Documentation

Everything you need to install, configure, and understand Intracept.

Overview

Intracept is a desktop application (Tauri) and CLI hook that intercepts commands executed by AI coding agents — Claude Code, Cursor, and Codex. It translates each command to plain English using a local registry of 100,000+ command patterns, then enforces policy (allow, deny, or require approval) before the command reaches the shell. No LLM, no network calls, sub-millisecond latency. macOS only.

Installation

Intracept is distributed as a macOS cask via Homebrew. Requires macOS 12+.

$ brew tap laurenalexander2/tap
$ brew install --cask intracept

Then register the hook for your agent:

# Claude Code
$ intracept install --agent claude-code

# Cursor
$ intracept install --agent cursor

# Codex
$ intracept install --agent codex

That's it. Intracept is now active. Every command your agent runs will be intercepted, translated, and policy-checked before execution.

How it works

Intracept sits between the AI agent and the shell. The integration mechanism differs per agent:

Claude CodePreToolUse hookRegistered via hooks/ directory. Claude Code calls the hook binary before every Bash tool invocation. Intracept returns allow, deny, or require_approval with a translated description.

CursorShell wrapperIntracept installs a shell wrapper that intercepts commands before they execute. Integrated via Cursor's terminal hooks configuration.

CodexShell wrapperSame shell wrapper approach. Intracept intercepts the exec layer before commands reach the OS.

When a command is intercepted, the engine performs two operations in sequence:

Registry lookup — match the command against the local translation database to produce a plain-English description
Policy check — evaluate the command against your policy rules to determine the verdict (allow, deny, or require_approval)

Configuration

Policy is defined in a TOML file at ~/.intracept/policy.toml. This file controls which commands are allowed, denied, or require approval.

# ~/.intracept/policy.toml

# Default verdict for commands not matching any rule
default_verdict = "allow"

# Rules are evaluated top-to-bottom; first match wins
[[rules]]
tags = ["destructive", "force-push"]
verdict = "deny"
rationale = "Force pushes are never allowed"

[[rules]]
tags = ["network", "exfiltration"]
verdict = "require_approval"
rationale = "Network access needs human review"

[[rules]]
tags = ["filesystem", "write"]
verdict = "allow"

[[rules]]
tools = ["rm", "chmod", "chown"]
flags = ["--recursive", "-rf"]
verdict = "require_approval"
rationale = "Recursive destructive ops need review"

Verdicts:

allow — command executes silently, translation shown inline
deny — command is blocked, agent receives rejection
require_approval — execution pauses, human sees translation and chooses to run or cancel

Tags are semantic labels attached to registry entries (e.g., destructive, network, filesystem, privileged). Policy rules match on tags rather than raw command strings, making them composable and maintainable.

Registry

The Intracept Registry is the local database that powers command translation. It ships with the app and is structured as follows:

1,244

CLI tools

3,800+

flag definitions

100,000+

composable translations

Each registry entry contains:

Tool — the CLI binary (e.g., git, docker, kubectl)
Subcommand — the action (e.g., push, run, delete)
Flags — each flag with its own translation fragment
Tags — semantic labels for policy matching
Translation template — composable sentence built from matched components

Translations are composed deterministically: the engine matches the tool, subcommand, and each flag, then assembles the fragments into a complete English sentence. No generative AI involved.

# Example: git push --force --no-verify origin main
#
# Registry match:
#   tool: git
#   subcommand: push ("Upload local commits to a remote branch")
#   flag: --force ("overwriting its history")
#   flag: --no-verify ("skipping all pre-push hooks")
#   args: origin main
#
# Composed translation:
#   "Force-upload local commits to origin/main,
#    overwriting its history and skipping all pre-push hooks."

Architecture

The system is a single binary that handles hook invocations, registry lookup, and policy evaluation in one process. Here is the data flow:

┌─────────────────────────────────────────────────────────────────┐
│                        AI Agent                                  │
│            (Claude Code / Cursor / Codex)                        │
└──────────────────────────┬──────────────────────────────────────┘
                           │ command
                           ▼
┌──────────────────────────────────────────────────────────────────┐
│                     Intracept Hook                                │
│          (PreToolUse hook / shell wrapper)                        │
└──────────────────────────┬───────────────────────────────────────┘
                           │ raw command string
                           ▼
┌──────────────────────────────────────────────────────────────────┐
│                   Intracept Engine                                │
│                                                                  │
│   ┌────────────────────┐     ┌─────────────────────────┐        │
│   │  Registry Lookup   │────▶│    Policy Evaluation    │        │
│   │                    │     │                         │        │
│   │  • Parse command   │     │  • Match tags/tools     │        │
│   │  • Match tool      │     │  • Apply rules          │        │
│   │  • Match flags     │     │  • Determine verdict    │        │
│   │  • Compose text    │     │                         │        │
│   └────────────────────┘     └────────────┬────────────┘        │
│                                           │                      │
└───────────────────────────────────────────┼──────────────────────┘
                                            │
                           ┌────────────────┼────────────────┐
                           ▼                ▼                ▼
                    ┌───────────┐   ┌──────────────┐   ┌─────────┐
                    │   allow   │   │require_approval│  │  deny   │
                    │           │   │              │   │         │
                    │ execute + │   │ show human   │   │ block + │
                    │ show      │   │ translation  │   │ notify  │
                    │ translation│  │ + wait       │   │ agent   │
                    └───────────┘   └──────────────┘   └─────────┘

Key properties: the engine runs locally as a single process, has no network dependencies, completes in under 1ms for typical commands, and persists no state between invocations.

Privacy

Intracept is designed to be fully local:

No telemetry — no usage data, analytics, or crash reports are collected
No network calls — the binary never opens a socket; all lookups are against the local registry
No data leaves your machine — commands, translations, and policy decisions stay on disk
No LLM — translations are deterministic pattern matches, not generated text
No account required — install and use without signing up for anything

Uninstall

Remove the hook registration first, then uninstall the app:

# Remove hook for your agent
$ intracept uninstall --agent claude-code
$ intracept uninstall --agent cursor
$ intracept uninstall --agent codex

# Remove the application
$ brew uninstall --cask intracept

# (Optional) Remove configuration
$ rm -rf ~/.intracept

Uninstalling the hook restores your agent to its default behavior immediately.