Quickstart

From nothing to watching Axtary block an agent's unsafe action — under ten minutes, no credentials required. Everything starts in deterministic fake mode, so there's nothing to sign up for and no token to paste.

1. Install

npm install -g @axtary/cli

Or run from source:

git clone <repo-url> axtary && cd axtary
npm install && npm run build:cli
alias axtary="node $PWD/packages/cli/dist/bin.js"

2. Scaffold and check

mkdir my-protected-project && cd my-protected-project
axtary init
axtary doctor connectors --config axtary.yml

init writes a starter axtary.yml (fake GitHub/Slack/Linear adapters — no tokens) and a policy that denies .env*/secrets/ reads, requires step-up approval for auth/, billing/, infra/prod/ writes, and allowlists #axtary-dev for Slack. doctor shows what each connector needs before you ever switch one to real mode.

3. See the loop end to end

axtary demo --config axtary.yml

Safe and unsafe GitHub/Slack/Linear/MCP actions run through policy → ActionPass signing → proxy → fake adapters → the hash-chained ledger at .axtary/actions.jsonl. You'll see allows, denies, and step-ups, each with a reason.

4. First blocked action

Start the enforcement point (leave it running):

axtary proxy --config axtary.yml

In another terminal, simulate a coding agent trying to read a secret:

echo '{"cwd":"'$PWD'","tool_name":"Read","tool_input":{"file_path":"'$PWD'/.env.production"}}' \
  | axtary hook claude-code

You'll get a deny with the blocked path prefixes named, and the decision is written to the ledger.

Why does a local file read show up as github.contents.read? Axtary normalizes every tool call to a provider-neutral action shape so one policy covers file reads, PR creates, and Slack posts alike. The github. prefix is the content namespace, not a network call to GitHub.

5. Gate a real agent

  • Claude Code: add the PreToolUse hook to your project's .claude/settings.json, then ask Claude Code to read .env.production — it gets denied and self-corrects.
  • Any MCP agent: run axtary mcp serve and point Claude Code / Cursor / Codex at it.

Where to go next

  • Switch a connector to real mode: set its env token (or run axtary connect linear), change mode: fake → its real mode in axtary.yml, and re-run doctor + smoke.
  • Read Core concepts to understand ActionPass, policy, and the ledger.