OpenLatch is a thin, open-source security forwarder that plugs into AI agents via their native lifecycle hooks. One command installs protection across all your agents — no proxies, no code changes, no configuration.

npx @openlatch/client init

That's it. init auto-detects your installed agents, writes the hook configs, and starts the daemon that forwards events to the cloud for real-time security analysis.

Why OpenLatch?

AI agents execute shell commands, read files, call APIs, and install tools — all with your permissions. Most users have zero visibility into what their agents actually do.

OpenLatch gives you:

• Visibility — audit logs of every tool call, shell command, and file access across all your agents
• Protection — real-time detection of tool poisoning, credential leakage, prompt injection, and dangerous shell commands
• Zero friction — deploys from inside your agent in one command, auto-detects platforms, requires no security expertise

Supported Platforms

OpenLatch works across 3 operating systems and 8 agent platforms from day one.

| Agent Platform | macOS | Windows | Linux | Hook Events | | -------------- | :---: | :-----: | :---: | ----------: | | Claude Code | :white_check_mark: | :white_check_mark: | :white_check_mark: | 24 | | Cursor | :white_check_mark: | :white_check_mark: | :white_check_mark: | 5 | | Windsurf | :white_check_mark: | :white_check_mark: | :white_check_mark: | 5 | | GitHub Copilot | :white_check_mark: | :white_check_mark: | :white_check_mark: | 6 | | Codex CLI | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 | | Gemini CLI | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 | | Cline | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 | | OpenClaw | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 |

Threat Coverage

| Threat Category | What it catches | | --------------- | --------------- | | Tool Poisoning | Malicious MCP servers, tampered tool definitions, supply chain attacks on agent tooling | | PII & Credential Leakage | API keys, tokens, passwords, and personal data leaving your machine via agent actions | | Prompt Injection | Injected instructions hidden in files, tool outputs, or web content that hijack agent behavior | | Shell Command Guardrails | Destructive commands (rm -rf /), privilege escalation, crypto miners, reverse shells | | Supply Chain | Compromised dependencies, typosquatted packages, unsigned binaries | | Attack Path Analysis | Multi-step attack chains that combine individually benign actions into a malicious sequence |

Quick Start

Install via npm (recommended)

npx @openlatch/client init

Install via Cargo

cargo install openlatch-client
openlatch init

Download binary

Pre-built binaries for macOS (ARM, Intel), Linux (x86_64, ARM), and Windows are available on the Releases page. After the binary is on your PATH, run openlatch init to auto-detect agents and install hooks.

Usage

# Auto-detect agents, install hooks, and start the daemon
openlatch init

# Check daemon status, uptime, and event counts
openlatch status

# View the 20 most recent security events
openlatch logs

# Tail events in real time
openlatch logs -f

# Show events from the last hour
openlatch logs --since 1h

# Start/stop/restart the daemon
openlatch start
openlatch stop
openlatch restart

# Run daemon in foreground (useful for debugging)
openlatch start --foreground

# Diagnose configuration and connectivity issues
openlatch doctor

# Remove hooks and stop daemon
openlatch uninstall

# Remove hooks, stop daemon, and delete all data (~/.openlatch/)
openlatch uninstall --purge

# Open documentation in browser
openlatch docs

Command Reference

| Command | Description | | ------- | ----------- | | openlatch init | Auto-detect agents, install hooks, start daemon. Safe to re-run. | | openlatch status | Show daemon status, uptime, and event counts | | openlatch start [--foreground] | Start the daemon (or run in foreground) | | openlatch stop | Stop the daemon | | openlatch restart | Restart the daemon | | openlatch logs [-f] [-n N] [--since T] | View event logs. -f follows, -n limits count, --since filters by time | | openlatch doctor | Diagnose configuration and connectivity issues | | openlatch doctor --fix | Auto-heal common issues (config, hooks, daemon, binary). Creates .bak siblings and a journal so changes can be reverted with --restore. | | openlatch doctor --restore | Reverse the most recent --fix run. Surgical merge for ~/.claude/settings.json preserves user edits to non-OpenLatch hooks. | | openlatch doctor --rescue [--since 24h] [--output PATH] [--yes] | Bundle a redacted diagnostic ZIP for sharing with support. Privacy filter runs on every text file; tokens are hard-redacted. | | openlatch uninstall [--purge] [--yes] | Remove hooks and stop daemon. --purge deletes all data | | openlatch supervision {install,uninstall,enable,disable,status} | Manage the OS-native supervisor that keeps the daemon alive after reboot (launchd / systemd --user / Task Scheduler). Installed by default during openlatch init; opt out with openlatch init --no-persistence. | | openlatch docs | Open documentation in browser |

Noun-verb aliases are also available: openlatch hooks install = init, openlatch hooks uninstall = uninstall, openlatch daemon start = start, etc.

Persistence

openlatch init registers an OS-native supervisor by default so the daemon auto-starts when you log in or reboot — persistence is a security property, not a convenience. All three backends (macOS launchd, Linux systemd --user, Windows Task Scheduler) are user-scope only; no admin prompt, no sudo. Opt out with openlatch init --no-persistence, or toggle later with openlatch supervision disable / enable. openlatch uninstall always tears the supervisor down before stopping the daemon so it cannot auto-restart underneath you.

Troubleshooting

When something goes wrong, prefer this order:

1. Diagnose — openlatch doctor lists every check that's failing (8 today: agent detection, config file, crash-report consent, auth token, daemon liveness, cloud reachability, hook installation, and recent fallback-log activity).
2. Heal — openlatch doctor --fix rewrites broken state files (config, token, hooks) and restarts the daemon. Every mutation is backed up to a .bak sibling and a journal at ~/.openlatch/fix-journal.json. Exit code is 0 when post-fix checks all pass and 1 otherwise.
3. Roll back — openlatch doctor --restore reads the journal and reverses each reversible action. ~/.claude/settings.json is restored via a surgical merge — non-OpenLatch hook entries you've added since --fix are preserved.
4. Bundle for support — openlatch doctor --rescue --yes produces openlatch-rescue-<ts>-<machid>.zip in $PWD. The bundle includes redacted state files, daemon /health + /metrics snapshots, binary metadata (SHA256 only — never bytes), and a per-pattern privacy-filter hit summary in MANIFEST.json. The bearer token in daemon.token is hard-redacted; absolute paths are anonymised to ~.

Combined openlatch doctor --fix --rescue runs the rescue first to snapshot the pre-fix state, then heals.

Global Flags

| Flag | Description | | ---- | ----------- | | --json | Machine-readable JSON output (parseable by jq) | | --verbose / -v | Show extra operational detail | | --debug | Show internal state and timings (implies --verbose) | | --quiet / -q | Suppress all output except errors | | --no-color | Disable colored output |

Exit Codes

| Code | Meaning | | ---- | ------- | | 0 | Success | | 1 | Security findings detected | | 2 | Usage error (invalid arguments) | | 3 | Resource not found | | 4 | Permission denied | | 5 | Conflict | | 130 | Interrupted (Ctrl+C) |

Binaries

OpenLatch ships two binaries:

• openlatch (<30MB) — full CLI for setup, daemon management, and log viewing.
• openlatch-hook (<20MB) — minimal hook handler spawned by agent hooks. Reads event JSON from stdin, forwards to the daemon on localhost:7443, and writes the verdict to stdout. If the daemon is unreachable, it fails open (returns allow) and logs to ~/.openlatch/logs/fallback.jsonl. Not invoked directly by users.

How It Works

OpenLatch uses a three-layer architecture — hooks live inside your agents, the client forwards events, and the cloud runs detection:

┌─────────────────────────────────────────────────────────────────┐
│  Your Machine                                                   │
│                                                                 │
│  ┌──────────┐  hook event   ┌──────────────────────────────┐    │
│  │  Claude   │─────────────▶│                              │    │
│  │  Code     │              │   OpenLatch Client           │    │
│  ├──────────┤              │   (localhost:7443)            │    │
│  │  Cursor   │─────────────▶│                              │    │
│  ├──────────┤              │   1. Wrap in envelope         │    │
│  │  Copilot  │─────────────▶│   2. Redact credentials      │    │
│  ├──────────┤              │   3. Forward to cloud         │────┼──▶  OpenLatch Cloud
│  │  Gemini   │─────────────▶│   4. Return verdict          │◀───┼──   (allow / deny)
│  │  CLI      │              │   5. Write local audit log   │    │
│  ├──────────┤              │                              │    │
│  │  ...      │─────────────▶│                              │    │
│  └──────────┘  ◀─ verdict ─ └──────────────────────────────┘    │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

Key design decisions:

• Hook-native — OpenLatch plugs into each agent's official hook/extension system. It runs inside the agent runtime, not as a network proxy. Events cannot be bypassed.
• Thin client, smart cloud — the client wraps events in a standard envelope and forwards them. All detection, normalization, and analysis happens cloud-side.
• Privacy-first — credentials and secrets are redacted locally via regex-based filtering before anything leaves your machine.
• Fail-open — if the cloud is unreachable, agents continue working normally. Events are logged locally and synced later.

Configuration

OpenLatch works with zero configuration. For advanced use cases:

# Configuration precedence (highest to lowest):
# 1. CLI flags
# 2. Environment variables (OPENLATCH_*)
# 3. Project config (.openlatch.json)
# 4. User config (~/.openlatch/config.toml)
# 5. Defaults

| Environment Variable | Description | Default | | -------------------- | ----------- | ------- | | OPENLATCH_API_KEY | Your OpenLatch API key | — | | OPENLATCH_API_URL | Cloud API base URL. Callers append /api/v1/... path segments. | https://app.openlatch.ai | | OPENLATCH_APP_URL | Web app URL used for browser auth. Falls back to OPENLATCH_API_URL (with a trailing /api stripped, for back-compat with overrides). | https://app.openlatch.ai | | OPENLATCH_LOG_LEVEL | Logging verbosity | info | | OPENLATCH_FAIL_MODE | Behavior when cloud is unreachable | open |

Security

OpenLatch is a security product — we hold ourselves to a high standard:

• Responsible disclosure — report vulnerabilities to [email protected]
• Private vulnerability reporting enabled on this repository
• All releases are built with SLSA provenance via GitHub Actions
• See SECURITY.md for our full security policy

Contributing

We welcome contributions! Whether it's bug fixes, new agent integrations, or documentation improvements.

• Read our Contributing Guide to get started
• Check good first issues for entry points
• Join our Slack to connect with the team

License

Licensed under the Apache License 2.0.

Links

| Resource | URL | | -------- | --- | | Website | openlatch.ai | | Documentation | docs.openlatch.ai | | Slack | openlatch.slack.com | | Twitter / X | @openlatch | | GitHub | github.com/OpenLatch |