Leash in Plain English v1
Summary
Leash gives a local AI agent its own user account on the machine and keeps it on a short leash. The agent runs as that system user, and Leash decides — for that account — where it's allowed to go, what files it can touch, what programs it can run, and which tools it can use, blocking anything outside those bounds. Because the rules are enforced at the user account itself, the limits hold no matter what the agent tries. Think of it as adopting a puppy and deciding, up front, exactly how far it's allowed to roam.
The puppy
There are four simple questions, and Leash answers each one:
- What's his name? You pick one user account on the machine and run the agent as that account. That's your puppy. Everything Leash does is about that account.
- What's his domain? You list the places he's allowed to go — which websites and addresses he can reach on the network, and which folders he can open on disk. If it's not on the list, he can't get there.
- What can he do there? You say which programs he's allowed to run. You can do this two ways: list only what's allowed (everything else is off-limits), or list only what's banned (everything else is fine).
- How can the AI do its work? The agent works by calling "tools" — little actions like "read a file" or "search". You list which tools it may call, and Leash also peeks at what the agent is feeding into those tools and stops anything that looks like a leaked password, personal information, or an attempt to grab extra privileges.
Why it can't be talked around
Leash runs with more authority than the agent does. The puppy is on the leash and can't take it off. Because the rules live in the operating system itself — not inside the agent — the agent can't just ignore them, route around them, or quietly start a helper program to do the forbidden thing for it. (The one exception is the tools check, which works hand-in-hand with the agent's own framework rather than at the operating-system level.)
What happens when he pulls
For now, Leash simply says no. If the agent tries to reach a site that isn't allowed, the connection is cut. If it tries to open a file or run a program it shouldn't, it gets a flat "permission denied". If it calls a tool it isn't allowed to, the call fails. There's no pause, no pop-up, no one to ask — just a clean block, and a note in the log explaining why.
That "stop and ask a human" step — where a blocked action waits for someone to approve it before continuing — is coming later, as part of Sentinel. This first version is about getting the blocking solid and trustworthy first.
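The tools check and the flat "no" described above can be sketched in a few lines. This is an added example, not Leash's own code: the tool names, the patterns, the function names and the log format are all assumptions made for illustration.

```python
import json
import re

# Hypothetical policy: tool names and patterns are constructed for this example.
ALLOWED_TOOLS = {"read_file", "search"}
CHECKS = [
    ("secret", re.compile(
        r"AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----"
        r"|(?i:\b(?:password|passwd|api[_-]?key)\s*[=:]\s*\S+)")),
    ("personal-info", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("privilege", re.compile(r"\b(?:sudo|pkexec|setcap)\b|\bsu\s+-|chmod\s+[ugoa]*\+s")),
]

def strings_in(value):
    """Yield every string inside nested tool arguments, dict keys included."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from strings_in(key)
            yield from strings_in(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from strings_in(item)

def check_tool_call(name, args):
    """Return (allowed, reason). A tool that is not listed is denied."""
    if name not in ALLOWED_TOOLS:
        return False, f"tool '{name}' is not on the allow list"
    for text in strings_in(args):
        for label, pattern in CHECKS:
            if pattern.search(text):
                # Record the category only, never the matched value itself.
                return False, f"argument to '{name}' matched {label} check"
    return True, "ok"

def gate(name, args, log):
    """Log the decision with its reason, then block with no pause or prompt."""
    allowed, reason = check_tool_call(name, args)
    log.append(json.dumps({"tool": name,
                           "decision": "allow" if allowed else "deny",
                           "reason": reason}))
    if not allowed:
        raise PermissionError(reason)
    return True
```

The log entry names the kind of check that fired rather than the text that matched, so a blocked password does not end up copied into the log.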
Current build
Leash is in preview. This is an early v1 build, it runs on Linux only, and there's no public download — it's set up by hand from the source. An install gives you the enforcement service, a small leash command for adjusting the rules and watching the log, and a clean uninstaller.