "task"               # Run a task locally
safeclaw run --container "task"   # Run inside Docker/Podman
safeclaw run --dry-run "task"     # Preview config + policy simulation (no agent started)
safeclaw approvals                # List pending approvals
safeclaw approvals approve <id>   # Approve
safeclaw approvals reject <id>    # Reject
safeclaw receipts                 # View audit trail
safeclaw audit                    # View recent audit log
safeclaw audit verify             # Verify audit hash chain integrity
safeclaw history                  # View task history
safeclaw policy show|apply|help   # Manage policy
safeclaw profile list|use <name>  # Manage profiles
safeclaw health                   # Check Authensor connectivity
safeclaw doctor                   # Run 10 diagnostic checks
safeclaw config show              # Show current config
safeclaw --version                # Show version

Flags

| Flag | Description | |------|-------------| | --verbose, -v | Show detailed output | | --provider <name> | AI provider: claude (default) or openai | | --model <model> | Model override (e.g. gpt-4o, gpt-4o-mini) | | --container | Run inside Docker/Podman | | --workspace <path> | Workspace directory for container mode | | --rebuild | Rebuild container image before running | | --dry-run | Show task config + policy simulation without running | | --no-open | Start dashboard without opening browser |

Architecture

src/
  cli.js          CLI entry point
  server.js       Localhost dashboard server (Node http, zero deps)
  agent.js        Agent runner with provider dispatch + secrets redaction
  openai-agent.js Custom agent loop for OpenAI/GPT (raw fetch, zero deps)
  gateway.js      PreToolUse hook → Authensor policy check + SMS + audit
  classifier.js   Tool name → action type mapping
  authensor.js    Authensor control plane API client
  container.js    Docker/Podman container runner
  notify.js       Twilio SMS notifications
  config.js       Profile, config, and .env management
  policy.js       Policy file management, versioning, simulation, ReDoS protection
  templates.js    Default policy template
  audit.js        Append-only JSONL audit ledger with SHA-256 hash chain
  session.js      Per-task session history
  workspace.js    Workspace detection and path scoping
  settings.js     Settings management with validation
  analytics.js    Cost summary, approval metrics, tool usage, MCP analytics
  cache.js        Offline decision cache (memory + disk, TTL-based)
  rate-limit.js   Sliding window rate limiter
  webhook.js      Slack/Discord/generic webhook notifications
  budget.js       Budget enforcement and cost estimation
  doctor.js       10 diagnostic checks for setup health
  scheduler.js    Cron-based recurring task scheduler with quiet hours
  validate.js     Input validation, ReDoS protection, secrets redaction
  logger.js       Structured JSON logging to stderr
ui/dashboard/     Browser dashboard (PWA, mobile-responsive, swipe approvals)
ui/               Standalone approvals UI (auto-refreshes every 5s)
policies/         Policy templates and schema
tests/            446 tests across 24 files
Dockerfile        Container image for sandboxed execution

Configuration

All config is stored in ~/.safeclaw/:

| File | Purpose | |------|---------| | config.json | Profiles, provider, control plane URL | | .env | API keys (chmod 600, never sent anywhere) | | settings.json | Timeouts, retention, cache, budget, webhooks | | policy.json | Active policy rules | | audit.jsonl | Append-only audit ledger with hash chain | | sessions/ | Per-task session history | | schedules.json | Cron-based scheduled tasks | | decision-cache.json | Offline allow cache |

What stays private

SafeClaw's client is fully open source: the agent, classifier, policy engine, dashboard, and all 446 tests are right here on GitHub. The Authensor control plane runs locally by default (http://localhost:3000) and evaluates action metadata against your policy. It only sees what the agent wants to do (e.g., "write a file to /tmp"), never your API keys, file contents, or data. Start the control plane by cloning AUTHENSOR/AUTHENSOR and running docker compose up -d.

If the control plane is unreachable, SafeClaw fails closed. Every action is denied. Nothing slips through.

License

MIT

Powered by Authensor