Product

Local control for AI agents

Night Agent runs on the computer, intercepts agent actions before execution, and enforces policy where the work actually happens.

What ships locally

PATH shims, shell hooks, and MCP hooks

Deterministic YAML policy

Docker isolation and signed audit logs

Intercept before execution

The product supports multiple entry points so control does not depend on one specific agent.

PATH shims

`nightagent init` places wrappers for binaries like `bash`, `git`, and `python3`, so commands pass through the guardian first.

Shell hook

A preexec hook catches commands typed in the terminal before the shell actually runs them.

MCP hook for Claude Code

`nightagent mcp-hook` intercepts tool calls like Bash, Read, Write, Edit, Glob, Grep, and WebFetch before execution.

Clear outcomes, not vague scoring

Policy decides what happens. Risk signals support the review but do not override the rules.

Allow

Safe work continues normally on the computer.

Block

The action is stopped before it can run.

Ask

The action waits for manual confirmation.

Sandbox

The action continues inside Docker instead of touching the host.

Readable policy in YAML

The rule system stays deterministic, readable, and easy to review.

```yaml
version: 1
rules:
  - id: block_sudo
    when:
      action_type: shell
      command_matches: ["sudo *"]
    decision: block
    reason: "sudo disabled"

  - id: ask_for_ssh_access
    when:
      action_type: shell
      command_matches: ["cat ~/.ssh/*", "scp *"]
    decision: ask
    reason: "manual confirmation required"

  - id: sandbox_python_scripts
    when:
      action_type: shell
      command_matches: ["python3 *.py"]
    decision: sandbox
    sandbox:
      image: "python:3.12-alpine"
      network: "none"
    reason: "run in isolated environment"

  - id: allow_git_status
    when:
      action_type: git
      command_matches: ["git status", "git log *"]
    decision: allow
```
  • Cloud policy can override local policy when connected.
  • Project-level policy can live alongside the repo.
  • Changes hot-reload without restarting the daemon.

Isolation and auditability

When blocking is too strict, Night Agent can isolate work. Whatever happens, the decision stays traceable.

Docker sandbox

  • Workspace mounted as `/workspace`
  • Networking disabled by default
  • Command output and exit code returned normally

Signed audit log

  • Each event is written as JSONL
  • HMAC signatures and `prev_hash` protect integrity
  • `nightagent verify` checks the local chain

```json
{"timestamp":"2026-04-14T08:11:03Z","agent":"claude-code","channel":"mcp_hook","action_type":"shell","command":"sudo rm -rf /tmp/demo","decision":"block","reason":"sudo disabled","risk_level":"high","prev_hash":"af91d2...","signature":"9f4c11..."}
{"timestamp":"2026-04-14T08:11:09Z","agent":"claude-code","channel":"mcp_hook","action_type":"shell","command":"python3 script.py","decision":"sandbox","sandboxed":true,"sandbox_image":"python:3.12-alpine","network":"none","risk_level":"medium","anomaly_detected":true,"suggestions":["consider a dedicated rule for python3 *.py"],"prev_hash":"be72aa...","signature":"1b0d83..."}
{"timestamp":"2026-04-14T08:11:15Z","agent":"codex","channel":"path_shim","action_type":"git","command":"git status","decision":"allow","risk_level":"low","cloud_synced":true,"prev_hash":"c91ed0...","signature":"53b6fd..."}
```
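
An added example, not Night Agent's code or its actual log format: how an HMAC signature plus a `prev_hash` link makes a JSONL log tamper-evident. The key, genesis value, canonical JSON encoding, and SHA-256 hash of the previous line are assumptions for illustration.

```python
from __future__ import annotations
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: constructed secret, not a real key
GENESIS = "0" * 64             # assumption: prev_hash of the first event

def canonical(event: dict) -> bytes:
    """Stable encoding so hashes and signatures are reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def sign(body: dict, key: bytes) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def append_event(log: list[str], event: dict, key: bytes = KEY) -> None:
    """Link the event to the previous line, sign it, append one JSONL line."""
    prev = hashlib.sha256(log[-1].encode()).hexdigest() if log else GENESIS
    body = dict(event, prev_hash=prev)
    log.append(canonical(dict(body, signature=sign(body, key))).decode())

def verify_chain(log: list[str], key: bytes = KEY) -> int | None:
    """Return None if every line verifies, else the index of the first bad line."""
    expected_prev = GENESIS
    for i, line in enumerate(log):
        try:
            record = json.loads(line)
            sig = record.pop("signature")
            ok = hmac.compare_digest(sig, sign(record, key))
        except (ValueError, KeyError, TypeError, AttributeError):
            return i  # unparsable line, missing or malformed signature
        if not ok or record.get("prev_hash") != expected_prev:
            return i  # edited content, or a line removed/reordered before it
        expected_prev = hashlib.sha256(line.encode()).hexdigest()
    return None

def sample_log() -> list[str]:
    """Constructed events modelled on the page's three sample decisions."""
    log: list[str] = []
    for kind, cmd, decision in [
        ("shell", "sudo rm -rf /tmp/demo", "block"),
        ("shell", "python3 script.py", "sandbox"),
        ("git", "git status", "allow"),
    ]:
        append_event(log, {"action_type": kind, "command": cmd, "decision": decision})
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))
    log[0] = log[0].replace('"block"', '"allow"')
    print("first bad line after edit:", verify_chain(log))
```

A chain like this detects edits, removals, and reordering inside the file, but dropping lines from the end leaves a shorter chain that still verifies, so the latest hash has to be recorded somewhere outside the file.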

Built for agent workflows teams already run

Night Agent stays close to execution and fits existing local tooling.

Claude Code

Intercept PreToolUse events and apply policy before tool execution.

Codex

Control shell-based workflows that run through the local environment.

Terminal workflows

Cover direct shell usage and scripted execution paths with the same policy layer.