Leash
Open-source agent policy enforcement from StrongDM. Wraps AI coding agents in containers and monitors runtime behavior via kernel-level eBPF/LSM hooks. Policies are written in Cedar. Includes an MCP observer that inspects tool calls and enforces policy on them in real time.
Leash is StrongDM’s answer to the question: once you remove human code review, how do you enforce security policy on what agents can do?
Available via npm install -g @strongdm/leash.
What It Does
Leash wraps AI coding agents (Claude Code, Cursor, others) in containers and monitors their runtime behavior at the kernel level via eBPF/LSM hooks. Policy is defined in Cedar (Amazon’s open-source authorization policy language).
The MCP Observer component inspects and records MCP tool calls and enforces policy on them in real time. MCP is the specific integration layer where AI agents interact with external services.
Why This Matters for Dark Factories
The Level 5 dark factory removes human code review from the loop. Leash is one answer to “what replaces human oversight?” — not a human reading diffs, but policy-enforced constraints on what the agent can actually do at runtime.
Key capabilities:
- Container-level isolation of agent execution
- Kernel-level visibility into system calls
- MCP call interception and logging
- Cedar policy: declarative, auditable, version-controllable
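What such a policy could look like, as an added example rather than Leash's own policy or schema: every entity, action, attribute, host and tool name below is hypothetical. It relies on two Cedar evaluation rules: a request that matches no permit is denied, and any matching forbid overrides every permit.

```cedar
// Added illustration. Action names, attribute names, hosts and tools are
// hypothetical placeholders, NOT Leash's actual schema.

// Allow only read-style tools on one named MCP server. Any MCP call that
// matches no permit is denied by default.
@id("allow-docs-read-tools")
permit (
  principal,
  action == Action::"McpCall",
  resource
)
when {
  resource.server == "docs.example.internal" &&
  ["search", "fetch"].contains(resource.tool)
};

// Forbid destructive tools on every server. A forbid wins even if a later,
// broader permit is added by mistake.
@id("deny-destructive-tools")
forbid (
  principal,
  action == Action::"McpCall",
  resource
)
when { resource.tool like "delete*" || resource.tool like "drop*" };

// Allow file writes only inside the agent's workspace.
@id("allow-workspace-writes")
permit (
  principal,
  action == Action::"FileWrite",
  resource
)
when { resource.path like "/workspace/*" };

// Keep credential material out of reach, including inside the workspace.
@id("deny-credential-paths")
forbid (
  principal,
  action in [Action::"FileRead", Action::"FileWrite"],
  resource
)
when { resource.path like "/workspace/.env*" || resource.path like "*/.ssh/*" };
```

`like` compares strings, so the workspace rule only holds if the enforcement point hands the policy a canonical path, with `..` segments and symlinks already resolved.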
The Broader Question
Leash represents a different philosophy from the StrongDM factory’s core approach. The factory says: trust the process (external scenarios, holdout validation). Leash says: trust the process and enforce runtime constraints. The two are compatible, and together they address different failure modes.
Runtime policy enforcement (Leash) catches: unexpected side effects, scope creep, security-policy violations at execution time.
External scenario testing catches: incorrect implementation, functional regressions, gaming.
Neither catches: systematic model blind spots. That’s the open problem.