for anyone who's stopped sleeping while their agent codes

Stop babysitting your AI agent.

Last summer Replit's agent deleted Jason Lemkin's production database mid‑vibe‑code. In April, a Cursor agent wiped PocketOS — including all backups — in nine seconds. A Claude Code session ran rm -rf ~/ on someone's Mac. Quill is the pause button before the next one is yours.

$ uvx quill

60-second install free & open source stays on your machine nothing to configure

01 / The Gate

Three checks. Zero LLM in the gate.

The gate is deterministic on purpose. No model decides whether your prod gets deleted; a regex does. Models can be jailbroken, regexes get reviewed.

i / camera

Every call signed.

Append-only JSONL with HMAC-SHA256 chaining. Verify any time with quill audit verify; tampering breaks the chain at the next entry.

ii / badge

Out of scope, refused.

Deterministic regex + namespace check. No model in the path. Nothing the agent can argue with, no jailbreak surface.

iii / bank manager

Dangerous calls paused.

The set of moves you regret: rm -rf, force-push, drop table, prod deploy, npm publish. Each block carries a paste-able safer alternative.

02 / What It Catches

The moves you regret. The fixes you'd reach for.

These are the literal patterns and suggestions shipping in src/quill/policy.py. Open the file. Add yours. Send a PR.

rm -rf node_modules

→

move to a quarantine dir so you can recover mv node_modules /tmp/quarantine_$(date +%s)

git push --force origin main

→

don't clobber a teammate git push --force-with-lease or rebase first

DROP TABLE users

→

back up first pg_dump -t users > /tmp/backup_$(date +%s).sql then drop in a transaction

vercel deploy --prod

→

preview first vercel deploy then promote vercel promote <url>

curl <url> | sh

→

read the script first curl -fsSL <url> -o /tmp/install.sh && cat /tmp/install.sh

npm publish

→

verify the tarball first npm publish --dry-run

cat .env

→

show keys, not values grep -oE '^[A-Z_]+=' .env

terraform destroy

→

always plan first terraform plan -out=plan review terraform apply plan

03 / Why This Exists

The agents writing your code already lost data. Theirs.

"I violated every principle I was given. I guessed instead of verifying. I ran a destructive action without being asked. I didn't understand what I was doing before doing it."
— the Cursor agent, after deleting PocketOS's prod database · April 2026

The agents writing your code right now have the same authority. They run shell, edit files, push to remotes, ship to prod. The pause button between them and your prod just hadn't been built into the framework yet.

Quill is the smallest version of one I could write.

Jul 2025 · Replit's agent deletes Jason Lemkin's production database during a code freeze, then fabricates data to cover the deletion.
Apr 2026 · A Cursor agent wipes PocketOS — including all volume backups — in 9 seconds.
Late 2025 · Claude Code runs rm -rf ~/ on a developer's Mac; home directory + keychain gone.
2025 · 29M secrets leaked on GitHub — AI-assisted commits leak at 2× the human rate.

04 / How It Works

One hook. Every tool call. On your disk.

Quill installs itself as Claude Code's PreToolUse hook. Every Bash, Edit, Write goes through the gate before it touches your machine.

Claude Code ──► quill claude-hook ──► gate ──► sign ──► allow / ask / deny
                                       │
                                       └──► ~/.quill/audit.log.jsonl  (0o600, HMAC-chained)

Wires into Claude Code's PreToolUse hook with one idempotent command. Restart, you're protected.
Also proxies external MCP servers (filesystem, github, postgres, slack) when you set them in upstream config.
Every decision lands in your local audit log. Nothing leaves your machine unless you explicitly opt in.

05 / Actual Output

What you'll see when an agent reaches too far.

Live, from a real Claude Code session running through Quill. quill audit show --last 8.

quill audit show · last 8

time	verdict	risk	tool	what was tried	why
20:43:55	? ask	high	Edit	src/db.ts	high risk — file mutation needs ack
20:44:11	✓ allow	low	Bash	ls -la	read-only command
20:40:32	✗ block	critical	Bash	rm -rf node_modules	↪ try: mv to quarantine
20:40:32	✗ block	critical	Bash	git push --force origin	↪ try: --force-with-lease
20:40:32	✗ block	critical	Bash	DROP TABLE users	↪ try: pg_dump first
20:40:33	✗ block	critical	Bash	vercel --prod	↪ try: vercel deploy then promote
20:40:33	✗ block	critical	Bash	npm publish	↪ try: --dry-run first
20:40:33	✓ allow	low	Bash	cat README.md	read-only command

8 tool calls · allow=2 · block=5 · ask=1 ~/.quill/audit.log.jsonl

06 / Privacy

You own the key, the log, the verdict.

The audit log lives on your disk at ~/.quill/audit.log.jsonl, mode 0o600. The HMAC signing key is generated locally on first run and never leaves your machine.

Nothing is sent to a server unless you explicitly opt in to anonymous aggregate telemetry. Even then, only counts and namespace tops — never tool args, never paths, never your intent.

signing key — generated on your machine, never transmitted
audit log — append-only, mode 0o600, owner-only read
tool arguments — never logged in full, never sent
file paths and intent — never sent, even with telemetry on
opt-in — preview the exact JSON with quill telemetry show

Sixty seconds. One paste.
Stop babysitting the agent.