OpenLatch is a thin, open-source security forwarder that plugs into AI agents via their native lifecycle hooks. One command installs protection across all your agents — no proxies, no code changes, no configuration.
That's it. OpenLatch auto-detects your installed agents, writes the hook configs, and starts forwarding events to the cloud for real-time security analysis.
Why OpenLatch?
AI agents execute shell commands, read files, call APIs, and install tools — all with your permissions. Most users have zero visibility into what their agents actually do.
OpenLatch gives you:
- Visibility — audit logs of every tool call, shell command, and file access across all your agents
- Protection — real-time detection of tool poisoning, credential leakage, prompt injection, and dangerous shell commands
- Zero friction — deploys from inside your agent in one command, auto-detects platforms, requires no security expertise
Supported Platforms
OpenLatch works across 3 operating systems and 8 agent platforms from day one.
| Agent Platform | macOS | Windows | Linux | Hook Events |
|---|---|---|---|---|
| Claude Code | :white_check_mark: | :white_check_mark: | :white_check_mark: | 24 |
| Cursor | :white_check_mark: | :white_check_mark: | :white_check_mark: | 5 |
| Windsurf | :white_check_mark: | :white_check_mark: | :white_check_mark: | 5 |
| GitHub Copilot | :white_check_mark: | :white_check_mark: | :white_check_mark: | 6 |
| Codex CLI | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 |
| Gemini CLI | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 |
| Cline | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 |
| OpenClaw | :white_check_mark: | :white_check_mark: | :white_check_mark: | 4 |
Threat Coverage
| Threat Category | What it catches |
|---|---|
| Tool Poisoning | Malicious MCP servers, tampered tool definitions, supply chain attacks on agent tooling |
| PII & Credential Leakage | API keys, tokens, passwords, and personal data leaving your machine via agent actions |
| Prompt Injection | Injected instructions hidden in files, tool outputs, or web content that hijack agent behavior |
| Shell Command Guardrails | Destructive commands (rm -rf /), privilege escalation, crypto miners, reverse shells |
| Supply Chain | Compromised dependencies, typosquatted packages, unsigned binaries |
| Attack Path Analysis | Multi-step attack chains that combine individually benign actions into a malicious sequence |
Quick Start
Install via npm (recommended)
Install via Cargo
Download binary
Pre-built binaries for macOS (ARM, Intel), Linux (x86_64, ARM), and Windows are available on the Releases page.
Usage
# Auto-detect agents, install hooks, and start the daemon
# Check daemon status, uptime, and event counts
# View the 20 most recent security events
# Tail events in real time
# Show events from the last hour
# Start/stop/restart the daemon
# Run daemon in foreground (useful for debugging)
# Diagnose configuration and connectivity issues
# Remove hooks and stop daemon
# Remove hooks, stop daemon, and delete all data (~/.openlatch/)
# Open documentation in browser
Command Reference
| Command | Description |
|---|---|
openlatch init |
Auto-detect agents, install hooks, start daemon. Safe to re-run. |
openlatch status |
Show daemon status, uptime, and event counts |
openlatch start [--foreground] |
Start the daemon (or run in foreground) |
openlatch stop |
Stop the daemon |
openlatch restart |
Restart the daemon |
openlatch logs [-f] [-n N] [--since T] |
View event logs. -f follows, -n limits count, --since filters by time |
openlatch doctor |
Diagnose configuration and connectivity issues |
openlatch uninstall [--purge] [--yes] |
Remove hooks and stop daemon. --purge deletes all data |
openlatch docs |
Open documentation in browser |
Noun-verb aliases are also available: openlatch hooks install = init, openlatch hooks uninstall = uninstall, openlatch daemon start = start, etc.
Global Flags
| Flag | Description |
|---|---|
--json |
Machine-readable JSON output (parseable by jq) |
--verbose / -v |
Show extra operational detail |
--debug |
Show internal state and timings (implies --verbose) |
--quiet / -q |
Suppress all output except errors |
--no-color |
Disable colored output |
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Security findings detected |
| 2 | Usage error (invalid arguments) |
| 3 | Resource not found |
| 4 | Permission denied |
| 5 | Conflict |
| 130 | Interrupted (Ctrl+C) |
Binaries
OpenLatch ships two binaries:
openlatch(~10MB) — full CLI for setup, daemon management, and log viewing.openlatch-hook(<1MB) — minimal hook handler spawned by agent hooks. Reads event JSON from stdin, forwards to the daemon onlocalhost:7443, and writes the verdict to stdout. If the daemon is unreachable, it fails open (returns allow) and logs to~/.openlatch/logs/fallback.jsonl. Not invoked directly by users.
How It Works
OpenLatch uses a three-layer architecture — hooks live inside your agents, the client forwards events, and the cloud runs detection:
┌─────────────────────────────────────────────────────────────────┐
│ Your Machine │
│ │
│ ┌──────────┐ hook event ┌──────────────────────────────┐ │
│ │ Claude │─────────────▶│ │ │
│ │ Code │ │ OpenLatch Client │ │
│ ├──────────┤ │ (localhost:7443) │ │
│ │ Cursor │─────────────▶│ │ │
│ ├──────────┤ │ 1. Wrap in envelope │ │
│ │ Copilot │─────────────▶│ 2. Redact credentials │ │
│ ├──────────┤ │ 3. Forward to cloud │────┼──▶ OpenLatch Cloud
│ │ Gemini │─────────────▶│ 4. Return verdict │◀───┼── (allow / deny)
│ │ CLI │ │ 5. Write local audit log │ │
│ ├──────────┤ │ │ │
│ │ ... │─────────────▶│ │ │
│ └──────────┘ ◀─ verdict ─ └──────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
Key design decisions:
- Hook-native — OpenLatch plugs into each agent's official hook/extension system. It runs inside the agent runtime, not as a network proxy. Events cannot be bypassed.
- Thin client, smart cloud — the client wraps events in a standard envelope and forwards them. All detection, normalization, and analysis happens cloud-side.
- Privacy-first — credentials and secrets are redacted locally via regex-based filtering before anything leaves your machine.
- Fail-open — if the cloud is unreachable, agents continue working normally. Events are logged locally and synced later.
Configuration
OpenLatch works with zero configuration. For advanced use cases:
# Configuration precedence (highest to lowest):
# 1. CLI flags
# 2. Environment variables (OPENLATCH_*)
# 3. Project config (.openlatch.json)
# 4. User config (~/.openlatch/config.toml)
# 5. Defaults
| Environment Variable | Description | Default |
|---|---|---|
OPENLATCH_API_KEY |
Your OpenLatch API key | — |
OPENLATCH_ENDPOINT |
Cloud endpoint URL | https://api.openlatch.ai |
OPENLATCH_LOG_LEVEL |
Logging verbosity | info |
OPENLATCH_FAIL_MODE |
Behavior when cloud is unreachable | open |
Security
OpenLatch is a security product — we hold ourselves to a high standard:
- Responsible disclosure — report vulnerabilities to security@openlatch.ai
- Private vulnerability reporting enabled on this repository
- All releases are built with SLSA provenance via GitHub Actions
- See SECURITY.md for our full security policy
Contributing
We welcome contributions! Whether it's bug fixes, new agent integrations, or documentation improvements.
- Read our Contributing Guide to get started
- Check good first issues for entry points
- Join our Slack to connect with the team
License
Licensed under the Apache License 2.0.
Links
| Resource | URL |
|---|---|
| Website | openlatch.ai |
| Documentation | docs.openlatch.ai |
| Slack | openlatch.slack.com |
| Twitter / X | @openlatch |
| GitHub | github.com/OpenLatch |