dormstern
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 62 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 47 additions & 189 deletions b/‎README.md‎
Lines changed: 47 additions & 189 deletions
diff --git a/‎examples/shield.yaml‎ ‎examples/leash.yaml‎examples/shield.yaml renamed to examples/leash.yaml b/‎examples/shield.yaml‎ ‎examples/leash.yaml‎examples/shield.yaml renamed to examples/leash.yaml
diff --git a/‎tests/shield.test.ts‎ ‎tests/leash.test.ts‎tests/shield.test.ts renamed to tests/leash.test.ts b/‎tests/shield.test.ts‎ ‎tests/leash.test.ts‎tests/shield.test.ts renamed to tests/leash.test.ts
@@ -0,0 +1,62 @@
+# Contributing to leashed
+
+Thanks for your interest in contributing.
+
+## Getting Started
+
+```bash
+git clone https://github.com/dormstern/leashed.git
+cd leashed
+npm install
+npm run build
+npm test
+```
+
+No AnchorBrowser API key is needed for development — all tests run against mocked sessions.
+
+## Making Changes
+
+1. Fork the repo and create a branch from `main`
+2. Write or update tests for your changes
+3. Run `npm test` to make sure everything passes
+4. Run `npm run build` to verify TypeScript compilation
+5. Open a pull request
+
+## Project Structure
+
+```
+src/
+  index.ts        # createLeash() — main entry point
+  policy.ts       # Pattern matching + deny-first evaluation
+  session.ts      # AnchorBrowser session lifecycle
+  audit.ts        # JSONL audit log
+  output-scanner.ts # Post-execution output scanning
+  cli.ts          # npx leashed commands
+  types.ts        # TypeScript types
+  constants.ts    # Shared constants
+tests/
+  leash.test.ts   # Integration tests (mocked AnchorBrowser)
+  policy.test.ts  # Policy evaluation unit tests
+  audit.test.ts   # Audit log unit tests
+  cli.test.ts     # CLI unit tests
+  output-scanner.test.ts # Output scanner tests
+examples/
+  leash.yaml      # Example policy file
+  basic.ts        # Minimal usage example
+  openclaw-inbox.ts # OpenClaw inbox agent example
+```
+
+## Coding Standards
+
+- TypeScript strict mode
+- Tests via Vitest
+- No runtime dependencies beyond `anchorbrowser`, `js-yaml`, `picomatch`
+- Fail closed — errors are reported as blocked, never silently swallowed
+
+## Reporting Bugs
+
+Use the [bug report template](https://github.com/dormstern/leashed/issues/new?template=bug_report.md). Include your policy config and Node version.
+
+## Security Vulnerabilities
+
+Do **not** file a public issue for security vulnerabilities. See [SECURITY.md](./SECURITY.md).
@@ -4,11 +4,10 @@
 
 Policy, audit, kill switch for any AI agent with access to your accounts.
 
-[![npm version](https://img.shields.io/npm/v/leashed)](https://www.npmjs.com/package/leashed)
+[![npm version](https://img.shields.io/npm/v/leashed?color=blue)](https://www.npmjs.com/package/leashed)
 [![license](https://img.shields.io/npm/l/leashed)](./LICENSE)
 [![tests](https://img.shields.io/badge/tests-67%20passing-brightgreen)](#)
-
-**[See the full showcase →](https://behalf.work/harness/)**
+[![CI](https://github.com/dormstern/leashed/actions/workflows/ci.yml/badge.svg)](https://github.com/dormstern/leashed/actions/workflows/ci.yml)
 
 ### OpenClaw sales bot — leashed
 
@@ -18,10 +17,6 @@ Policy, audit, kill switch for any AI agent with access to your accounts.
 
 ![Work assistant demo](docs/demos/work-assistant-demo.gif)
 
-## The Problem
-
-[42,000 live credentials leaked](https://www.wired.com/story/ai-agent-credential-leaks/) from AI agent workflows. The community's response? Buy a separate Mac Mini. **leashed replaces the Mac Mini** — software governance instead of hardware isolation.
-
 ## Quick Start
 
 You need an [AnchorBrowser](https://anchorbrowser.io) API key: `export ANCHOR_API_KEY=your-key`
@@ -37,7 +32,7 @@ npm install leashed
 Create `leash.yaml`:
 
 ```yaml
-agent: my-openclaw-sales-bot
+agent: my-sales-bot
 rules:
   allow:
     - "read*"
@@ -68,223 +63,86 @@ const result2 = await leash.task('export all contacts to CSV')
 // → { allowed: false, reason: 'blocked by deny pattern: *export*' }
 ```
 
-That's it. Every `leash.task()` call is policy-checked, audited, and budgeted.
-
-## Common Use Cases
-
-People give agents their passwords every day. Here's what they're afraid of — and how `leashed` fixes it.
-
-### 1. LinkedIn Sales Agent (OpenClaw)
-
-**The fear:** Your bot has your LinkedIn password. It's supposed to read your inbox and check messages. But what if it starts mass-connecting, exporting contacts, or changing your profile?
-
-**With leashed:**
-
-```yaml
-agent: linkedin-sales-bot
-rules:
-  allow:
-    - "read*"
-    - "list*"
-    - "check*"
-    - "search*"
-  deny:
-    - "*send*"
-    - "*connect*"
-    - "*export*"
-    - "*settings*"
-    - "*password*"
-default: deny
-expire_after: 60min
-max_actions: 50
-```
-
-Read inbox, check messages — allowed. Mass-connect, export contacts — blocked before it starts.
-
-### 2. Email & Calendar Assistant
-
-**The fear:** Your assistant has your Gmail. It reads your calendar and summarizes emails. But what if it deletes messages, forwards sensitive emails externally, or changes your billing settings?
-
-**With leashed:**
-
-```yaml
-agent: daily-briefing
-rules:
-  allow:
-    - "read*"
-    - "list*"
-    - "check*"
-    - "summarize*"
-  deny:
-    - "*delete*"
-    - "*forward*"
-    - "*billing*"
-    - "*settings*"
-    - "*password*"
-default: deny
-expire_after: 30min
-max_actions: 100
-```
-
-Read calendar, list emails, summarize threads — allowed. Delete, forward, change settings — blocked.
-
-### 3. CRM Data Entry Bot
+Every `leash.task()` call is policy-checked, audited, and budgeted.
 
-**The fear:** Your bot updates Salesforce records from your email threads. But what if it bulk-deletes contacts, exports your pipeline, or modifies deal values?
-
-**With leashed:**
-
-```yaml
-agent: crm-updater
-rules:
-  allow:
-    - "read*"
-    - "update*"
-    - "list*"
-    - "search*"
-  deny:
-    - "*delete*"
-    - "*export*"
-    - "*bulk*"
-    - "*admin*"
-    - "*billing*"
-default: deny
-expire_after: 45min
-max_actions: 200
-```
-
-Read records, update fields, search contacts — allowed. Bulk-delete, export pipeline, admin changes — blocked.
-
----
-
-## AI got hands. We control the grip.
-
-Think of a crane operator. The brain decides what to move — but the joystick decides how far the arm can reach. **leashed is the joystick between the AI agent and your accounts.**
-
-### Without leashed
-
-```mermaid
-flowchart LR
-    A["🤖 AI Agent<br/><i>the brain</i>"]
-    B["📧 Your Accounts<br/><i>LinkedIn, Gmail, CRM</i>"]
-
-    A -- "🔴 your password<br/>full access" --> B
-
-    style A fill:#fef2f2,stroke:#fca5a5,color:#991b1b
-    style B fill:#fef2f2,stroke:#fca5a5,color:#991b1b
-```
-
-> **The agent IS you.** Full access. No limits. No off switch.
-
-### With leashed
-
-```mermaid
-flowchart LR
-    A["🤖 AI Agent<br/><i>the brain</i>"]
-    S["🛡️ leashed<br/><i>the joystick</i>"]
-    B["📧 Your Accounts<br/><i>LinkedIn, Gmail, CRM</i>"]
-
-    A -- "requests action" --> S
-    S -- "🟢 scoped access" --> B
-
-    style A fill:#f0fdf4,stroke:#86efac,color:#166534
-    style S fill:#ede9fc,stroke:#6d5bd0,color:#6d5bd0
-    style B fill:#f0fdf4,stroke:#86efac,color:#166534
-```
-
-> **The agent works through controlled arms.** You decide what moves.
-
-| | |
-|---|---|
-| ✅ read inbox | ✅ list messages |
-| ❌ delete data | ❌ export contacts |
-| ⏱️ 60 min limit | 🔢 50 actions max |
-
-> *A crane operator doesn't carry the steel himself. He moves joysticks that control arms — limited to a work zone, every movement tracked, with an emergency stop within reach. That's what leashed does for AI agents.*
-
-### Three layers of protection
+## How It Works
 
 1. **Credential isolation** — your password stays in an isolated cloud browser. The agent gets a pre-authenticated session, never the credentials themselves.
 2. **Scoped boundaries** — tasks that don't match your policy are blocked before they start. Deny-first pattern matching with Unicode bypass protection.
 3. **Audit + kill switch** — every action logged (allowed and blocked). Budget enforced. Session destruction when you're done.
 
 ## Security Model
 
-In security terms, leashed is **application-layer authz for AI agents** — it governs what agents are *authorized to do*, not who they are or what credentials they hold. Think of it like an AWS IAM policy that checks what you *request*, not what the underlying service *executes*.
+leashed is **application-layer authz for AI agents** — it governs what agents are *authorized to do*, not who they are or what credentials they hold.
 
-### What leashed enforces today (v0.1)
+### What leashed enforces
 
-| Layer | Enforced | How |
-|-------|----------|-----|
-| Task gating | Yes | Deny-first glob pattern matching on task strings |
-| Time + action budgets | Yes | Configurable expiration and action limits |
-| Credential isolation | Yes | Passwords stay in AnchorBrowser's isolated session, never exposed to the agent |
-| Session destruction | Yes | `leash.yank()` destroys the cloud browser session |
-| Audit trail | Yes | Every task request (allowed + blocked) logged to JSONL |
-| Unicode bypass protection | Yes | Strips zero-width chars, combining marks, BiDi controls |
+| Layer | How |
+|-------|-----|
+| Task gating | Deny-first glob pattern matching on task strings |
+| Time + action budgets | Configurable expiration and action limits |
+| Credential isolation | Passwords stay in AnchorBrowser's isolated session |
+| Session destruction | `leash.yank()` destroys the cloud browser session |
+| Audit trail | Every task request (allowed + blocked) logged to JSONL |
+| Unicode bypass protection | Strips zero-width chars, combining marks, BiDi controls |
 
-### What leashed does NOT enforce (yet)
+### What leashed does NOT enforce
 
-| Layer | Status | Why |
-|-------|--------|-----|
-| Browser action validation | Roadmap (v1.0) | AnchorBrowser executes tasks autonomously — leashed has no visibility into actual browser clicks/navigation |
-| URL/domain restrictions | Roadmap (v1.0) | Requires AnchorBrowser session-level allowlists (not yet available in their SDK) |
-| Semantic equivalence | By design | `"forward email"` and `"send email to myself"` are different strings — glob patterns match literally, not semantically |
+| Layer | Why |
+|-------|-----|
+| Browser action validation | AnchorBrowser executes tasks autonomously — leashed gates the request, not the execution |
+| URL/domain restrictions | Requires AnchorBrowser session-level allowlists (roadmap) |
+| Semantic equivalence | `"forward email"` and `"send email to myself"` are different strings — patterns match literally |
 
-### The honest version
+**The honest version:** leashed is a seatbelt, not a cage. It stops the 95% of accidents from misconfiguration, scope creep, and unintended actions. A deliberately adversarial agent that lies about what it's doing can bypass pattern matching. For defense-in-depth, see [SECURITY.md](./SECURITY.md).
 
-The policy engine checks the **task description string** — the human-readable instruction you pass to `leash.task()`. If the string matches a deny pattern, it never reaches the browser. If it's allowed, AnchorBrowser's AI executes it autonomously.
+## CLI
 
-This means: a well-intentioned agent that uses descriptive task names gets real governance. A deliberately adversarial agent that lies about what it's doing can bypass pattern matching — just like a developer with an IAM read-only key could name their Lambda "ReadOnlyFunction" while it actually writes to S3.
+```bash
+npx leashed status   # Agent: my-sales-bot | Allowed: 23 | Blocked: 3
+npx leashed audit    # Full audit trail
+npx leashed yank     # Kill switch — destroy session immediately
+```
 
-**leashed is a seatbelt, not a cage.** It stops the 95% of accidents that come from misconfiguration, scope creep, and unintended actions. It does not stop a determined attacker with direct API access.
+## API
 
-For defense-in-depth, see [SECURITY.md](./SECURITY.md).
+[Full API reference, policy examples, and audit log format →](./docs/API.md)
 
-## CLI
+## Development
 
 ```bash
-npx leashed status   # Agent: my-openclaw-sales-bot | Allowed: 23 | Blocked: 3
-npx leashed audit    # Full audit trail
-npx leashed yank     # Kill switch — destroy session immediately
+git clone https://github.com/dormstern/leashed.git
+cd leashed
+npm install
+npm run build
+npm test
 ```
 
-[Full API reference & policy examples →](./docs/API.md)
+Tests run against mocked AnchorBrowser sessions — no API key needed for development. CI runs on Node 18, 20, and 22.
 
 ## Roadmap
 
-leashed is v0.1 — the governance primitives. Here's what's coming:
-
-### v0.2 — Output Scanning
+### v0.3 — Output Scanning (current)
 - Post-execution validation: scan AnchorBrowser output for policy-violating content
-- Domain hints in policy: `domains: [linkedin.com]` for documentation and audit enrichment
-- Structured output schemas for safer result parsing
+- Domain hints in policy for audit enrichment
+- Structured output schemas
 
-### v1.0 — Session-Level Enforcement (with AnchorBrowser)
-- URL allowlists at the session level — the browser itself refuses to navigate outside your policy
-- Browser action audit trail — not just task requests, but actual clicks, form fills, and navigation
+### v1.0 — Session-Level Enforcement
+- URL allowlists enforced at the browser level
+- Browser action audit trail (clicks, form fills, navigation)
 - Webhook callbacks for real-time policy violation alerts
-- This is the "IAM enforcement" layer — restrictions enforced by the infrastructure, not just the intent
 
-Want to help shape v1.0? [Open an issue](https://github.com/dormstern/leashed/issues) or reach out.
+[Open an issue](https://github.com/dormstern/leashed/issues) or see [CONTRIBUTING.md](./CONTRIBUTING.md) to help shape v1.0.
 
 ## Empowered by AnchorBrowser
 
-leashed runs on [AnchorBrowser](https://anchorbrowser.io) — ephemeral, hardened cloud browser sessions purpose-built for AI agents. Each session is isolated, auto-expires, and leaves no trace. [Cloudflare](https://cloudflare.com) verified bot partner. SOC2 Type 2 and ISO27001 certified. Trusted by [Google](https://google.com), [Coinbase](https://coinbase.com), and [Composio](https://composio.dev). Stealth proxies, CAPTCHA solving, anti-fingerprinting, and full session isolation out of the box.
+leashed runs on [AnchorBrowser](https://anchorbrowser.io) — ephemeral, hardened cloud browser sessions for AI agents. SOC2 Type 2, ISO27001 certified. Trusted by Google, Coinbase, and Groq.
 
 AnchorBrowser handles the browser. leashed handles the rules.
 
-[Get an API key →](https://anchorbrowser.io)
-
-## Why This Exists
-
-[Behalf](https://behalf.work) already powers safe delegation for humans — scoped sessions, audit trails, and instant revocation for people who delegate work through their accounts. We built the trust infrastructure, battle-tested it, and realized: **agents need the exact same thing.**
-
-42,000 live credentials leaked from AI agent workflows. The community's best workaround is buying a separate Mac Mini. That's not security — that's surrender.
-
-So we open-sourced the engine. `leashed` gives agents what they should have had from the start: **a policy file, an audit log, and a kill switch.** The same trust model that protects human delegation — now available for every agent operator.
+## Contributing
 
-Half the access. All the work done.
+See [CONTRIBUTING.md](./CONTRIBUTING.md) for development setup, coding standards, and how to submit changes.
 
 ## License