aiskillstore/slb

SLB — Simultaneous Launch Button

A Go CLI that implements a two-person rule for running potentially destructive commands from AI coding agents. When an agent wants to run something risky (e.g., rm -rf, git push --force, kubectl delete, DROP TABLE), SLB requires peer review and explicit approval before execution.

Why This Exists

Coding agents can get tunnel vision, hallucinate, or misunderstand context. A second reviewer (ideally with a different model/tooling) catches mistakes before they become irreversible.

SLB is built for multi-agent workflows where many agent terminals run in parallel and a single bad command could destroy work, data, or infrastructure.

Critical Design: Client-Side Execution

Commands run in YOUR shell environment, not on a server. The daemon is a NOTARY (verifies approvals), not an executor. This means commands inherit:

• AWS_PROFILE, AWS_ACCESS_KEY_ID
• KUBECONFIG
• Activated virtualenvs
• SSH_AUTH_SOCK
• Database connection strings

Risk Tiers

| Tier | Approvals | Auto-approve | Examples | |------|-----------|--------------|----------| | CRITICAL | 2+ | Never | rm -rf /, DROP DATABASE, terraform destroy, git push --force | | DANGEROUS | 1 | Never | rm -rf ./build, git reset --hard, kubectl delete, DROP TABLE | | CAUTION | 0 | After 30s | rm file.txt, git branch -d, npm uninstall | | SAFE | 0 | Immediately | rm *.log, git stash, kubectl delete pod |

Quick Start

Installation

# One-liner
curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/slb/main/scripts/install.sh | bash

# Or with go install
go install github.com/Dicklesworthstone/slb/cmd/slb@latest

Initialize a Project

cd /path/to/project
slb init

Creates .slb/ directory with:

• state.db - SQLite database (source of truth)
• config.toml - Project configuration
• pending/ - JSON files for pending requests
• logs/ - Execution logs

Basic Workflow

# 1. Start a session (as an AI agent)
slb session start --agent "GreenLake" --program "claude-code" --model "opus"
# Returns: session_id and session_key

# 2. Run a dangerous command (blocks until approved)
slb run "rm -rf ./build" --reason "Clean build artifacts" --session-id <id>

# 3. Another agent reviews and approves
slb pending                    # See what's waiting
slb review <request-id>        # View full details
slb approve <request-id> --session-id <reviewer-id> --comment "Looks safe"

# 4. Original command executes automatically after approval

Commands Reference

Session Management

slb session start --agent <name> --program <prog> --model <model>
slb session end --session-id <id>
slb session resume --agent <name> --create-if-missing  # Resume after crash
slb session list                               # Show active sessions
slb session heartbeat --session-id <id>        # Keep session alive
slb session gc --threshold 2h                  # Clean stale sessions

Request & Run

# Primary command (atomic: check, request, wait, execute)
slb run "<command>" --reason "..." --session-id <id>

# Plumbing commands
slb request "<command>" --reason "..."         # Create request only
slb status <request-id> --wait                 # Check/wait for status
slb pending --all-projects                     # List pending requests
slb cancel <request-id>                        # Cancel own request

Review & Approve

slb review <request-id>                        # Show full details
slb approve <request-id> --session-id <id> --comment "..."
slb reject <request-id> --session-id <id> --reason "..."

Execution

slb execute <request-id>                       # Execute approved request
slb emergency-execute "<cmd>" --reason "..."   # Human override (logged)
slb rollback <request-id>                      # Rollback if captured

Pattern Management

slb patterns list --tier critical              # List patterns by tier
slb patterns test "<command>"                  # Check what tier a command gets
slb patterns add --tier dangerous "<pattern>"  # Add runtime pattern

Daemon & TUI

slb daemon start --foreground                  # Start background daemon
slb daemon stop                                # Stop daemon
slb daemon status                              # Check daemon status
slb tui                                        # Launch interactive TUI
slb watch --session-id <id> --json             # Stream events (NDJSON)

Claude Code Hook

slb hook install                               # Install PreToolUse hook
slb hook status                                # Check installation
slb hook test "<command>"                      # Test classification
slb hook uninstall                             # Remove hook

History & Audit

slb history --tier critical --status executed  # Filter history
slb history -q "rm -rf"                        # Full-text search
slb show <request-id> --with-reviews           # Detailed view
slb outcome record <request-id> --problems     # Record feedback
slb outcome stats                              # Execution statistics

Pattern Matching Engine

Classification Algorithm

1. Normalization: Commands are parsed with shell-aware tokenization

   • Strips wrapper prefixes: sudo, doas, env, time, nohup
   • Extracts inner commands from bash -c 'command'
   • Resolves paths: ./foo → /absolute/path/foo

2. Compound Command Handling: Commands with ;, &&, ||, | are split and each segment classified. Highest risk segment wins:

   echo "done" && rm -rf /etc    →  CRITICAL (rm -rf /etc wins)
   ls && git status              →  SAFE (no dangerous patterns)
   

3. Shell-Aware Splitting: Separators inside quotes preserved:

   psql -c "DELETE FROM users; DROP TABLE x;"  →  Single segment (SQL)
   echo "foo" && rm -rf /tmp                   →  Two segments
   

4. Pattern Precedence: SAFE → CRITICAL → DANGEROUS → CAUTION (first match wins)

5. Fail-Safe Parse Handling: If parsing fails, tier is upgraded by one level:

   • SAFE → CAUTION
   • CAUTION → DANGEROUS
   • DANGEROUS → CRITICAL

Default Patterns

CRITICAL (2+ approvals): rm -rf /..., DROP DATABASE/SCHEMA, TRUNCATE TABLE, terraform destroy, kubectl delete node/namespace/pv/pvc, git push --force, aws terminate-instances, dd ... of=/dev/

DANGEROUS (1 approval): rm -rf, git reset --hard, git clean -fd, kubectl delete, terraform destroy -target, DROP TABLE, chmod -R, chown -R

CAUTION (auto-approved after 30s): rm <file>, git stash drop, git branch -d, npm/pip uninstall

SAFE (skip review): rm *.log, rm *.tmp, git stash, kubectl delete pod, npm cache clean

Request Lifecycle

State Machine

                    ┌─────────────┐
                    │   PENDING   │
                    └──────┬──────┘
           ┌───────────────┼───────────────┐───────────────┐
           ▼               ▼               ▼               ▼
     ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
     │ APPROVED │    │ REJECTED │    │ CANCELLED│    │ TIMEOUT  │
     └────┬─────┘    └──────────┘    └──────────┘    └────┬─────┘
          │              (terminal)      (terminal)       │
          ▼                                               ▼
     ┌──────────┐                                   ┌──────────┐
     │EXECUTING │                                   │ESCALATED │
     └────┬─────┘                                   └──────────┘
          │
   ┌──────┴──────┬──────────┐
   ▼             ▼          ▼
┌────────┐  ┌─────────┐  ┌────────┐
│EXECUTED│  │EXEC_FAIL│  │TIMED_OUT│
└────────┘  └─────────┘  └────────┘
(terminal)   (terminal)   (terminal)

Approval TTL

• Standard requests: 30 minutes (configurable)
• CRITICAL requests: 10 minutes (stricter)

If approval expires before execution, re-approval required.

Execution Verification (5 Security Gates)

Before any command executes, five gates must pass:

| Gate | Check | |------|-------| | 1. Status | Request must be in APPROVED state | | 2. Expiry | Approval TTL must not have elapsed | | 3. Hash | SHA-256 hash of command must match (tamper detection) | | 4. Tier | Risk tier must still match (patterns may have changed) | | 5. First-Executor | Atomic claim prevents race conditions |

Dry Run & Rollback

Dry Run Pre-flight

For supported commands, SLB can run a dry-run variant first:

| Command | Dry-run variant | |---------|-----------------| | terraform apply | terraform plan | | kubectl apply | kubectl diff | | git push | git diff (show what would change) |

[general]
enable_dry_run = true

Rollback State Capture

Before executing, SLB can capture state:

[general]
enable_rollback_capture = true
max_rollback_size_mb = 100

Captured state includes:

• Filesystem: Tar archive of affected paths
• Git: HEAD commit, branch, dirty state, untracked files
• Kubernetes: YAML manifests of affected resources

slb rollback <request-id>           # Restore captured state
slb rollback <request-id> --force   # Force overwrite

Configuration

Configuration is hierarchical (lowest to highest priority):

1. Built-in defaults
2. User config (~/.slb/config.toml)
3. Project config (.slb/config.toml)
4. Environment variables (SLB_*)
5. Command-line flags

Example Configuration

[general]
min_approvals = 2
request_timeout = 1800              # 30 minutes
approval_ttl_minutes = 30
timeout_action = "escalate"         # or "auto_reject", "auto_approve_warn"
require_different_model = true      # Reviewer must use different AI model

[rate_limits]
max_pending_per_session = 5
max_requests_per_minute = 10

[notifications]
desktop_enabled = true
webhook_url = "https://slack.com/webhook/..."

[daemon]
tcp_addr = ""                       # For Docker/remote agents
tcp_require_auth = true

[agents]
trusted_self_approve = ["senior-agent"]
trusted_self_approve_delay_seconds = 300

Advanced Configuration

Cross-Project Reviews

[general]
cross_project_reviews = true
review_pool = ["agent-a", "agent-b", "human-reviewer"]

Conflict Resolution

[general]
conflict_resolution = "any_rejection_blocks"  # Default
# Options: any_rejection_blocks | first_wins | human_breaks_tie

Dynamic Quorum

[patterns.critical]
dynamic_quorum = true
dynamic_quorum_floor = 2    # Minimum approvals even with few reviewers

Daemon Architecture

IPC Communication

Unix domain sockets (project-specific):

/tmp/slb-<hash>.sock

JSON-RPC Protocol

All daemon communication uses JSON-RPC 2.0:

{"jsonrpc": "2.0", "method": "hook_query", "params": {"command": "rm -rf /"}, "id": 1}

Available methods: hook_query, hook_health, verify_execution, subscribe

TCP Mode (Docker/Remote)

[daemon]
tcp_addr = "0.0.0.0:9876"
tcp_require_auth = true
tcp_allowed_ips = ["192.168.1.0/24"]

Timeout Handling

| Action | Behavior | |--------|----------| | escalate | Transition to ESCALATED, notify humans (default) | | auto_reject | Automatically reject the request | | auto_approve_warn | Auto-approve CAUTION tier with warning |

Agent Event Streaming

slb watch provides real-time NDJSON event streaming:

slb watch --session-id <id>

{"type":"request_pending","request_id":"abc123","tier":"dangerous","command":"rm -rf ./build","ts":"..."}
{"type":"request_approved","request_id":"abc123","reviewer":"BlueLake","ts":"..."}
{"type":"request_executed","request_id":"abc123","exit_code":0,"ts":"..."}

Event types: request_pending, request_approved, request_rejected, request_executed, request_timeout, request_cancelled

Auto-Approve Mode (for reviewer agents)

slb watch --session-id <id> --auto-approve-caution

Request Attachments

Provide context for reviewers:

# Attach file
slb request "DROP TABLE users" --reason "..." --attach ./schema.sql

# Attach screenshot
slb request "kubectl delete deployment" --reason "..." --attach ./dashboard.png

# Attach command output
slb request "terraform destroy" --reason "..." --attach-cmd "terraform plan -destroy"

Emergency Override

For true emergencies, humans can bypass with extensive logging:

# Interactive (prompts for confirmation)
slb emergency-execute "rm -rf /tmp/broken" --reason "System emergency: disk full"

# Non-interactive (requires hash acknowledgment)
HASH=$(echo -n "rm -rf /tmp/broken" | sha256sum | cut -d' ' -f1)
slb emergency-execute "rm -rf /tmp/broken" --reason "Emergency" --yes --ack $HASH

Safeguards: Mandatory reason, hash acknowledgment, extensive logging, optional rollback capture.

Outcome Tracking

Record execution feedback to improve pattern classification:

slb outcome record <request-id>                          # Success
slb outcome record <request-id> --problems --description "Deleted wrong files"
slb outcome stats                                        # Statistics

TUI Dashboard

slb tui

┌─────────────────────────────────────────────────────────────────────┐
│  SLB Dashboard                                                       │
├─────────────────┬───────────────────────────────────────────────────┤
│  AGENTS         │  PENDING REQUESTS                                  │
│  ───────        │  ────────────────                                  │
│▸ GreenLake      │▸ abc123 CRITICAL rm -rf /etc      BlueLake 2m     │
│  BlueLake       │  def456 DANGEROUS git reset --hard GreenLake 5m   │
├─────────────────┴───────────────────────────────────────────────────┤
│  ACTIVITY                                                            │
│  10:30:15 GreenLake approved abc123                                  │
│  10:28:42 BlueLake requested def456 (DANGEROUS)                      │
└─────────────────────────────────────────────────────────────────────┘

Keys: Tab (cycle panels), ↑/↓ (navigate), Enter (view), a (approve), r (reject), q (quit)

Claude Code Hook Integration

# Install hook
slb hook install

# Hook actions returned to Claude Code:
# - allow: Command proceeds
# - ask: User prompted (CAUTION tier)
# - block: Blocked with message to use `slb request`

Generate IDE integrations:

slb integrations claude-hooks > ~/.claude/hooks.json
slb integrations cursor-rules > .cursorrules

Security Design Principles

Defense in Depth (6 layers)

1. Pattern-based classification
2. Peer review requirement
3. Command hash binding (SHA-256)
4. Approval TTL
5. Execution verification gates
6. Audit logging

Cryptographic Guarantees

• Command binding: SHA-256 hash verified at execution
• Review signatures: HMAC using session keys
• Session keys: Generated per-session, never stored in plaintext

Fail-Closed Behavior

• Daemon unreachable → Block dangerous commands (hook)
• Parse error → Upgrade tier by one level
• Approval expired → Require new approval
• Hash mismatch → Reject execution

Exit Codes

| Code | Meaning | |------|---------| | 0 | Success | | 1 | General error | | 2 | Invalid arguments | | 3 | Request not found | | 4 | Permission denied | | 5 | Timeout | | 6 | Rate limited |

Environment Variables

| Variable | Description | |----------|-------------| | SLB_MIN_APPROVALS | Minimum approval count | | SLB_REQUEST_TIMEOUT | Request timeout in seconds | | SLB_TIMEOUT_ACTION | What to do on timeout | | SLB_DESKTOP_NOTIFICATIONS | Enable desktop notifications | | SLB_WEBHOOK_URL | Webhook notification URL | | SLB_DAEMON_TCP_ADDR | TCP listen address | | SLB_TRUSTED_SELF_APPROVE | Comma-separated trusted agents |

Troubleshooting

"Daemon not running" warning

SLB works without daemon (file-based polling). Start for real-time:

slb daemon start

"Active session already exists"

slb session resume --agent "YourAgent" --create-if-missing

Approval expired

Re-request:

slb run "<command>" --reason "..."

Command hash mismatch

Command was modified after approval. Re-request for the modified command.

Safety Note

SLB adds friction and peer review for dangerous actions. It does NOT replace:

• Least-privilege credentials
• Environment safeguards
• Proper access controls
• Backup strategies

Use SLB as defense in depth, not your only protection.

Integration with Flywheel

| Tool | Integration | |------|-------------| | Agent Mail | Notify reviewers via inbox; track audit trails | | BV | Track SLB requests as beads | | CASS | Search past SLB decisions across sessions | | DCG | DCG blocks automatically; SLB adds peer review layer | | NTM | Coordinate review across agent terminals |