Halting
Halting reviews every AI-suggested command or code snippet before it runs — giving you a plain-English risk summary and a risk level so you can make an informed decision.
How it works
Automatic command analysis (hooks)
Once set up, Halting intercepts shell commands that your AI coding assistant tries to run and shows you a risk analysis before it executes:
🛑 Halting — Pre-flight Analysis
─────────────────────────────────────
⚠️ Risk: Warning
📋 This command installs packages from the npm registry and modifies node_modules/. It does not delete files or access the network beyond npm.
─────────────────────────────────────
Local rules layer
Before any command reaches the AI, it's checked against a local, offline rules layer: a denylist of unambiguously dangerous patterns (rm -rf /, fork bombs, piping remote scripts into a shell, etc.) that block immediately with no network call, and a conservative allowlist of read-only commands (ls, git status, pwd, …) that are allowed immediately, also with no network call. Only commands that fall through both lists — and commands flagged as obfuscated or referencing a sensitive path — get sent to the LLM, and a denylist/obfuscation verdict can never be overridden by what the model comes back with.
Automatic, blocking review is supported for:
| Assistant |
Support |
| Claude Code |
Full — installs into ~/.claude/settings.json, auto-blocks Dangerous commands |
| Cursor |
Full — installs a project-level .cursor/hooks.json, auto-blocks Dangerous commands |
| Windsurf |
Full — installs a project-level .windsurf/hooks.json, auto-blocks Dangerous commands |
| Antigravity |
Full — installs a project-level .agents/hooks.json, auto-blocks Dangerous commands |
| GitHub Copilot |
Not supported — Copilot's agent mode has no third-party API for blocking a command before it runs. |
Unlike Claude Code, Cursor/Windsurf/Antigravity have no field in their hook config for storing secrets — after installing their hooks you'll still need OPENROUTER_API_KEY set as a real environment variable (the setup command tells you how).
Getting started
Halting walks you through setup automatically on first launch:
- Get a free API key from openrouter.ai/keys
- Paste the key when prompted — it is stored securely in your system keychain, never in plain text
- Install hooks — run
Halting: Setup Hooks (Choose Tools)… and pick the assistant(s) you use
- Reload VS Code (or restart your assistant) — done
Commands
| Command |
Description |
Halting: Setup Hooks (Choose Tools)… |
Pick which assistant(s) to install hooks for |
Halting: Setup Claude Code Hooks |
Install hooks into Claude Code |
Halting: Setup Cursor Hooks |
Install hooks into Cursor (project-level) |
Halting: Setup Windsurf Hooks |
Install hooks into Windsurf (project-level) |
Halting: Setup Antigravity Hooks |
Install hooks into Antigravity (project-level) |
Halting: Set API Key |
Store or update your OpenRouter API key |
Halting: Reset Setup |
Clear stored key and re-run onboarding |
Requirements
Settings
| Setting |
Default |
Description |
halting.model |
anthropic/claude-haiku-4-5 |
OpenRouter model used for analysis |
halting.failMode |
open |
What happens when the AI risk analysis can't complete (timeout, network error, bad response): open allows with a loud warning, closed blocks. Local rules always apply regardless of this setting. |
halting.timeout |
5000 |
Milliseconds to wait for the AI risk analysis before treating it as failed and falling back to halting.failMode. |
halting.redactSecrets |
true |
Redact known secret formats (API keys, bearer tokens, export KEY=...) from a command before sending it to OpenRouter or writing it to the decision log. Best-effort, not a guarantee. |
Risk levels
| Level |
Meaning |
| ✅ Safe |
Command is read-only or low impact |
| ⚠️ Warning |
Command modifies files or installs packages — review before proceeding |
| 🚫 Dangerous |
Command deletes files, alters system config, or has high destructive potential |
Privacy
Commands that the local rules layer can't classify on its own are sent to OpenRouter for analysis — this can include file paths, arguments, and other command content. Read-only commands matched by the local allowlist (ls, git status, etc.) never leave your machine. Known secret formats are redacted before anything is sent, by default (halting.redactSecrets) — this is best-effort and won't catch every possible secret shape, so don't rely on it as a guarantee. Onboarding shows this notice explicitly and requires you to acknowledge it before setup finishes.
Your API key is stored in your OS keychain (Windows Credential Manager / macOS Keychain) and is never written to any settings file.
Every non-trivial decision (command, which rule or AI risk level decided it, and the action taken) is appended to ~/.claude/halting-decisions.log as JSON lines, regardless of which assistant triggered it — useful for auditing or tuning the rules layer.