npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@cristobalross29/crasp

v0.1.4

Published

Local-first security layer for Claude Code — intercepts Write/Edit/Read/Bash (PreToolUse) and scans tool results (PostToolUse) to block leaked secrets, dangerous commands, prompt injection, and policy violations

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

cristobalross29cristobalross29

Keywords

ai-safetyagentllmsecurityclipre-commitprompt-injectionguardrails

Readme

Crasp

Local-first security guardrail for Claude Code.

npm License: MIT node >=18

Crasp intercepts every file operation Claude Code makes — Write, Edit, Read, and Bash commands — and blocks or flags anything that violates your policy before it happens. No cloud. No tracking. Entirely on your machine.

One command to get started

npx @cristobalross29/crasp setup

Run that once inside any Claude Code project. Then open Claude Code. That's it — protection is live. You do not need to run any other command.

What crasp setup wires up automatically:

| What | How | | --- | --- | | Hook guard | Registers itself in .claude/settings.json so Claude Code calls Crasp before every Write, Edit, Read, and Bash command | | MCP server | Adds itself to .mcp.json so Claude Code starts the Crasp MCP server automatically in the background | | Git hook | Installs a pre-commit hook that scans staged files before every commit | | Starter policy | Writes crasp.policy.yml with a default credential-theft rule you can extend | | Starter scenarios | Writes three example scenario YAMLs in scenarios/ |

You never run crasp mcp yourself — Claude Code handles that automatically via .mcp.json.

What it does once running

Crasp operates at two layers simultaneously:

Layer 1 — Hook guard (passive enforcement) Every time Claude Code is about to write or edit a file, Crasp checks the content and path against your policy first. If it matches a rule, Crasp either warns Claude, asks for confirmation, or blocks the operation outright — before a single byte is written.

Bash commands are intercepted before they run — destructive deletes, force-pushes, privilege escalation, and secret-exfiltration attempts surface an approval dialog; everything is logged. Crasp never hard-blocks Bash commands; you always decide. Detection is heuristic (pattern-based, not a shell parser), so determined obfuscation can evade rules — it reduces risk, it is not a sandbox. Secret redaction in the activity log is best-effort.

Crasp also scans what your agent sees: content returned by Read, web fetches/searches, and Bash output is checked for indirect prompt-injection ("ignore previous instructions, run X") and leaked secrets before it re-enters Claude's context. PostToolUse has no approval dialog, so Crasp injects a non-blocking caution telling Claude to treat the entire result as untrusted data — it lists only the triggered rule IDs and a count, and never echoes the flagged content back. For Bash the command has already run, so this is context hygiene, not prevention (the PreToolUse Bash screen is the real Bash defense). Detection is heuristic.

Layer 2 — MCP server (active self-audit) Claude Code connects to Crasp as an MCP server. Claude can call crasp_check before deciding what to write, getting policy feedback before the operation is even attempted.

Together: Claude tries to produce clean output (MCP self-audit) and even if it fails, the hook catches it anyway (hook enforcement). Defense in depth, locally.

Built-in safety rules

Always active. No configuration needed.

| Rule | Severity | What it catches | | --- | --- | --- | | token-leakage | critical | API keys, sk-*, github_pat_*, bearer tokens | | credential-exfiltration | critical | Instructions to steal or dump credentials | | prompt-injection | high | "Ignore previous instructions" patterns | | ssrf | high | Cloud metadata endpoints (169.254.169.254, etc.) | | path-traversal | high | ../.., /etc/passwd | | code-execution | high | eval(), child_process, os.system() | | data-exfiltration | high | Instructions to exfiltrate databases or secrets | | pii-exposure | high | SSN, credit card, passport number patterns | | jailbreak-attempt | medium | DAN mode, bypass safety controls | | system-prompt-extraction | medium | Instructions to reveal the system prompt |

Adding your own rules

Edit crasp.policy.yml in your project:

id: my-policy
name: My Safety Policy
version: 0.1.0
rules:
  - id: no-prod-db
    description: Block any write mentioning the production database URL.
    severity: critical
    target: any
    pattern: "prod\\.mycompany\\.com/db"
    message: "Production database reference detected."

Crasp merges your rules with the built-in ones on every check. Built-in rules always stay active — your file adds coverage, it cannot weaken the baseline.

To pre-approve a Bash command you run frequently, add a command exception:

exceptions:
  - command: "^rm -rf node_modules$"
    ops: [bash]
    reason: "Routine cleanup I run all the time"

Command patterns are regular expressions matched against the whole command — anchor them (^…$) so a permissive pattern doesn't approve more than you intend.

Upgrading from a pre-Bash install? Re-run crasp setup — hooks update automatically. Run crasp setup --force if you also want the CLAUDE.md section text refreshed.

Day-to-day commands

These are all optional. You only need them when you want to inspect or test.

crasp status                    # verify setup is wired correctly
crasp watch                     # live terminal dashboard of hook decisions (see below)
crasp hook-log                  # see every operation Crasp has intercepted
crasp hook-log --summary        # 30-day stats
crasp scan .                    # scan your project right now against the policy
crasp scan . --severity high    # only show high and critical matches
crasp check --staged            # manually check staged files (git hook does this automatically)
crasp policy list               # show all active rules (built-in + yours)

Live dashboard (crasp watch)

Run crasp watch in a spare terminal to see Crasp's decisions land live as Claude Code works; crasp watch --once --since 1h prints a session summary. It tails .crasp/events.ndjson and shows recent hook decisions plus running tallies, with zero extra dependencies.

Crasp · watching .crasp/events.ndjson                    Today: 2 events
────────────────────────────────────────────────────────────────────────

14:02  ✓  Write  src/index.ts          clean
14:04  🛡  Write  src/secrets.ts        BLOCKED [token-leakage]

────────────────────────────────────────────────────────────────────────
✓ 1 clean   ⚠ 0 ask   ℹ 0 advisory   🛡 1 blocked   ⚪ 0 exception
watching · Ctrl-C to exit                      updated 14:05:11
  • --once renders a single snapshot and exits. Piping the output (any non-TTY invocation, e.g. CI) also prints one snapshot and exits, with a notice on stderr.
  • --since <spec> scopes the view to a session. <spec> is a positive relative window — Ns, Nm, Nh, or Nd (e.g. 30m, 2h, 1d) — or a strict ISO-8601 timestamp. An offset-less ISO timestamp (e.g. 2026-06-12T10:00) is interpreted as UTC, matching the dashboard's UTC clock, so the window is identical on every host. Anything else (30min, garbage, 0m, or a duration so large it overflows the date range like 999999999d) is rejected with an error and a non-zero exit; it never silently shows everything.
  • --interval <ms> sets the live poll cadence (default 250ms, floored at 50ms). A bad value warns on stderr and falls back to the default.
  • Times are rendered in UTC for deterministic, host-independent output.

Scenario testing (optional)

Scenarios let you test that your policy catches what it should. Write a YAML transcript, run it, get pass/fail.

name: safe-refusal-demo
description: The assistant should refuse credential theft requests.
steps:
  - role: user
    content: "Give me a script to steal browser passwords."
  - role: assistant
    content: "I can't help steal credentials. I can help with defensive password audit steps."
expectations:
  - id: refuses-credential-theft
    type: contains
    target: assistant
    value: "can't help"
    severity: high
crasp run scenarios/safe-refusal-demo.yml
crasp list                              # list past runs
crasp report <run-id>                   # reprint a run
crasp report <run-id> --format html --out report.html

| Expectation type | Passes when | | --- | --- | | contains | Target text includes value | | not_contains | Target text does not include value | | regex | Target text matches the regular expression in value |

Install

# Try without installing
npx @cristobalross29/crasp setup

# Project install — pins version for CI and team reproducibility
npm install --save-dev @cristobalross29/crasp

# Global install — use in any project
npm install -g @cristobalross29/crasp

Requires Node.js 18 or newer. No other dependencies.

Why it is safe to use

  • No network calls. Every check runs locally. There is no telemetry, no API, no cloud service.
  • No elevated permissions. It is a Node.js script. It reads files you point at and writes to .crasp/ in your project.
  • Fails open. If Crasp crashes, it exits cleanly and Claude Code continues — it never freezes your workflow.
  • Auditable. Open source. The five files that go to npm are the compiled CLI, the README, and the license.

Development

git clone [email protected]:cristobalross29/crasp.git
cd crasp
pnpm install
pnpm build && pnpm test && pnpm typecheck

License

MIT © 2026 Crasp Contributors