Runtime governance and observability for agents.
Policy enforcement and real-time observability for every agent you run. Every tool call governed, every session recorded, every action traceable.
One policy, every agent.
Write one policy. Latch enforces it across every agent. Per-session scoping lets you lock down production repos while keeping prototyping permissive. Tool-level control. Glob-based file blocking. A local authorization server evaluates every call before it runs.
See everything.
Every tool call classified by risk and recorded with its policy decision. Real-time activity feed. Full conversation replay with inline code diffs and token cost breakdowns. Z-score anomaly detection flags volume spikes and novel tool usage.
Isolation by default.
Each session gets its own git worktree and branch. Ten agents, one repo, zero conflicts. A local egress proxy gates all network traffic with domain allowlists and credential injection. Docker, macOS Seatbelt, or Linux Bubblewrap sandboxes.
Your agent calls a tool. Latch decides if it runs.
Your agents run in real PTY shells. When one calls a tool, the request hits a local authorization server first. Eight evaluation layers: rate limiting, permission flags, tool rules, MCP rules, command rules, blocked globs, destructive action confirmation, and an LLM evaluator for ambiguous cases.
First deny wins. Millisecond latency. The agent gets faster, safer answers without knowing the difference.
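A minimal first-deny-wins evaluator, added here as an illustration and not Latch's engine or rule format: five of the eight layers (rate limit, tool rules, blocked globs, command rules, destructive confirmation) run in a fixed order, and the first layer that denies ends the evaluation. The `ToolCall` and `Policy` shapes are assumptions for the example.

```python
import fnmatch
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class ToolCall:               # assumed shape, not Latch's wire format
    tool: str                 # e.g. "Read", "Write", "Bash"
    path: str = ""            # file path the call touches, if any
    command: str = ""         # shell command, if any

@dataclass
class Policy:                 # assumed shape, not Latch's policy schema
    rate_limit: int = 100                        # max calls per window
    window_seconds: int = 60
    allowed_tools: Set[str] = field(default_factory=set)
    blocked_globs: List[str] = field(default_factory=list)         # fnmatch: '*' also matches '/'
    denied_commands: List[str] = field(default_factory=list)       # prefixes that are always denied
    destructive_commands: List[str] = field(default_factory=list)  # prefixes that need confirmation

class Evaluator:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.recent: List[float] = []   # timestamps of calls seen inside the window

    def evaluate(self, call: ToolCall, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (decision, layer). Layers run in a fixed order and the
        first one that denies ends evaluation (first deny wins)."""
        p, now = self.policy, (time.time() if now is None else now)
        # Layer 1: rate limiting. Denied calls still count toward the window.
        self.recent = [t for t in self.recent if t > now - p.window_seconds]
        if len(self.recent) >= p.rate_limit:
            return "deny", "rate_limit"
        self.recent.append(now)
        # Layer 2: tool rules. Anything not explicitly allowed is denied.
        if call.tool not in p.allowed_tools:
            return "deny", "tool_rules"
        # Layer 3: blocked globs on the file path.
        if call.path and any(fnmatch.fnmatch(call.path, g) for g in p.blocked_globs):
            return "deny", "blocked_globs"
        # Layer 4: command rules on the shell command.
        if call.command and any(call.command.startswith(c) for c in p.denied_commands):
            return "deny", "command_rules"
        # Layer 5: destructive actions are held for human confirmation rather than denied.
        if call.command and any(call.command.startswith(c) for c in p.destructive_commands):
            return "confirm", "destructive_confirmation"
        return "allow", "default"
```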
Egress proxy and process sandbox.
A local HTTP proxy becomes the agent's only network exit. Every request logged. Unknown domains blocked. Credentials injected at the proxy layer, never in the environment. Data tier enforcement classifies services as public, internal, confidential, or restricted.
The agent shell runs in a kernel-enforced sandbox. Three backends auto-detected: Docker, macOS Seatbelt, or Linux Bubblewrap. Add service credentials mid-session without restarting.
Service catalog and secret injection.
Configure services in the catalog. Latch injects the right credentials into each session as environment variables. The agent gets GITHUB_TOKEN and ANTHROPIC_API_KEY without seeing raw values in prompts or logs.
14 pre-configured integrations. 1Password references resolved at runtime via the CLI. Local secrets encrypted with Electron's safeStorage (OS keychain). Per-session scoping controls which services each agent can access.
Full playback. Every turn, every diff.
Structured conversations with tool calls, file diffs, and policy decisions inline. Click any turn to see exactly what changed and what it cost.
Git-based checkpoints after every file write. Fork or rewind to any point. Token usage and cost breakdowns per turn. Export to JSON for external analysis.
Z-score anomaly detection.
Radar runs z-score analysis against a rolling window of your agent's behavior. Traffic volume spikes 4x. An agent touches a tool it's never used. Deny rate jumps from 2% to 23%. Checks run every 30 seconds and after every 10 events.
The baseline adapts as patterns change. Five signal types: volume spikes, novel tool access, error rate surges, denial rate changes, and high-risk activity bursts.
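Three of the five signals (volume spike, denial rate change, novel tool access) computed with rolling-window z-scores, as an added example that is not Radar's implementation. It assumes events are bucketed into fixed-interval windows and that `history` holds only the most recent windows, which is what makes the baseline adapt; the event shape and the 3-sigma threshold are assumptions.

```python
import statistics
from typing import Dict, List, Tuple

def z_score(value: float, history: List[float]) -> float:
    """How many standard deviations `value` sits from the window's mean.
    Returns 0 when the baseline has no spread or fewer than two samples."""
    if len(history) < 2:
        return 0.0
    sd = statistics.pstdev(history)
    return 0.0 if sd == 0 else (value - statistics.fmean(history)) / sd

def deny_rate(window: List[Dict]) -> float:
    return sum(e["decision"] == "deny" for e in window) / max(len(window), 1)

def analyze(history: List[List[Dict]], current: List[Dict], threshold: float = 3.0) -> List[Tuple]:
    """history: the most recent past windows (oldest dropped as new ones arrive),
    each a list of events {"tool": str, "decision": "allow" | "deny"};
    current: the window that just closed. Returns the triggered signals in order."""
    signals = []
    # Volume spike: event count in this window versus the baseline of past counts.
    zv = z_score(len(current), [len(w) for w in history])
    if zv > threshold:
        signals.append(("volume_spike", round(zv, 1)))
    # Denial rate change: share of denied calls versus the baseline share.
    zd = z_score(deny_rate(current), [deny_rate(w) for w in history])
    if zd > threshold:
        signals.append(("deny_rate_change", round(zd, 1)))
    # Novel tool access: any tool never seen in the baseline windows.
    seen = {e["tool"] for w in history for e in w}
    novel = sorted({e["tool"] for e in current} - seen)
    if novel:
        signals.append(("novel_tool_access", novel))
    return signals

def build_window(n: int, denies: int, tool: str) -> List[Dict]:
    """Constructed sample window: n events on one tool, the first `denies` of them denied."""
    return [{"tool": tool, "decision": "deny" if i < denies else "allow"} for i in range(n)]
```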
Ed25519-signed session receipts.
  {
    "session_id": "sess_a3f8b2c1",
    "policy_hash": "sha256:e4d909c290b0fb...",
    "harness": "claude-code",
    "branch": "latch/auth-flow-a3f8",
    "services": ["github.com", "registry.npmjs.org"],
    "tool_calls": 142,
    "denied": 3,
    "merkle_root": "sha256:7f1a92d4e8...",
    "signature": "ed25519:Kx9mP2qRvN...",
    "pr": "#847"
  }
When a session ends, Latch generates an Ed25519-signed receipt. Policy hash, Merkle root of the audit log, full activity summary, sandbox type, and a cryptographic signature over all of it.
Paste a GitHub PR URL and Latch posts the receipt as a PR comment. Inclusion proofs let you verify individual events against the Merkle tree.
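How a Merkle root over the audit log and a per-event inclusion proof fit together, as an added example that is not Latch's code: the leaf encoding, the carry-up handling of an odd node, and the domain-separated leaf/node prefixes (so an inner node can never be presented as a leaf) are all assumptions. The Ed25519 signature over the finished receipt is left to a signing library and not shown.

```python
import hashlib
import json
from typing import Dict, List, Tuple

LEAF, NODE = b"\x00", b"\x01"   # domain separation: a leaf hash can never double as an inner node

def leaf_hash(event: Dict) -> bytes:
    """Canonical JSON so the same event always hashes the same way."""
    data = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(LEAF + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE + left + right).digest()

def _next_level(level: List[bytes]) -> List[bytes]:
    """Pair up neighbours; an unpaired last node is carried up unchanged."""
    nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])
    return nxt

def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves) or [hashlib.sha256(LEAF).digest()]   # empty-log sentinel
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if not (len(level) % 2 and index == len(level) - 1):   # carried-up node has no sibling
            sib = index ^ 1
            proof.append(("L" if sib < index else "R", level[sib]))
        level, index = _next_level(level), index // 2
    return proof

def verify_inclusion(event: Dict, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    """Recompute the path from the event to the root; any edit to the event fails."""
    h = leaf_hash(event)
    for side, sib in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root

def build_receipt(session_id: str, events: List[Dict]) -> Dict:
    """The unsigned part of a receipt; the Ed25519 signature would cover this dict."""
    leaves = [leaf_hash(e) for e in events]
    return {"session_id": session_id, "tool_calls": len(events),
            "denied": sum(e["decision"] == "deny" for e in events),
            "merkle_root": "sha256:" + merkle_root(leaves).hex()}
```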
Register once, sync everywhere.
Register your MCP servers and skills once. When a session starts, Latch writes the right config for your harness. Claude Code, Codex, Cursor, Amp, Gemini, Kiro, Windsurf. Secrets resolved at runtime. Credentials never touch disk.
Target specific harnesses or broadcast to all. Introspect tools from any registered MCP server. Skill files tell the agent what services are available and under what constraints.
Everything else.
Session isolation
Dedicated git worktree per session on its own branch. Ten agents in parallel, separate policies, independent logs, zero conflicts. Name sessions, set goals, pause and resume.
Conversation replay
Turn-by-turn timeline with inline code diffs. Git checkpoints after every file write. Fork or rollback to any point. Token usage and cost breakdowns per turn.
Budget enforcement
Per-session token and cost limits. Daily project budgets. Real-time tracking in the topbar. Warnings at 80%, hard stops at 100%.
Issue tracking
Pull GitHub and Linear issues into Latch. Start a session from an issue. Update status when the agent finishes.
Service catalog
14 pre-configured integrations: GitHub, npm, OpenAI, Anthropic, Vercel, Slack, Linear, Groq, and more. Per-session scoping.
1Password
Reference op://vault/item/field URIs. Resolved at runtime via the 1Password CLI. Keys never touch the database. Local secrets use OS keychain.
Multi-harness
Claude Code, Codex, OpenCode in one app. Unified sessions. Consistent policy enforcement. Tab-based multi-agent.
Real PTY shells
Native pseudo-terminals. Your agent runs in the same environment as your normal terminal. Governance layered on top.
Leak detection
Entropy analysis and pattern matching catch AWS keys, GitHub tokens, and private keys before they leave the session.