{"id":47888657,"url":"https://github.com/marcelocantos/doit","last_synced_at":"2026-04-08T15:00:41.908Z","repository":{"id":340968734,"uuid":"1168384287","full_name":"marcelocantos/doit","owner":"marcelocantos","description":"Capability broker for Claude Code — tiered safety, argument rules, audit logging","archived":false,"fork":false,"pushed_at":"2026-03-08T05:44:11.000Z","size":155,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-03-08T10:21:58.729Z","etag":null,"topics":["audit-log","capability-broker","claude-code","go","safety"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/marcelocantos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-27T10:22:55.000Z","updated_at":"2026-03-08T05:44:12.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/marcelocantos/doit","commit_stats":null,"previous_names":["marcelocantos/doit"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/marcelocantos/doit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcelocantos%2Fdoit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcelocantos%2Fdoit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcelocantos%2Fdoit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcelocantos%2Fdoit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/marcelocantos","download_url":"https://codeload.github.com/marcelocantos/doit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcelocantos%2Fdoit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31385266,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T01:22:39.193Z","status":"online","status_checked_at":"2026-04-04T02:00:07.569Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-log","capability-broker","claude-code","go","safety"],"created_at":"2026-04-04T02:26:31.737Z","updated_at":"2026-04-08T15:00:41.903Z","avatar_url":"https://github.com/marcelocantos.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# doit\n\nA capability broker for [Claude Code](https://docs.anthropic.com/en/docs/claude-code).\nAdd `Bash(doit:*)` to your allowed tools and every shell command flows through\na single audited binary with tiered safety controls.\n\n## Why\n\nClaude Code's `Bash` tool is powerful but blunt — any command can run with no\nguardrails beyond the user clicking \"allow\". doit sits in between, providing:\n\n- **Safety tiers** — each capability is classified as read, build, write, or\n  dangerous. Dangerous operations (rm, chmod, git push) are disabled by default.\n- **Argument-level rules** — configurable rules block footguns like `make -j`,\n  `git push --force`, and `git checkout .` before they execute.\n- **Tamper-evident audit log** — every invocation is recorded in a SHA-256\n  hash-chained log that can be verified for integrity.\n- **Pipeline syntax** — Unicode operators (`¦`, `›`, `‹`, `＆＆`, `‖`, `；`)\n  replace shell metacharacters, letting doit validate every segment of a\n  pipeline before anything runs.\n\n## Install\n\nRequires Go 1.25+.\n\n```sh\ngit clone https://github.com/marcelocantos/doit.git\ncd doit\nmake install    # builds and copies to $GOPATH/bin\n```\n\nOr build without installing:\n\n```sh\nmake            # binary at bin/doit\n```\n\n## Quick start\n\n1. **Configure Claude Code** to route all shell commands through doit. In your\n   project's `.claude/settings.json` (or the global equivalent):\n\n   ```json\n   {\n     \"permissions\": {\n       \"allow\": [\"Bash(doit:*)\"],\n       \"deny\": [\"Bash\"]\n     }\n   }\n   ```\n\n2. **Run commands** through doit:\n\n   ```sh\n   doit ls -la\n   doit git status\n   doit grep -r TODO src/\n   ```\n\n3. **Run pipelines** with the `¦` operator:\n\n   ```sh\n   doit grep -r TODO src/ ¦ sort ¦ uniq -c ¦ head -20\n   ```\n\n4. **Check available capabilities** and their tiers:\n\n   ```sh\n   doit --list\n   ```\n\n## Usage\n\n### Direct execution\n\n```\ndoit \u003ccapability\u003e [args...]\n```\n\n### Pipelines\n\n```\ndoit \u003ccmd\u003e [args...] ¦ \u003ccmd\u003e [args...] ¦ ...\n```\n\n### Redirects\n\nUse `›` to redirect stdout to a file and `‹` to redirect stdin from a file:\n\n```\ndoit sort ‹ input.txt ¦ uniq -c › results.txt\n```\n\n### Compound commands\n\nChain pipelines with conditional operators:\n\n| Operator | Meaning | Equivalent |\n|---|---|---|\n| `＆＆` | and-then (run next if previous succeeded) | `\u0026\u0026` |\n| `‖` | or-else (run next if previous failed) | `\\|\\|` |\n| `；` | sequential (run next regardless) | `;` |\n\n```\ndoit make build ＆＆ git add -A ＆＆ git commit -m \"build ok\"\n```\n\n### Listing capabilities\n\n```\ndoit --list                  # all capabilities\ndoit --list --tier read      # only read-tier capabilities\n```\n\n## Safety tiers\n\n| Tier | Examples | Default |\n|---|---|---|\n| read | cat, grep, head, ls, tail, wc, find, git status | enabled |\n| build | make, go build | enabled |\n| write | cp, mv, mkdir, tee, git add/commit | enabled |\n| dangerous | rm, chmod, git push/reset/clean | **disabled** |\n\nTiers are configured in `~/.config/doit/config.yaml`:\n\n```yaml\ntiers:\n  read: true\n  build: true\n  write: true\n  dangerous: false    # enable at your own risk\n```\n\n## Rules\n\nBeyond tiers, doit enforces argument-level rules that block specific flag\ncombinations.\n\n### Default rules\n\n| Capability | Blocked | Why |\n|---|---|---|\n| `make` | `-j` | Parallel make can mask errors |\n| `git push` | `--force`, `-f`, `--force-with-lease` | Force-push destroys remote history |\n| `git reset` | `--hard` | Discards uncommitted changes |\n| `git checkout` | `.` | Silently discards all changes |\n| `rm` | `-rf /`, `-rf .`, `-rf ~` | Catastrophic deletion (hardcoded, cannot be bypassed) |\n\n### Rule types\n\n- **Hardcoded rules** block permanently catastrophic operations. They cannot be\n  bypassed. Don't retry.\n- **Config rules** block risky-but-sometimes-needed operations. They can be\n  bypassed with `--retry` after explicit user approval:\n\n  ```sh\n  doit --retry make -j4 all\n  doit --retry git push --force origin master\n  ```\n\n### Custom rules\n\nOverride default rules in `~/.config/doit/config.yaml`:\n\n```yaml\nrules:\n  make:\n    reject_flags: [\"-j\"]\n  git:\n    subcommands:\n      push:\n        reject_flags: [\"--force\", \"-f\", \"--force-with-lease\"]\n      reset:\n        reject_flags: [\"--hard\"]\n```\n\n## Audit log\n\nEvery invocation is recorded in a hash-chained append-only log at\n`~/.local/share/doit/audit.jsonl`.\n\n```sh\ndoit --audit show       # view recent entries\ndoit --audit verify     # check hash chain integrity\n```\n\nEach entry records the command, capabilities used, tiers, exit code, duration,\nworking directory, and whether `--retry` was used. The SHA-256 hash chain makes\ntampering detectable.\n\n## Agent integration\n\nIf you use an agentic coding tool (Claude Code, Cursor, Copilot, etc.), see\n[`agents-guide.md`](agents-guide.md) for a concise reference to include in your\nproject context, or run `doit --help-agent` for the full guide.\n\n## Configuration\n\nConfig file: `~/.config/doit/config.yaml`\n\n```yaml\ntiers:\n  read: true\n  build: true\n  write: true\n  dangerous: false\n\naudit:\n  path: ~/.local/share/doit/audit.jsonl\n\nrules:\n  make:\n    reject_flags: [\"-j\"]\n  git:\n    subcommands:\n      push:\n        reject_flags: [\"--force\", \"-f\", \"--force-with-lease\"]\n      reset:\n        reject_flags: [\"--hard\"]\n```\n\nAll fields are optional — doit uses sensible defaults when no config file exists.\n\n## License\n\nApache 2.0 — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcelocantos%2Fdoit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarcelocantos%2Fdoit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcelocantos%2Fdoit/lists"}