repo-seatbelt
Generates a GitHub Actions workflow that runs safety scans on pushes and PRs, posts PR comments with safety scores, and fails CI on high-risk changes.
Installs a Git pre-commit hook that runs diff analysis and blocks commits with high risk.
A safety layer for AI coding agents. Before they touch your repo.
AI coding agents are powerful. Maybe too powerful.
repo-seatbelt scans your project, detects risky areas, generates safety rules for 7 AI tools,
exposes a runtime MCP guardrail server, ships a pre-commit hook + GitHub Action, and gives your
repo an AI Safety Score out of 100, in your language.
Before AI touches your repo, buckle up.
Why this exists
AI coding tools like Claude Code, Cursor, Codex, Gemini CLI, Windsurf, Aider, Cline, and Zed are genuinely useful. But they don't know what's sacred in your repo. Without guardrails, an agent might:
💥 Overwrite your .env with test values
💥 Delete database migration files that can't come back
💥 Rewrite your auth middleware "to clean it up"
💥 Run prisma migrate reset on a production database
💥 Add 12 new dependencies to fix one bug
💥 Refactor 30 files when you asked to change one string
repo-seatbelt solves this with a four-layer defense:
Layer | What it does | Where it runs |
1. Static rules | Generates |
|
2. Runtime MCP guardrail | A live MCP server agents call at decision-time: |
|
3. Pre-commit hook | Blocks high-risk commits locally before they leave the developer's machine. |
|
4. CI gate | GitHub Action posts a PR comment with the safety score and fails on high-risk diffs. |
|
Quick Start
# Zero install
npx repo-seatbelt init # interactive setup
npx repo-seatbelt init --preset nextjs-stripe # or apply a preset
# Day-to-day
npx repo-seatbelt scan # AI Safety Score + risks
npx repo-seatbelt diff # review AI changes pre-commit
npx repo-seatbelt doctor # prioritized action plan
# Lock it down
npx repo-seatbelt install-hooks # block high-risk commits
npx repo-seatbelt ci # add a GitHub Action
npx repo-seatbelt mcp --print # configure runtime MCP
What you get
.repo-seatbelt.json - machine-readable config (the source of truth)
CLAUDE.md - rules for Claude Code
AGENTS.md - rules for any AGENTS.md-aware tool (Codex, Aider, Gemini)
CONVENTIONS.md - rules for Aider
.cursorrules - rules for Cursor
.windsurfrules - rules for Windsurf
.clinerules - rules for Cline
.rules - rules for Zed AI assistant
.git/hooks/pre-commit - (optional) blocks high-risk commits
.github/workflows/ - (optional) CI gate with PR comments
docs/repo-seatbelt-report.md - markdown safety report
docs/repo-seatbelt-dashboard.html - interactive HTML dashboard
Plus a runtime MCP server any agent can call mid-session.
Supported AI Tools
Tool | Rule file | Generator | Runtime MCP |
Claude Code / Claude Desktop |
| β | β |
Cursor |
| β | β |
Codex / ChatGPT |
| β | β |
Gemini CLI |
| β | β |
Windsurf |
| β | β |
Aider |
| β | β |
Cline |
| β | β |
Zed AI |
| β | β |
Any MCP-capable host (Claude Desktop, Claude Code, Continue.dev, etc.) can talk to the repo-seatbelt MCP server for live, decision-time enforcement.
Commands
repo-seatbelt init # interactive
repo-seatbelt init --yes # non-interactive defaults
repo-seatbelt init --preset nextjs-stripe # apply a preset
repo-seatbelt init --lang tr # Turkish output
Writes .repo-seatbelt.json, CLAUDE.md, AGENTS.md (and .cursorrules if you select Cursor).
repo-seatbelt scan
repo-seatbelt scan --json # machine-readable
repo-seatbelt scan --verbose # full details
repo-seatbelt scan --no-color # plain output for logs
Detects framework, package manager, databases, auth & payment providers, env hygiene, production config, and AI rule files. Outputs a 0-100 score and a categorized risk list.
repo-seatbelt doctor
repo-seatbelt doctor --json
Same data as scan, but rendered as a prioritized to-do list. Best for first-time setup.
repo-seatbelt diff # human-readable
repo-seatbelt diff --json # used by the pre-commit hook
Inspects current git changes. Flags .env mods, auth/payment touches, migration changes, new dependencies, large refactors, and missing test coverage. Returns an overallRisk of info | low | medium | high.
repo-seatbelt rules # interactive picker
repo-seatbelt rules --all # all 7 tools
repo-seatbelt rules --tool claude,cursor,windsurf # comma-separated
repo-seatbelt rules --tool aider # single
repo-seatbelt rules --json # all + JSON manifest
Existing files are backed up to *.bak before overwrite.
repo-seatbelt protect # list current protections
repo-seatbelt protect "config/secrets/**" # add a glob
repo-seatbelt protect --json # JSON output
repo-seatbelt check-command "rm -rf node_modules"
repo-seatbelt check-command "git push --force" --json
Returns safe | dangerous with reasons. Combines built-in patterns with your configured blockedCommands.
repo-seatbelt install-hooks # install git pre-commit hook
repo-seatbelt install-hooks --force # overwrite existing hook (.bak saved)
repo-seatbelt install-hooks --uninstall # remove the hook
The installed hook runs repo-seatbelt diff --json and blocks the commit when overallRisk === "high". Bypassable with git commit --no-verify if needed.
repo-seatbelt ci # writes .github/workflows/seatbelt.yml
repo-seatbelt ci --force # overwrite
repo-seatbelt ci --output ./custom.yml # custom path
The generated workflow:
- runs scan on every push and PR
- runs diff on PRs and posts a sticky comment with the safety score and findings
- fails CI when the diff is overallRisk === "high"
repo-seatbelt watch # default 500ms debounce
repo-seatbelt watch --debounce 1500
Detects new sensitive folders (auth/, payment/, stripe/, …) and .env* files appearing in the repo, updates .repo-seatbelt.json, and regenerates every rule file that already exists. Zero extra dependencies: uses Node's built-in fs.watch.
repo-seatbelt audit # last 500 commits
repo-seatbelt audit --since "1 month ago"
repo-seatbelt audit --limit 1000 --json
Scans git history for:
- .env files committed
- protected files touched
- traces of blockedCommands in commit subjects
- "large refactor" commits (≥25 files)
Excellent for adopting repo-seatbelt on an existing repo to see what AI (or humans) did
before you locked things down.
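A sketch of two of the history checks listed above (committed .env files and commits touching ≥25 files), as an added example that is not repo-seatbelt's own code. The `git log` format string, the `auditLog` name, and the exclusion of `.env.example`-style templates are assumptions; the sample log is constructed, reusing two rows from the page's sample output.

```javascript
// Added example (not repo-seatbelt source). Assumed input is the output of:
//   git log --name-only --format='@@%h|%as|%an'
const LARGE_REFACTOR_FILES = 25; // threshold stated on this page

function auditLog(logText) {
  // Pass 1: group file names under the commit header that precedes them.
  const commits = [];
  for (const line of logText.split("\n")) {
    if (line.startsWith("@@")) {
      const [hash, date, author] = line.slice(2).split("|");
      commits.push({ hash, date, author, files: [] });
    } else if (line.trim() && commits.length) {
      commits[commits.length - 1].files.push(line.trim());
    }
  }
  // Pass 2: emit findings using the category names from the sample output.
  const findings = [];
  for (const c of commits) {
    const meta = { hash: c.hash, date: c.date, author: c.author };
    for (const file of c.files) {
      const base = file.split("/").pop();
      // .env, .env.local, .env.production, ... at any depth.
      // Assumption: templates such as .env.example are meant to be committed.
      const isEnv = /^\.env(\..+)?$/.test(base);
      const isTemplate = /\.(example|sample|template)$/.test(base);
      if (isEnv && !isTemplate) {
        findings.push({ type: "env-committed", ...meta, detail: file });
      }
    }
    if (c.files.length >= LARGE_REFACTOR_FILES) {
      findings.push({ type: "large-refactor", ...meta, detail: `${c.files.length} files changed` });
    }
  }
  return findings;
}

// Constructed sample input; the third commit is invented for the template case.
const sampleLog = [
  "@@a3f81de|2024-09-12|alice", ".env.local", "src/app.ts", "",
  "@@8b22f9c|2025-03-18|claude",
  ...Array.from({ length: 47 }, (_, i) => `src/module${i}.ts`), "",
  "@@1c0ffee|2025-04-02|bob", ".env.example", "README.md",
].join("\n");

console.log(auditLog(sampleLog));
```

A finding for a committed .env file means the secret is still retrievable from history even if the file was later deleted, so the response is to rotate the credential rather than only remove the file.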
repo-seatbelt update # show diffs, ask for confirmation
repo-seatbelt update --yes # apply without prompting
repo-seatbelt update --diff-only # show diffs, don't write
repo-seatbelt update --json # machine output
Recomputes every rule file from .repo-seatbelt.json and prints +N -M summaries with sample lines. Existing files are backed up to *.bak.
repo-seatbelt mcp # run the stdio MCP server
repo-seatbelt mcp --print # print client-config snippet
repo-seatbelt mcp --print --json # JSON snippet
See MCP Server for full details.
repo-seatbelt badge # README badge from latest scan
repo-seatbelt badge --score 92 --json
repo-seatbelt report # docs/repo-seatbelt-report.md
repo-seatbelt dashboard # docs/repo-seatbelt-dashboard.html
Presets
Skip the busywork. Apply a preset that knows what's sensitive in your stack.
Preset | What it adds |
| Protects |
| Protects |
| Protects |
| Protects |
| Adds workspace-aware protection for |
| Protects |
npx repo-seatbelt init --preset nextjs-stripe
Presets are additive: they merge into your config rather than replacing it.
MCP Server: Runtime Guardrails
Static rule files only help if the agent reads them. The MCP server is a live JSON-RPC service that AI agents (Claude Desktop, Claude Code, Continue.dev, any MCP host) can call at decision-time to ask:
"Is it safe for me to edit this file?" "Is this shell command allowed in this repo?"
Available tools
Tool | Purpose |
| Returns |
| Returns |
| Lists protected files, approval-required globs, blocked commands, and active mode. |
| Runs the full safety scan and returns the score + risks. |
Wire it into Claude Desktop
npx repo-seatbelt mcp --print
Add the printed snippet to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or the equivalent on your platform:
{
  "mcpServers": {
    "repo-seatbelt": {
      "command": "npx",
      "args": ["-y", "repo-seatbelt-mcp"]
    }
  }
}
Wire it into Claude Code
claude mcp add repo-seatbelt -- npx -y repo-seatbelt-mcp
Smoke-test it manually
echo '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"check_command","arguments":{"command":"rm -rf /"}}}' \
  | npx repo-seatbelt mcp
You'll get back something like:
{ "decision": "block", "reasons": ["Recursive force delete", "Matches blocked command: \"rm -rf\""] }
The MCP server is dependency-free: minimal JSON-RPC over stdio, no SDK weight.
CI/CD & Git Hooks
Pre-commit hook (local, before push)
npx repo-seatbelt install-hooks
Now every git commit runs repo-seatbelt diff --json. If overallRisk === "high", the commit is blocked with a clear message. To bypass intentionally:
git commit --no-verify -m "intentional high-risk commit"
GitHub Action (remote, on every PR)
npx repo-seatbelt ci
git add .github/workflows/seatbelt.yml
git commit -m "chore: add repo-seatbelt CI"
The workflow:
- Runs scan on every push/PR
- Runs diff on PRs and posts a sticky comment with the score + top high-risk findings
- Fails the check if the diff is high-risk
Example PR comment:
## 🛡️ repo-seatbelt report
**Score:** 71/100 - 4 risk(s) found
### High-risk findings
- .env file modified (`.env.production`)
- Auth files were modified (`src/auth/middleware.ts`)
**Diff risk:** high
- .env files were modified
- Auth files were modified
Watch Mode
npx repo-seatbelt watch
Keeps your rule files in sync as the repo grows. Runs forever, debounces filesystem events, and auto-regenerates CLAUDE.md, AGENTS.md, .cursorrules, etc. when:
- a new auth/, payment/, stripe/, billing/ folder appears under repo root or src/, app/, lib/
- a new .env* file is created in the repo root
Output:
[14:23:01] Updated config + 5 rule file(s)
+approval: src/payment/**
+protected: .env.staging
Audit Mode
npx repo-seatbelt audit --since "3 months ago"
Scans git history for risky patterns. Useful when:
- adopting repo-seatbelt on an existing repo and you want to see past damage
- doing a security review on a contractor's branch
- generating evidence for a postmortem
Sample output:
🔴 env-committed (2)
2024-09-12 a3f81de alice: .env.local
2024-11-01 9c1d2bb bob: .env.production
🟠 protected-touched (5)
2025-02-04 4d8e7a1 ai-bot: prisma/migrations/20240204_drop_users/migration.sql
...
🟡 large-refactor (1)
2025-03-18 8b22f9c claude: 47 files changed
AI Safety Score
repo-seatbelt rates your repo against a checklist that signals "AI-friendly":
Range | Verdict | Meaning |
80-100 | 🟢 AI Safe | Solid guardrails. Most agents will behave responsibly. |
60-79 | 🟡 Needs attention | A few risk areas: review and patch before a long AI session. |
40-59 | 🟠 Risky | Significant gaps. Run |
0-39 | 🔴 Not AI Ready | Don't let agents loose without |
The score is computed from weighted checkpoints (env hygiene, AI rule files, dangerous
scripts, framework risk, monorepo structure, …). Run scan --verbose to see the
breakdown.
Add a badge
npx repo-seatbelt badge
Copy-paste the markdown into your README.
Dashboard & Reports
npx repo-seatbelt report # docs/repo-seatbelt-report.md
npx repo-seatbelt dashboard # docs/repo-seatbelt-dashboard.html
The HTML dashboard is fully static (no build step, no JS framework) and shows your score, risk breakdown, project info, and configured protections at a glance. Drop it into your internal docs or open it locally with any browser.
Configuration Reference
.repo-seatbelt.json:
{
  "version": "1",
  "mode": "strict",              // "solo" | "team" | "strict"
  "language": "en",              // "en" | "tr"
  "projectType": "nextjs",
  "selectedTools": ["claude", "cursor"],
  "protectedFiles": [            // never read/edit/delete without approval
    ".env", ".env.*",
    "prisma/migrations/**",
    "config/credentials.yml.enc"
  ],
  "approvalRequired": [          // edits require explicit human approval
    "auth/**", "lib/auth/**",
    "payment/**", "stripe/**",
    "middleware.ts"
  ],
  "blockedCommands": [           // shell commands the AI must refuse
    "rm -rf",
    "DROP TABLE",
    "prisma migrate reset",
    "git push --force"
  ],
  "ignoredPaths": [],            // glob patterns the scanner skips
  "riskThresholds": {            // score -> verdict mapping
    "low": 60, "medium": 40, "high": 0
  },
  "presets": ["nextjs-stripe"]
}
Edit by hand or via repo-seatbelt protect / repo-seatbelt init.
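How a guardrail could evaluate the three lists in this config at decision time, as an added example that is not repo-seatbelt's own code. The function names, the anchored glob semantics, substring matching for commands, and the "needs-approval" / "allow" decision values are assumptions; only "block" appears on this page.

```javascript
// Added example (not repo-seatbelt source). Lists copied from the config above;
// matching semantics and decision names other than "block" are assumptions.
const config = {
  protectedFiles: [".env", ".env.*", "prisma/migrations/**", "config/credentials.yml.enc"],
  approvalRequired: ["auth/**", "lib/auth/**", "payment/**", "stripe/**", "middleware.ts"],
  blockedCommands: ["rm -rf", "DROP TABLE", "prisma migrate reset", "git push --force"],
};

// Anchored glob: "**" crosses "/", "*" stays within one path segment.
function globToRegExp(glob) {
  const body = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000")
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  return new RegExp("^" + body + "$");
}

// Resolve "." and ".." before matching, so "src/../.env" is checked as ".env".
// Returns null when the path climbs above the repository root.
function normalize(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { if (!out.length) return null; out.pop(); }
    else out.push(seg);
  }
  return out.join("/");
}

function checkFileAccess(path, cfg = config) {
  const rel = normalize(path);
  if (rel === null) return { decision: "block", reasons: ["Path escapes the repository root"] };
  const hit = (globs) => globs.find((g) => globToRegExp(g).test(rel));
  const prot = hit(cfg.protectedFiles); // protected wins over approval-required
  if (prot) return { decision: "block", reasons: [`Matches protected file: "${prot}"`] };
  const appr = hit(cfg.approvalRequired);
  if (appr) return { decision: "needs-approval", reasons: [`Matches approval-required glob: "${appr}"`] };
  return { decision: "allow", reasons: [] };
}

// Collapse whitespace and ignore case before comparing with blockedCommands.
function checkCommand(command, cfg = config) {
  const norm = command.trim().replace(/\s+/g, " ").toLowerCase();
  const reasons = cfg.blockedCommands
    .filter((b) => norm.includes(b.toLowerCase()))
    .map((b) => `Matches blocked command: "${b}"`);
  return { decision: reasons.length ? "block" : "allow", reasons };
}
```

Under the anchored matching assumed here, `".env"` covers only the root file and `"auth/**"` only a top-level `auth/` folder; the page does not say whether repo-seatbelt also matches nested paths, so confirm with `check_file_access` against paths such as `apps/web/.env` in your own repo.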
JSON Output
Every command supports --json for scripting and CI:
repo-seatbelt scan --json | jq '.score'
repo-seatbelt diff --json | jq '.overallRisk'
repo-seatbelt audit --json --since "1 week ago" | jq '.findings | length'
repo-seatbelt rules --json | jq '.written[] | .file'
repo-seatbelt badge --score 92 --json
This is what powers the pre-commit hook and the GitHub Action.
Architecture
+--------------------------------------------------------------+
|                     .repo-seatbelt.json                      |
|           (single source of truth - your contract)           |
+--------------------------------------------------------------+
        |
        +--> Static generators (init / rules / update)
        |      +- CLAUDE.md
        |      +- AGENTS.md
        |      +- .cursorrules / .windsurfrules
        |      +- CONVENTIONS.md / .clinerules / .rules
        |
        +--> Scanners (scan / doctor / diff / audit)
        |      +- env hygiene
        |      +- auth / payment / db detection
        |      +- production config detection
        |      +- AI-rules presence + git history
        |
        +--> Enforcement layer
        |      +- pre-commit hook (install-hooks)
        |      +- GitHub Action (ci)
        |      +- watch (auto-regen)
        |
        +--> MCP server (mcp)
               +- check_file_access
               +- check_command
               +- list_protections
               +- scan_repo
FAQ
The static rule files are read once at session start, so they have zero runtime cost. The MCP server
adds a few milliseconds per check_file_access call, which is negligible compared to a
single LLM token.
The static rules are advisory: well-behaved agents respect them. For hard enforcement,
combine the MCP server (decision-time) with the pre-commit hook (machine-time). The
hook is bypassable with --no-verify, but that's a deliberate human action you can audit.
You can. But repo-seatbelt keeps 7 different rule files in sync from one config,
ships an MCP server, gates CI, and audits history. That's hours of work per project,
saved.
The CLI is Node-based, but the rules it generates are language-agnostic markdown. Every
preset (django, rails, fastapi, expo, …) is for non-Node stacks.
npx repo-seatbelt install-hooks --uninstall
rm .repo-seatbelt.json CLAUDE.md AGENTS.md .cursorrules .windsurfrules \
CONVENTIONS.md .clinerules .rules
rm -rf .github/workflows/seatbelt.yml
Roadmap
Static rule generators (Claude, Cursor, AGENTS.md)
Generators for Windsurf, Aider, Cline, Zed
Pre-commit hook installer
GitHub Action generator with PR comments
Watch mode (auto-regen on filesystem changes)
Git-history audit
Update command with diff preview
Project presets (Next.js + Stripe, Django, Rails, Expo, FastAPI, Monorepo)
MCP runtime guardrail server
JSON output for every command
VS Code extension (in-editor warnings + dashboard)
Telemetry opt-in (anonymous "guardrails caught X" stats)
Custom rule plugins
More languages (German, French, Spanish)
GitLab CI / Bitbucket Pipelines templates
Contributing
Issues and PRs are welcome. Please open an issue before submitting large changes.
git clone https://github.com/berkcangumusisik/repo-seatbelt.git
cd repo-seatbelt
npm install
npm run build
node dist/cli.js scan
See CONTRIBUTING.md for the full guide.
Share
If repo-seatbelt saved your repo from a bad AI session:
Just ran npx repo-seatbelt scan before letting Claude Code loose on my codebase. Found 3 high-risk areas I had no idea about. Then wired up the MCP server and the pre-commit hook so my agent literally can't touch .env or run prisma migrate reset. This should be mandatory before any AI coding session.
github.com/berkcangumusisik/repo-seatbelt
License
MIT: use it, fork it, build on it.
Made with care for everyone shipping code with AI. Star this repo if it saved your bacon.