Note: Currently supports macOS (Apple Silicon / ARM64) only.
Intelligent command validation and context persistence for coding agents. CLX supports Claude Code, Codex CLI, and Cursor (see Supported Hosts for what each host can and cannot enforce).
-
Command Validation - Two-layer validation system:
- Layer 0: Fast deterministic whitelist/blacklist rules (~1ms)
- Layer 1: LLM-based risk assessment via Ollama (~100-300ms)
-
Context Persistence - SQLite-based storage with semantic search:
- Automatic snapshots before context compression
- Vector embeddings for semantic recall
- Session history and analytics
-
Auto-Recall - Automatic context injection on every prompt:
- Hybrid search: semantic (sqlite-vec) + FTS5 full-text
- Relevant past sessions injected as
additionalContext - Configurable thresholds, timeouts, and result limits
- Graceful degradation: Ollama down β FTS5 fallback β orchestrator-only
-
User Learning - Adapts to your workflow:
- Tracks approved/denied commands
- Auto-generates rules based on usage patterns
-
MCP Tools - the host agent can access (Claude Code, Codex CLI, Cursor):
clx_recall- Search historical contextclx_remember- Explicitly save informationclx_checkpoint- Create manual snapshotsclx_rules- Manage validation rulesclx_session_info- Get current session detailsclx_credentials- Manage stored provider credentialsclx_stats- Report usage and storage statistics
CLX installs into three coding-agent hosts. MCP tools and instructions injection work fully on all three; command gating differs by host because each host exposes a different hook surface.
| Host | Command gating | Instructions injection | MCP tools |
|---|---|---|---|
| Claude Code | Full CLI gating: PreToolUse allow / deny / ask enforced on every tool call |
~/.claude/CLAUDE.md |
Full (7 tools) |
| Codex CLI | Interactive-only, best-effort guardrail: allow / deny in interactive Codex sessions; no ask channel |
~/.codex/AGENTS.md (with AGENTS.override.md fallback) |
Full (7 tools) |
| Cursor | IDE agent and cloud agents only: beforeShellExecution / beforeMCPExecution with failClosed: true; the local cursor-agent CLI runs no hooks |
<repo>/.cursor/rules/clx.mdc |
Full (7 tools) |
Codex caveat: Command validation is a guardrail, not a complete enforcement boundary (OpenAI's wording); it applies to interactive Codex sessions, not codex exec automation, and ask is mapped to deny pending Codex ask support.
Cursor caveat: Command gating fires in the IDE agent and cloud agents only; the cursor-agent local CLI does not run hooks.
brew tap blackaxgit/clx
brew install clxThis installs clx, clx-hook, and clx-mcp. To update:
brew update && brew upgrade clxLet Claude handle the entire setup. You just need macOS, Ollama, and Rust installed.
1. Make sure Ollama is running:
ollama serve2. Paste this into Claude Code:
Install CLX from https://github.com/blackaxgit/clx:
1. Clone the repo and build: git clone https://github.com/blackaxgit/clx.git /tmp/clx && cd /tmp/clx && cargo build --release
2. Run the installer: ./target/release/clx install
3. Pull Ollama models: ollama pull qwen3:1.7b && ollama pull qwen3-embedding:0.6b
4. Add to PATH: echo 'export PATH="$HOME/.clx/bin:$PATH"' >> ~/.zshrc
5. Tell me to restart Claude Code when done
3. Restart Claude Code.
Done. Hooks are validating commands, context is being persisted, and MCP tools are available.
Full control over every step. Requires macOS (ARM64), Rust 1.85+, and Ollama.
1. Install prerequisites:
# Rust (if not installed)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Ollama (if not installed) β or download from https://ollama.com
brew install ollama
ollama serve # start the server2. Build and install CLX:
git clone https://github.com/blackaxgit/clx.git
cd clx
cargo build --release
./target/release/clx install3. Pull the required Ollama models:
ollama pull qwen3:1.7b
ollama pull qwen3-embedding:0.6b4. Add CLX to your PATH:
echo 'export PATH="$HOME/.clx/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc5. Restart Claude Code, then verify:
clx dashboardYou should see the interactive dashboard with session history and system status.
See INSTALL.md for troubleshooting.
# Check status
clx dashboard
# Search context
clx recall "authentication bug"
# View/edit configuration
clx config
clx config edit
# Manage rules
clx rules list
clx rules allow "npm install *"
clx rules deny "rm -rf /"
# Check system health
clx health # Colored table output
clx health --json # Structured JSON output
# Generate shell completions (v0.2+)
clx completions bash > ~/.clx-completion.bash
clx completions zsh > ~/.clx-completion.zsh
# Manage embeddings (v0.2+)
clx embeddings status # Check model and dimensions
clx embeddings rebuild # Rebuild for model migration
# Uninstall
clx uninstall
clx uninstall --purge # Also removes ~/.clxEdit ~/.clx/config.yaml:
validator:
enabled: true
layer0_enabled: true # deterministic policy (rule-based)
layer1_enabled: true # LLM validation
layer1_timeout_ms: 30000
default_decision: "ask" # allow, deny, ask
# If both layer0_enabled and layer1_enabled are false (with enabled: true),
# every command resolves to "ask"; to disable validation entirely set
# enabled: false. Both layer toggles are also overridable via
# CLX_VALIDATOR_LAYER0_ENABLED / CLX_VALIDATOR_LAYER1_ENABLED env vars;
# disabling a layer emits a per-event SHA-256 fingerprint to
# tracing::warn!; tamper-evident only when an external append-only sink
# captures the anchor (SQLite alone is not tamper-evident because a
# same-uid attacker can rewrite the database file).
context:
enabled: true
auto_snapshot: true
ollama:
host: "http://127.0.0.1:11434"
model: "qwen3:1.7b"
embedding_model: "qwen3-embedding:0.6b"
timeout_ms: 60000
user_learning:
enabled: true
auto_whitelist_threshold: 3 # Auto-add after N allows
auto_blacklist_threshold: 2 # Auto-block after N denies
logging:
level: "info"
file: "~/.clx/logs/clx.log"
auto_recall:
enabled: true
max_results: 3 # Top-K results to inject
similarity_threshold: 0.35 # Min relevance score (0.0-1.0)
max_context_chars: 1000 # Max chars for recall context
timeout_ms: 500 # Recall timeout per prompt
fallback_to_fts: true # Use FTS5 if semantic fails
include_key_facts: true # Include key facts in context
min_prompt_len: 10 # Skip recall for short promptsEdit ~/.clx/rules/default.yaml:
whitelist:
- pattern: "Bash(npm:test*)"
description: "Allow npm test commands"
- pattern: "Bash(cargo:build*)"
description: "Allow cargo build"
blacklist:
- pattern: "Bash(rm:-rf /*)"
description: "Block recursive delete from root"
- pattern: "Bash(curl:*|bash)"
description: "Block pipe to shell"Edit ~/.clx/prompts/validator.txt to customize risk assessment.
Claude requests command
β
PreToolUse hook fires
β
Layer 0: Check whitelist/blacklist
ββ Match whitelist β Allow
ββ Match blacklist β Deny
ββ Unknown β Continue
β
Layer 1: Ollama risk assessment
ββ Score 1-3 β Allow
ββ Score 4-7 β Ask user
ββ Score 8-10 β Deny
β
User confirms (if Ask)
β
Command executes
β
PostToolUse logs result
PreCompact hook fires (before compression)
β
Read transcript from JSONL file
β
Generate summary via Ollama
β
Store snapshot in SQLite
β
Generate embedding for search
β
Context available via clx_recall
clx/
βββ crates/
β βββ clx-core/ # Core library
β β βββ src/
β β βββ config/ # Configuration management
β β βββ storage/ # SQLite storage (sessions, snapshots, rules)
β β βββ policy/ # Command validation (L0 rules + L1 LLM)
β β βββ recall/ # Hybrid search engine (semantic + FTS5)
β β βββ llm.rs # LLM client (Ollama + Azure OpenAI)
β β βββ embeddings.rs # Vector search
β βββ clx-hook/ # Hook handler binary (host abstraction in host/)
β βββ clx-mcp/ # MCP server binary
β βββ clx/ # CLI binary + dashboard (codex/, cursor/ installers)
βββ scripts/ # Docker compose, service management, packaging
βββ INSTALL.md # Installation guide
βββ CONTRIBUTING.md # Contribution guide
# Build
cargo build
# Test
cargo test
# Run with verbose logging
RUST_LOG=debug ./target/debug/clx dashboardSee CONTRIBUTING.md for development setup and guidelines.
MPL-2.0