Type: Parachute Safety System · Subject: AI Coding Agent
Private beta · Founder-led onboarding · No card

See and stop risky actions from AI coding agents.

See what Cursor, Claude Code, Codex, Gemini, and Copilot are doing across your team. AgentChute blocks risky actions before they run and keeps the audit trail when something needs review.

  1. See which AI coding tool acted, what it tried, and which rule fired across the whole team.

  2. Stop risky installs, shell commands, file edits, leaked secrets, and policy violations before they run.

  3. Record allowed actions, blocked actions, access changes, and exportable evidence for later review.

Private beta application

Founder-led setup · no credit card


One real repo · One AI coding tool · First event reviewed together

Pre-execution blocks · Cross-tool visibility · Audit-ready event history

Built on top of AgentLint OSS — the open-source linter we maintain for the same problem. AgentLint catches risky behavior locally. AgentChute turns those signals into a team-wide action trail.

Compatibility

Cursor · Claude Code · Codex / Copilot · Gemini

+ any MCP-compatible host

Real CVE · Verifiable on github/advisory-database

Caught a CRITICAL CVE before the install ran.

AgentLint includes hybrid rules that can consult curated security feeds such as GHSA, OSSF, gitleaks, URLhaus, and StevenBlack. Below is the actual rule output for a real npm install command.

claude-code → agentlint check
$ # claude-code is about to run:
$ npm install @clerk/nextjs@7.0.0
permissionDecision DENY
[no-vulnerable-version-install] npm:@clerk/nextjs@7.0.0 is vulnerable per GHSA-vqx2-fgx2-5wq9 (severity: CRITICAL) —
Official Clerk JavaScript SDKs: Middleware-based route protection bypass
→ Upgrade @clerk/nextjs to a version outside the affected range. See the GHSA references for the fix version.
# Same command, with no AgentChute license key:
$ npm install @clerk/nextjs@7.0.0
# (silent — OSS rule self-degrades. Your local AgentLint keeps working; only the cloud-augmented severity is gated.)

Output above is real. The advisory GHSA-vqx2-fgx2-5wq9 is publicly searchable. The rule logic is open-source on GitHub; the curated security-feed data is the cloud half — data is the moat.
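A pre-execution check of this kind can be sketched as follows. This is an added example, not AgentLint's rule code: `check`, `npm_specs`, and the `ADVISORIES` table are hypothetical names, and every version bound in the table is a constructed placeholder rather than data from the GHSA feed.

```python
import shlex

# Constructed advisory table: the package name and GHSA id of the first entry are
# from the page; all version bounds (low inclusive, high exclusive) are placeholders.
ADVISORIES = {
    "@clerk/nextjs": [("GHSA-vqx2-fgx2-5wq9", "CRITICAL", (7, 0, 0), (7, 0, 1))],
    "example-pkg": [("GHSA-0000-0000-0000", "HIGH", (1, 2, 0), (1, 4, 3))],
}
INSTALL_VERBS = {"install", "i", "add"}
SHELL_OPERATORS = set("();<>|&")

def parse_version(text):
    """Parse an exact x.y.z version; None for tags, ranges, or anything else."""
    parts = (text or "").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def split_spec(spec):
    """Split 'name@version' on the last '@' so a scoped '@scope/name' survives."""
    at = spec.rfind("@")
    return (spec, None) if at <= 0 else (spec[:at], spec[at + 1:])

def npm_specs(command):
    """Collect package specs from every 'npm install ...' segment of a command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split, lexer.commenters = True, ""
    segment, specs = [], []
    for tok in list(lexer) + [";"]:          # trailing ';' flushes the last segment
        if tok and set(tok) <= SHELL_OPERATORS:
            if segment[:1] == ["npm"] and segment[1:2] and segment[1] in INSTALL_VERBS:
                specs += [t for t in segment[2:] if t and not t.startswith("-")]
            segment = []
        else:
            segment.append(tok)
    return specs

def check(command):
    """Return (decision, reason); decision is 'deny', 'ask', or 'allow'."""
    try:
        specs = npm_specs(command)
    except ValueError:                       # e.g. unbalanced quotes
        return "ask", "command could not be parsed"
    unpinned = []
    for name, raw in map(split_spec, specs):
        version = parse_version(raw)
        for ghsa, severity, low, high in ADVISORIES.get(name, []):
            if version is None:
                unpinned.append(name)
            elif low <= version < high:
                return "deny", f"npm:{name}@{raw} is vulnerable per {ghsa} (severity: {severity})"
    if unpinned:
        return "ask", "no exact version for: " + ", ".join(unpinned)
    return "allow", ""
```

An unpinned or tagged spec (`@clerk/nextjs`, `@clerk/nextjs@latest`) returns `ask` rather than `allow`, because the version that will actually resolve is unknown at the moment the command is intercepted.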

Section I · Why this exists

AI coding changed the security question.

  1. Hazard 01

    Agents do work, not just suggestions.

    They install packages, edit files, run shell commands, call tools, and touch production paths. The risk is no longer only what the model wrote — it is what the agent is about to do.

  2. Hazard 02

    Every tool sees only its own world.

    Cursor, Claude Code, Codex, Gemini, and Copilot each create their own trail. Engineering leaders need one place to see risky AI actions across the team.

  3. Hazard 03

    PR review and CI are too late.

    CodeRabbit reviews after a PR exists. SAST usually runs after commit. AgentChute sits earlier, inside the AI coding session, before the action runs.

Action surface · What AgentChute watches

Not just the code. The action.

AgentChute is built for the moment before an AI coding agent changes your system: the install, the command, the edit, the secret, the suppression.

  1. Surface 01

    Package installs

    Vulnerable versions, compromised packages, and supply-chain indicators before the install command runs.

  2. Surface 02

    Shell commands

    Destructive, privileged, or infrastructure-touching commands while the agent is still asking to execute.

  3. Surface 03

    File edits

    Risky writes, suspicious patterns, and policy violations as code changes happen in the editor.

  4. Surface 04

    Secrets

    Leaked keys, private-key material, token-like strings, and unsafe credential handling before they spread.

  5. Surface 05

    Policy suppressions

    Ignore comments, noisy rules, and team-level patterns that tell you where guardrails need tuning.

Section II · Operator console

One view across every AI tool.

Real-time violations, rule effectiveness, per-tool breakdowns, blocked actions, audit export, and weekly summaries. The dashboard gives leaders one event trail instead of scattered local logs.

app.agentchute.com / acme-corp
Events captured: 1,185 (+12%)
ERROR violations blocked: 15 (0 leaked)
AI tools covered: 4 (one event trail)

Events by tool (1185 total)
  • Cursor: 482 · 41%
  • Claude Code: 391 · 33%
  • Codex: 218 · 18%
  • Gemini: 94 · 8%

Top rules firing
  • no-vulnerable-version-install · ERROR · 9
  • no-leaked-secret-pattern · ERROR · 4
  • no-compromised-action · ERROR · 2
  • no-vulnerable-import · WARNING · 64
  • no-blocked-domain-fetch · WARNING · 23

Sample console · Beta dashboard

Team control · Supporting infrastructure

Control access without slowing the team down.

Owners can issue separate keys for CI, developers, contractors, and pilots, then revoke access without rotating the whole organization. Every decision stays attached to the team event history.

  1. Control 01

    Separate access

    Use different access paths for CI, developers, contractors, and pilots instead of one shared team secret.

  2. Control 02

    Roll out gradually

    Start with one tool, one project, or one design partner team while keeping the rest of the org unchanged.

  3. Control 03

    Remove access

    Revoke leaked, retired, or temporary access without rotating the whole organization.

  4. Control 04

    Preserve evidence

    Keep access changes attached to the same event history your team reviews later.

Why this matters

Access control is not the headline; it is what makes the action trail usable by a real team. You can pilot AgentChute narrowly, remove access cleanly, and still preserve the evidence.

ci-production · active
contractor-pilot · revoked
dev-laptops · active

Cited evidence · From public record

The cost of inaction is real, recent, and citable.

Every number below comes from a public report. We don't invent industry-average estimates — each one links to the source so you can verify it.

  1. Exhibit 01
    9 seconds to delete prod DB + backups

    Cursor + Claude Opus 4.6 wipes PocketOS production database in 9 seconds

  2. Exhibit 02
    $25,000 in bug bounties from secrets in 'deleted' commits

    Security researcher earns $25K finding secrets in 'deleted' GitHub commits

  3. Exhibit 03
    775 GitHub tokens, 373 AWS, 300 GCP, 115 Azure credentials stolen

    Sha1-Hulud worm hits Postman, Zapier, PostHog via NPM

    Wiz · 2025-11-23


Section III · Maintainer credentials

Built by people who've scaled this exact problem.

Mauricio Perez Romero
HoE at WAG · Founding HoE Félix Pago · ex-Lyft, Nubank

I lead engineering at WAG, an AI-native platform running on AI-coding workflows end-to-end. Median cycle time went from 3 days to 1 day. That's when I learned the hard part isn't getting AI to ship code — it's seeing what your AI actually shipped. That's where AgentChute started.

Why I built this

When an agent can run gcloud, kubectl, terraform, or iptables, the blast radius isn't a bad commit — it's a production outage or a deleted database. We're building the tooling and intuition for autonomous agent safety in the open.


Founding Head of Engineering at Félix Pago (QED, General Catalyst, Monashees · $75M Series B), scaling cross-border payments from zero to $250M+/month volume and 1M+ customers.

Prior IC at Lyft and Nubank. 100+ engineers hired across orgs, 1,000+ engineering interviews. Master's in Blockchain. Bilingual EN/ES.

AgentLint v2.2.1 · Live in production · MIT-licensed

AgentLint OSS is the foundation.

The open-source linter that runs on every developer's machine. AgentChute adds the org-wide action trail, blocked decisions, and event history on top.

Lint rules: 76
Rule packs: 8
AI platforms supported: 10
Hook events covered: 17

  • Multi-platform adapter architecture — Claude Code, Cursor, Codex, Gemini, OpenAI Agents, MCP hosts, generic HTTP, plus any AGENTS.md-compatible tool.
  • Native MCP server — query rules, suppress violations, get config from any MCP host.
  • Session summary, auto-fix, diff-only mode — production-grade, not a prototype.

Section IV · Deployment procedure

Live in 30 seconds.

No SDK to integrate. No PR pipeline to rewrite. AgentLint hooks into the AI coding tools your team already uses.

  1. Step 01

    Sign in with email

    Apply for the private beta. We review fit manually before opening access.

  2. Step 02

    Install AgentLint OSS

    Works with Cursor, Claude Code, Codex, Gemini, MCP hosts, and AGENTS.md-compatible tools.

    $ pip install agentlint
  3. Step 03

    Connect team access

    Set AGENTCHUTE_LICENSE_KEY=ac_team_... in the AI coding environment. Events stream to your dashboard, and owners can revoke access when teams or environments change.

    $ export AGENTCHUTE_LICENSE_KEY=ac_team_...

Pricing · Simple by design

Free for one dev. Paid for teams.

AgentLint OSS stays free forever. AgentChute is the paid team layer: shared visibility, controlled rollout, revocation, and audit history across AI coding tools.

Solo

$0 / forever

No card · No expiry · No catch

  • 01 Local guardrails for one developer
  • 02 MIT-licensed rules that run on your machine
  • 03 No card, no trial clock, no cloud account required
  • 04 AgentChute starts when a team needs shared visibility
  • 05 Private beta for teams using AI agents in real repositories

AgentChute beta

Private beta is free while we onboard the first design partners. Paid team plans are expected to start at $249/mo per team after beta, including up to 10 developers and unlimited AI coding tools, for shared action history, controlled access, revocation, audit export, and weekly digest.

No pricing table yet

We are not forcing a checkout before the product proves value in real team workflows. Growth teams can add developers at $15/dev/mo before Enterprise; SSO, a DPA, custom retention, or private deployment become a security/procurement conversation. Email us with your team size and we'll scope the right beta path.

Compatibility · Integration matrix

Works with the tools your team already uses.

AgentLint OSS ships native adapters for the main AI coding surfaces plus MCP and AGENTS.md-compatible workflows. AgentChute turns those local signals into one team event trail.

Tool | Integration method | Status
01 Cursor | Native hooks (18 events) | Live
02 Claude Code | Native hooks (17 events) | Live
03 Gemini Code Assist | Native hooks (11 events) | Live
04 Codex / GitHub Copilot | Native hooks (6 events) | Live
05 MCP hosts | MCP server | Live

Plus any AGENTS.md-compatible tool · Aider, OpenAI Agents SDK, and others

Routing · Where alerts go

Where alerts go.

We build integrations on customer pull, not roadmap promises. The universal webhook is the next integration layer; first-class Slack and PagerDuty follow when enough paying customers ask for them.

  • Webhook API

    Outbound JSON POST for Slack bots, PagerDuty, Datadog, or your internal security workflow.

    Coming next
  • Slack alerts (first-class)

    Native Slack app with per-channel rule routing and approval workflows.

    When 10 customers ask
  • PagerDuty

    Direct incident creation for ERROR-severity rules.

    When 10 customers ask
  • SIEM (Splunk, Datadog, Sumo Logic)

    Streaming export of every event in OCSF format. Custom contract.

    Enterprise tier

Want Slack first-class? Tell us — every request counts toward the 10-customer threshold.

Architecture · Two surfaces

Two products. Two jobs.

AgentLint OSS protects every developer. AgentChute shows every leader. You need both.

Open source · For every dev

AgentLint OSS

MIT

Catches secrets, force-pushes, broken tests, and dozens more on the developer's machine — before bad code is committed.

  • 01 Local guardrails on every dev's machine
  • 02 76 rules across 8 packs
  • 03 10 AI platforms supported
  • 04 Native MCP server + adapters
  • 05 MIT-licensed forever
  • 06 Inline session reports
Free

Forever · MIT-licensed

pip install agentlint

Hosted · For leaders

AgentChute

Early access

Everything in OSS, plus the org-wide visibility, policy, action history, controlled access, and audit-history foundation that a single-machine linter can't deliver.

  • +01 Org-wide aggregation across every dev
  • +02 Cross-tool unified view (Cursor + Claude Code + Codex + …)
  • +03 Blocked and allowed action history
  • +04 Controlled rollout for CI, devs, and contractors
  • +05 Revocation history for security review
  • +06 Audit CSV export, weekly digest, and coming next: webhooks
$249 / mo

Expected after beta · up to 10 devs

Apply for beta

The OSS isn't crippled to push you toward AgentChute. It can't aggregate across machines because it runs on one machine. AgentChute is the layer that exists above it — different job, different product.

Comparison · AI coding stack

Keep your AI tools. Add control.

ChatGPT, Claude, Cursor, Copilot, CodeRabbit, and Greptile help teams create and review code. AgentChute is the team visibility and guardrail layer around that activity: what happened, which tool did it, which guardrail fired, and what needs review.

 | AgentChute | Adjacent tools | Difference
ChatGPT, Claude, Gemini | Records team-wide AI coding events and guardrail outcomes | Answer questions, generate code, explain systems | They create work. AgentChute shows what happened across the team.
Cursor, Copilot, Claude Code | Cursor + Claude Code + Copilot + Gemini | Run inside the editor or agent session | Each tool sees its own context. AgentChute aggregates the risk trail.
CodeRabbit, Greptile, Qodo | Catches risky agent behavior before or around commit time | Review pull requests and suggest fixes | Review tools inspect code after it exists. AgentChute watches the workflow.
Team budget | $249 / mo for up to 10 developers, unlimited tools | A 10-dev AI stack can run hundreds per month | One team-wide layer around tools the team already pays for.

A 10-dev team can easily spend $800+/mo across Cursor, Claude, Copilot, and AI review tools. $249/mo AgentChute covers up to 10 developers and any mix of AI coding tools as the visibility and guardrail layer around the spend you already approved.

Eligibility · Who this is for

Who this is for.

  • 01 Engineering leaders at 5–100 dev teams
  • 02 Engineering teams using ANY AI coding tool — or a mix of several
  • 03 Engineering teams shipping at AI velocity, worrying about AI quality
  • 04 Anyone whose SOC2 / ISO 27001 / customer auditor asked 'how do you govern AI codegen?'

Reference · Frequently asked

Questions a CTO actually has.

Q.01
Is my source code uploaded to your servers?
No. AgentLint runs locally on each developer's machine. AgentChute receives operational metadata such as rule IDs, severity, timestamps, tool name, team/access identifiers, and the file path metadata needed to explain the event. Source code, secrets, and prompts are not uploaded.
Q.02
AgentLint OSS is free — why pay for AgentChute?
AgentLint catches risky behavior locally on one machine. AgentChute turns those signals into a team-wide action trail: what happened, which AI tool did it, which rule fired, whether the action was allowed or blocked, and what your team needs to review later. The team layer adds shared history, access revocation, CSV audit export, and weekly summaries.
Q.03
How is this different from CodeRabbit or Greptile?
Those are AI review tools. CodeRabbit and Greptile inspect code after a PR or review context exists. AgentChute sits around the AI coding workflow itself: which tool acted, which guardrail fired, whether it was allowed or blocked, and what the team needs to review later.
Q.04
Does it work if my team uses different AI tools?
Yes — that's the point. AgentLint supports Cursor, Claude Code, Codex / GitHub Copilot, Gemini, MCP hosts, OpenAI Agents SDK, and other AGENTS.md-compatible workflows. AgentChute gives the team one event trail across that stack.
Q.05
What if a rule fires incorrectly?
Developers suppress any rule with an inline comment (`# agentlint: ignore=rule-id`). AgentChute tracks suppression rates per rule across your team — so when a rule's noisy, you see the data and can tune the policy globally. Security tools die from noise; we instrument the noise so you can fix it instead of disabling the rule.
Q.06
When does it cost money?
AgentLint OSS is permanently free for individual developers. AgentChute becomes the paid layer when a team needs shared action history, cross-tool visibility, controlled rollout, and evidence for risky AI coding behavior. Private beta is free while we onboard design partners; paid team plans are expected to start at $249/mo after beta for teams up to 10 developers, with no cap on AI coding tools.
Q.07
How is it priced when launched?
AgentLint OSS is free. AgentChute private beta is free for design partners. Paid team plans are expected to start at $249/mo after beta for teams up to 10 developers. Growth is $499/mo for up to 25 developers, then $15/dev/mo before Enterprise. SSO, SAML, custom retention, DPA/security review, or private deployment needs remain custom.
Q.08
What about SOC2, GDPR, data residency?
AgentChute is building toward SOC 2-oriented evidence workflows, but private beta should be treated as an audit-history foundation, not a completed compliance control or certification. CSV export exists for event evidence; DPA flow, data-residency options, and formal security review come before broader production rollout.

Closing remarks

Bring one real repo. We'll review the first event together.

Apply for the private beta. We're onboarding selected teams manually: one repo, one AI coding tool, a 30-minute setup call, and no credit card.
