safe
safe is a local security layer for package managers and external binaries.
It combines three tools:
- safe-run: sandboxed package execution for npx, bunx, uvx, and pipx-style workflows.
- safe-audit: dependency, SBOM, release, binary, vulnerability, and IOC checks across local and SSH-accessible machines.
- install wrappers: zsh functions that guard persistent package-manager installs before the real command runs.
The repo installs a top-level safe dispatcher, direct component binaries, one config tree under ~/.config/safe, one data tree under ~/.local/share/safe, and one zsh completion file.
Start Here
Clone, inspect, scan, then install:
git clone <repo-url> safe
cd safe
safe audit scan --project .
bash install.sh
If safe is not already available on the machine, run equivalent local scanners
before installing. The project is part of the same zero-trust model it enforces.
Check local readiness:
safe doctor
safe status
Run a package in a sandbox:
safe run repomix@latest -- --help
Scan the current project:
safe audit scan --project .
Guard persistent package installs:
source "$HOME/.config/safe/install-wrappers.zsh"
npm install express
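An added example (not the code in install-wrappers.zsh) of how a shell function can gate an install before the real command runs. The names guard, install_specs and pkg_check are hypothetical, and pkg_check's exact-version rule is an assumed stand-in for a real package check.

```shell
# Added illustration; not the wrappers shipped by safe.
# pkg_check is a hypothetical policy hook. Here it only accepts specs that
# carry an explicit numeric version (name@1.2.3); a real wrapper would call
# an audit tool at this point instead.
pkg_check() {
  case "$1" in
    *@[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the package specs of an install command line, one per line.
# Flags are skipped; non-install subcommands produce no output.
# A flag's separate value (e.g. a URL after --registry) is treated as a
# spec and will fail pkg_check, so the guard fails closed.
install_specs() {
  local arg
  case "$1" in
    install|i|add) shift ;;
    *) return 0 ;;
  esac
  for arg in "$@"; do
    case "$arg" in
      -*) ;;
      *) printf '%s\n' "$arg" ;;
    esac
  done
}

# guard MANAGER ARGS...: check every spec, then hand off to the real binary.
guard() {
  local mgr="$1" spec
  shift
  for spec in $(install_specs "$@"); do
    if ! pkg_check "$spec"; then
      printf 'blocked: %s %s (check failed for %s)\n' "$mgr" "$*" "$spec" >&2
      return 1
    fi
  done
  command "$mgr" "$@"   # `command` skips the shadowing function below
}

# Shadow the package manager so interactive installs pass through the guard.
npm() { guard npm "$@"; }
```

Because the shadowing only exists in shells that sourced the function, scripts and other shells that call the package manager directly are not covered by a wrapper like this.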
Main Safety Idea
Unknown package code should not get host access by default. safe prefers sandboxed execution, explicit pinned host allowlists, package checks before install, and auditable records of decisions.
For release binaries, safe-audit separates source/release review, checksum or Sigstore verification, and networkless binary smoke execution.