ratelworks/leasecheck
Audit agent tool leases before handoff — capability allowlist, TTL, secrets, path scope, git state in one CLI check
Platform-specific configuration:
{
"mcpServers": {
"leasecheck": {
"command": "npx",
"args": [
"-y",
"leasecheck"
]
}
}
}Add the config above to .claude/settings.json under the mcpServers key.
<h1 align="center">leasecheck</h1> Lease requests drift when allowlists, TTLs, paths, and secret scopes are checked by hand. This CLI reads one JSON manifest, audits the request against the repo, and prints the fixes before you hand off the lease.
[](https://github.com/ratelworks/leasecheck/actions/workflows/ci.yml) [](https://github.com/ratelworks/leasecheck/releases/latest) [](./LICENSE) [](https://pkg.go.dev/github.com/ratelworks/leasecheck)
On Monday, a small team starts with a trusted lease request and everything works. On Wednesday, someone adds one more capability, stretches the TTL, and points the request at a path that no longer exists. On Friday, the handoff fails, and nobody can tell if the break came from policy drift, repo drift, or a dirty working tree. leasecheck makes that mismatch visible before the handoff leaves the terminal.
This is the same problem that Terraform solved for infrastructure changes.
leasecheck --manifest examples/lease-demo.json --repo-root .Lease decision: deny
Summary: 0 pass, 3 warn, 2 fail
Manifest: examples/lease-demo.json
Repository: /Users/ratelworks/Desktop/Claude Code/dev/A_/A_Star/projects/leasecheck
...
5. git audit [warn]
- Git metadata could not be collected.
- Reason: collect branch failed: git rev-parse --abbrev-ref HEAD failed: exit status 128
Fix: Install git or run the tool inside a repository if you want commit-level audit data.go install github.com/ratelworks/leasecheck@latestUse a small JSON manifest like examples/lease-demo.json.
| Field | Required | What it co
Loading reviews...