Documentation
01. Installation
Install OpenLeash via Homebrew and wrap your agent execution command.
$ brew install openleash
$ openleash openclaw
02. Architecture
OpenLeash operates as a deterministic proxy between the agent process and the host operating system. Every system action is paused, serialized into a standard JSON schema, and transmitted to the configured Decider for evaluation.
03. Pluggable Deciders
The core philosophy of OpenLeash is the strict separation of enforcement from decision-making. The rule engine is entirely replaceable.
Depending on your environment's requirements, you may configure OpenLeash to utilize:
- Local Custom Logic: A lightweight Node.js or Python script for bespoke environmental checks.
- Default Engine (Rego/OPA): The built-in Open Policy Agent engine for declarative, static rules.
- Enterprise Platforms: Integration with Guardian or similar centralized security platforms for fleet-wide rule management and telemetry.
04. Rego Reference (Optional)
If utilizing the default Rego engine, rules are defined declaratively. Note that Rego takes secondary importance to the enforcement proxy; you are not locked into OPA.
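rule.rego
# Deny shell execution when the action is flagged as tainted.
# If taint_flag is absent from the input, the expression is undefined and this rule does not fire.
deny if {
    input.operation == "shell.exec"
    input.taint_flag
}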
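The "Local Custom Logic" option from section 03 can express the same check as the Rego rule above while failing closed on malformed or incomplete input. The following is an added example, not OpenLeash's own code: only `operation`, `taint_flag` and `"shell.exec"` come from this page; the stdin/stdout transport, the verdict shape, the allow-list and the `file.read` name are assumptions.

```python
import json
import sys

# "shell.exec" is from the page's Rego rule; "file.read" is a constructed name.
# The allow-list itself is an assumption: operations not listed are denied.
ALLOWED_OPERATIONS = {"shell.exec", "file.read"}


def _deny(reason: str) -> dict:
    # Verdict shape {"allow": bool, "reason": str} is hypothetical.
    return {"allow": False, "reason": reason}


def decide(raw: str) -> dict:
    """Return a verdict for one serialized action; anything unexpected is denied."""
    try:
        action = json.loads(raw)
    except (ValueError, TypeError):
        return _deny("malformed request")
    if not isinstance(action, dict):
        return _deny("request is not a JSON object")

    op = action.get("operation")
    if not isinstance(op, str) or op not in ALLOWED_OPERATIONS:
        return _deny("unknown or missing operation")

    # Unlike the Rego rule, a missing or non-boolean taint_flag is treated as
    # tainted, so a proxy that omits the field cannot bypass the check.
    taint = action.get("taint_flag")
    if not isinstance(taint, bool):
        return _deny("taint_flag missing or not boolean")

    if op == "shell.exec" and taint:
        return _deny("shell.exec on tainted input")
    return {"allow": True, "reason": "no deny rule matched"}


if __name__ == "__main__":
    # Assumed transport: one JSON action on stdin, one JSON verdict on stdout.
    print(json.dumps(decide(sys.stdin.read())))
```
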