Browse by type
A cross-platform CLI that implements a two-person rule for running potentially destructive commands from AI coding agents.
When an agent wants to run something risky (e.g., rm -rf, git push --force, kubectl delete, DROP TABLE), slb requires peer review and explicit approval before execution.
Coding agents can get tunnel vision, hallucinate, or misunderstand context. A second reviewer (ideally with a different model/tooling) catches mistakes before they become irreversible.
slb is built for multi-agent workflows where many agent terminals run in parallel and a single bad command could destroy work, data, or infrastructure.
.slb/state.db| Tier | Approvals | Auto-approve | Examples |
|---|---|---|---|
| CRITICAL | 2+ | Never | rm -rf /, DROP DATABASE, terraform destroy, git push --force |
| DANGEROUS | 1 | Never | rm -rf ./build, git reset --hard, kubectl delete, DROP TABLE |
| CAUTION | 0 | After 30s | rm file.txt, git branch -d, npm uninstall |
| SAFE | 0 | Immediately | rm *.log, git stash, kubectl delete pod |
brew install dicklesworthstone/tap/slb
This method provides:
- Automatic updates via brew upgrade
- Dependency management
- Easy uninstall via brew uninstall
scoop bucket add dicklesworthstone https://github.com/Dicklesworthstone/scoop-bucket
scoop install dicklesworthstone/slb
Download the latest release for your platform: - Linux x86_64 - macOS Intel - macOS ARM - Windows
curl -fsSL "https://raw.githubusercontent.com/Dicklesworthstone/slb/main/scripts/install.sh?$(date +%s)" | bash
git clone https://github.com/Dicklesworthstone/slb.git
cd slb && make build
go install github.com/Dicklesworthstone/slb/cmd/slb@latest
cd /path/to/your/project
slb init
This creates a .slb/ directory with:
- state.db - SQLite database for requests, reviews, and sessions
- config.toml - Project-specific configuration
- pending/ - JSON files for pending requests (for watching/interop)
# 1. Start a session (as an AI agent)
slb session start --agent "GreenLake" --program "claude-code" --model "opus"
# Returns: session_id and session_key
# 2. Run a dangerous command (blocks until approved)
slb run "rm -rf ./build" --reason "Clean build artifacts before fresh compile" --session-id <id>
# 3. Another agent reviews and approves
slb pending # See what's waiting for review
slb review <request-id> # View full details
slb approve <request-id> --session-id <reviewer-id> --comment "Looks safe"
# 4. Original command executes automatically after approval
slb session start --agent <name> --program <prog> --model <model>
slb session end --session-id <id>
slb session resume --agent <name> # Resume after crash
slb session list # Show active sessions
slb session heartbeat --session-id <id> # Keep session alive
# Primary command (atomic: check, request, wait, execute)
slb run "<command>" --reason "..." [--session-id <id>]
# Plumbing commands
slb request "<command>" --reason "..." # Create request only
slb status <request-id> [--wait] # Check status
slb pending [--all-projects] # List pending requests
slb cancel <request-id> # Cancel own request
slb review <request-id> # Show full details
slb approve <request-id> --session-id <id> # Approve request
slb reject <request-id> --session-id <id> --reason "..."
slb execute <request-id> # Execute approved request
slb emergency-execute "<cmd>" --reason "..." # Human override (logged)
slb rollback <request-id> # Rollback if captured
slb patterns list [--tier critical|dangerous|caution|safe]
slb patterns test "<command>" # Check what tier a command would be
slb patterns add --tier dangerous "<pattern>" # Agents can add patterns
slb daemon start [--foreground] # Start background daemon
slb daemon stop # Stop daemon
slb daemon status # Check daemon status
slb tui # Launch interactive TUI
slb watch --session-id <id> --json # Stream events for agents
Configuration is hierarchical (lowest to highest priority):
1. Built-in defaults
2. User config (~/.slb/config.toml)
3. Project config (.slb/config.toml)
4. Environment variables (SLB_*)
5. Command-line flags
[general]
min_approvals = 2
request_timeout = 1800 # 30 minutes
approval_ttl_minutes = 30
timeout_action = "escalate" # or "auto_reject", "auto_approve_warn"
[rate_limits]
max_pending_per_session = 5
max_requests_per_minute = 10
[notifications]
desktop_enabled = true
desktop_delay_seconds = 60
[daemon]
tcp_addr = "" # For Docker/remote agents
tcp_require_auth = true
| Pattern | Description |
|---|---|
rm -rf /... |
Recursive delete on system paths |
DROP DATABASE/SCHEMA |
SQL database destruction |
TRUNCATE TABLE |
SQL data destruction |
terraform destroy |
Infrastructure destruction |
kubectl delete node/namespace/pv/pvc |
Kubernetes critical resources |
git push --force |
Force push (not with-lease) |
aws terminate-instances |
Cloud resource destruction |
dd ... of=/dev/ |
Direct disk writes |
| Pattern | Description |
|---|---|
rm -rf |
Recursive force delete |
git reset --hard |
Discard all changes |
git clean -fd |
Remove untracked files |
kubectl delete |
Delete Kubernetes resources |
terraform destroy -target |
Targeted destroy |
DROP TABLE |
SQL table destruction |
chmod -R, chown -R |
Recursive permission changes |
| Pattern | Description |
|---|---|
rm <file> |
Single file deletion |
git stash drop |
Discard stashed changes |
git branch -d |
Delete local branch |
npm/pip uninstall |
Package removal |
| Pattern | Description |
|---|---|
rm *.log, rm *.tmp, rm *.bak |
Temporary file cleanup |
git stash |
Stash changes (not drop) |
kubectl delete pod |
Pod deletion (pods are ephemeral) |
npm cache clean |
Cache cleanup |
Add to your AGENTS.md:
## SLB Integration
Before running any destructive command, use slb:
\`\`\`bash
# Instead of running directly:
rm -rf ./build
# Use slb:
slb run "rm -rf ./build" --reason "Clean build before fresh compile"
\`\`\`
All DANGEROUS and CRITICAL commands must go through slb review.
Generate Claude Code hooks:
slb integrations claude-hooks > ~/.claude/hooks.json
Generate Cursor rules:
slb integrations cursor-rules > .cursorrules
# zsh (~/.zshrc)
eval "$(slb completion zsh)"
# bash (~/.bashrc)
eval "$(slb completion bash)"
# fish (~/.config/fish/config.fish)
slb completion fish | source
.slb/
├── state.db # SQLite database (source of truth)
├── config.toml # Project configuration
├── pending/ # JSON snapshots for watching
│ └── req-<uuid>.json
├── sessions/ # Session files
└── logs/ # Execution logs
└── req-<uuid>.log
Key Design Decision: Client-side execution. The daemon is a NOTARY (verifies approvals) not an executor. Commands execute in the calling process's shell environment to inherit: - AWS_PROFILE, AWS_ACCESS_KEY_ID - KUBECONFIG - Activated virtualenvs - SSH_AUTH_SOCK - Database connection strings
This is expected - slb works without the daemon (file-based polling). Start the daemon for real-time updates:
slb daemon start
Resume your existing session instead of starting a new one:
slb session resume --agent "YourAgent" --create-if-missing
Approvals have a TTL (30min default, 10min for CRITICAL). Re-request if expired:
slb run "<command>" --reason "..." # Creates new request
The command was modified after approval. This is a security feature - re-request approval for the modified command.
slb adds friction and peer review for dangerous actions. It does NOT replace:
- Least-privilege credentials
- Environment safeguards
- Proper access controls
- Backup strategies
Use slb as defense in depth, not your only protection.
To integrate with Claude Code, slb provides a PreToolUse hook that intercepts Bash commands before execution.
# Install hook (generates script and updates Claude Code settings)
slb hook install
# Check installation status
slb hook status
# Test classification without executing
slb hook test "rm -rf ./build"
~/.slb/hooks/slb_guard.py intercepts Bash tool callsslb hook generate # Generate hook script only
slb hook install [--global] # Install to Claude Code settings
slb hook uninstall # Remove hook from settings
slb hook status # Show installation status
slb hook test "<command>" # Test command classification
The hook returns one of three actions to Claude Code:
- allow - Command proceeds without intervention
- ask - User is prompted (CAUTION tier)
- block - Command is blocked with message to use slb request
The pattern matching engine is the core of slb's command classification system.
sudo, doas, env, time, nohup, etc.bash -c 'command' patternsResolves paths: ./foo → /absolute/path/foo
Compound Command Handling: Commands with ;, &&, ||, | are split and each segment is classified independently. The highest risk segment determines the overall tier.
echo "done" && rm -rf /etc → CRITICAL (rm -rf /etc wins)
ls && git status → SAFE (no dangerous patterns)
Shell-Aware Splitting: Separators inside quotes are preserved:
psql -c "DELETE FROM users; DROP TABLE x;" → Single segment (SQL)
echo "foo" && rm -rf /tmp → Two segments
Pattern Precedence: Patterns are checked in order: SAFE → CRITICAL → DANGEROUS → CAUTION
SAFE patterns skip review entirely
Fail-Safe Parse Handling: If command parsing fails (unbalanced quotes, complex escapes), the tier is upgraded by one level:
For commands that wrap SQL (e.g., psql -c "...", mysql -e "..."), pattern matching may not catch embedded statements. The engine includes fallback detection:
DELETE FROM ... (no WHERE clause) → CRITICAL
DELETE FROM ... WHERE ... → DANGEROUS
Agents can add patterns at runtime:
slb patterns add --tier dangerous "docker system prune"
slb patterns list --tier critical
slb patterns test "kubectl delete deployment nginx"
Pattern changes are persisted to SQLite and take effect immediately.
Requests follow a well-defined state machine with strict transition rules.
```