Marketplace slb

Simultaneous Launch Button - Two-person rule for destructive commands in multi-agent workflows. Risk-tiered classification, command hash binding, 5 execution gates, client-side execution with environment inheritance. Go CLI.

install

source · Clone the upstream repo

git clone https://github.com/aiskillstore/marketplace

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/dicklesworthstone/slb" ~/.claude/skills/aiskillstore-marketplace-slb && rm -rf "$T"

manifest: skills/dicklesworthstone/slb/SKILL.md

source content

SLB — Simultaneous Launch Button

A Go CLI that implements a two-person rule for running potentially destructive commands from AI coding agents. When an agent wants to run something risky (e.g.,

rm -rf

git push --force

kubectl delete

DROP TABLE

), SLB requires peer review and explicit approval before execution.

Why This Exists

Coding agents can get tunnel vision, hallucinate, or misunderstand context. A second reviewer (ideally with a different model/tooling) catches mistakes before they become irreversible.

SLB is built for multi-agent workflows where many agent terminals run in parallel and a single bad command could destroy work, data, or infrastructure.

Critical Design: Client-Side Execution

Commands run in YOUR shell environment, not on a server. The daemon is a NOTARY (verifies approvals), not an executor. This means commands inherit:

AWS_PROFILE, AWS_ACCESS_KEY_ID
KUBECONFIG
Activated virtualenvs
SSH_AUTH_SOCK
Database connection strings

Risk Tiers

Tier	Approvals	Auto-approve	Examples
CRITICAL	2+	Never	`rm -rf /` , `DROP DATABASE` , `terraform destroy` , `git push --force`
DANGEROUS	1	Never	`rm -rf ./build` , `git reset --hard` , `kubectl delete` , `DROP TABLE`
CAUTION	0	After 30s	`rm file.txt` , `git branch -d` , `npm uninstall`
SAFE	0	Immediately	`rm *.log` , `git stash` , `kubectl delete pod`

Quick Start

Installation

# One-liner
curl -fsSL https://raw.githubusercontent.com/Dicklesworthstone/slb/main/scripts/install.sh | bash

# Or with go install
go install github.com/Dicklesworthstone/slb/cmd/slb@latest

Initialize a Project

cd /path/to/project
slb init

Creates

.slb/

directory with:

```
state.db
```
- SQLite database (source of truth)
```
config.toml
```
- Project configuration
```
pending/
```
- JSON files for pending requests
```
logs/
```
- Execution logs

Basic Workflow

# 1. Start a session (as an AI agent)
slb session start --agent "GreenLake" --program "claude-code" --model "opus"
# Returns: session_id and session_key

# 2. Run a dangerous command (blocks until approved)
slb run "rm -rf ./build" --reason "Clean build artifacts" --session-id <id>

# 3. Another agent reviews and approves
slb pending                    # See what's waiting
slb review <request-id>        # View full details
slb approve <request-id> --session-id <reviewer-id> --comment "Looks safe"

# 4. Original command executes automatically after approval

Commands Reference

Session Management

slb session start --agent <name> --program <prog> --model <model>
slb session end --session-id <id>
slb session resume --agent <name> --create-if-missing  # Resume after crash
slb session list                               # Show active sessions
slb session heartbeat --session-id <id>        # Keep session alive
slb session gc --threshold 2h                  # Clean stale sessions

Request & Run

# Primary command (atomic: check, request, wait, execute)
slb run "<command>" --reason "..." --session-id <id>

# Plumbing commands
slb request "<command>" --reason "..."         # Create request only
slb status <request-id> --wait                 # Check/wait for status
slb pending --all-projects                     # List pending requests
slb cancel <request-id>                        # Cancel own request

Review & Approve

slb review <request-id>                        # Show full details
slb approve <request-id> --session-id <id> --comment "..."
slb reject <request-id> --session-id <id> --reason "..."

Execution

slb execute <request-id>                       # Execute approved request
slb emergency-execute "<cmd>" --reason "..."   # Human override (logged)
slb rollback <request-id>                      # Rollback if captured

Pattern Management

slb patterns list --tier critical              # List patterns by tier
slb patterns test "<command>"                  # Check what tier a command gets
slb patterns add --tier dangerous "<pattern>"  # Add runtime pattern

Daemon & TUI

slb daemon start --foreground                  # Start background daemon
slb daemon stop                                # Stop daemon
slb daemon status                              # Check daemon status
slb tui                                        # Launch interactive TUI
slb watch --session-id <id> --json             # Stream events (NDJSON)

Claude Code Hook

slb hook install                               # Install PreToolUse hook
slb hook status                                # Check installation
slb hook test "<command>"                      # Test classification
slb hook uninstall                             # Remove hook

History & Audit

slb history --tier critical --status executed  # Filter history
slb history -q "rm -rf"                        # Full-text search
slb show <request-id> --with-reviews           # Detailed view
slb outcome record <request-id> --problems     # Record feedback
slb outcome stats                              # Execution statistics

Pattern Matching Engine

Classification Algorithm

Normalization: Commands are parsed with shell-aware tokenization
- Strips wrapper prefixes:
```
sudo
```
  ,
```
doas
```
  ,
```
env
```
  ,
```
time
```
  ,
```
nohup
```
- Extracts inner commands from
```
bash -c 'command'
```
- Resolves paths:
```
./foo
```
  →
```
/absolute/path/foo
```

Compound Command Handling: Commands with

&&

||

are split and each segment classified. Highest risk segment wins:

echo "done" && rm -rf /etc    →  CRITICAL (rm -rf /etc wins)
ls && git status              →  SAFE (no dangerous patterns)

Shell-Aware Splitting: Separators inside quotes preserved:

psql -c "DELETE FROM users; DROP TABLE x;"  →  Single segment (SQL)
echo "foo" && rm -rf /tmp                   →  Two segments

Pattern Precedence: SAFE → CRITICAL → DANGEROUS → CAUTION (first match wins)
Fail-Safe Parse Handling: If parsing fails, tier is upgraded by one level:
- SAFE → CAUTION
- CAUTION → DANGEROUS
- DANGEROUS → CRITICAL

Default Patterns

CRITICAL (2+ approvals):

rm -rf /...

DROP DATABASE/SCHEMA

TRUNCATE TABLE

terraform destroy

kubectl delete node/namespace/pv/pvc

git push --force

aws terminate-instances

dd ... of=/dev/

DANGEROUS (1 approval):

rm -rf

git reset --hard

git clean -fd

kubectl delete

terraform destroy -target

DROP TABLE

chmod -R

chown -R

CAUTION (auto-approved after 30s):

rm <file>

git stash drop

git branch -d

npm/pip uninstall

SAFE (skip review):

rm *.log

rm *.tmp

git stash

kubectl delete pod

npm cache clean

Request Lifecycle

State Machine

                    ┌─────────────┐
                    │   PENDING   │
                    └──────┬──────┘
           ┌───────────────┼───────────────┐───────────────┐
           ▼               ▼               ▼               ▼
     ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
     │ APPROVED │    │ REJECTED │    │ CANCELLED│    │ TIMEOUT  │
     └────┬─────┘    └──────────┘    └──────────┘    └────┬─────┘
          │              (terminal)      (terminal)       │
          ▼                                               ▼
     ┌──────────┐                                   ┌──────────┐
     │EXECUTING │                                   │ESCALATED │
     └────┬─────┘                                   └──────────┘
          │
   ┌──────┴──────┬──────────┐
   ▼             ▼          ▼
┌────────┐  ┌─────────┐  ┌────────┐
│EXECUTED│  │EXEC_FAIL│  │TIMED_OUT│
└────────┘  └─────────┘  └────────┘
(terminal)   (terminal)   (terminal)

Approval TTL

Standard requests: 30 minutes (configurable)
CRITICAL requests: 10 minutes (stricter)

If approval expires before execution, re-approval required.

Execution Verification (5 Security Gates)

Before any command executes, five gates must pass:

Gate	Check
1. Status	Request must be in APPROVED state
2. Expiry	Approval TTL must not have elapsed
3. Hash	SHA-256 hash of command must match (tamper detection)
4. Tier	Risk tier must still match (patterns may have changed)
5. First-Executor	Atomic claim prevents race conditions

Dry Run & Rollback

Dry Run Pre-flight

For supported commands, SLB can run a dry-run variant first:

Command	Dry-run variant
`terraform apply`	`terraform plan`
`kubectl apply`	`kubectl diff`
`git push`	`git diff` (show what would change)

[general]
enable_dry_run = true

Rollback State Capture

Before executing, SLB can capture state:

[general]
enable_rollback_capture = true
max_rollback_size_mb = 100

Captured state includes:

Filesystem: Tar archive of affected paths
Git: HEAD commit, branch, dirty state, untracked files
Kubernetes: YAML manifests of affected resources

slb rollback <request-id>           # Restore captured state
slb rollback <request-id> --force   # Force overwrite

Configuration

Configuration is hierarchical (lowest to highest priority):

Built-in defaults
User config (
```
~/.slb/config.toml
```
)
Project config (
```
.slb/config.toml
```
)
Environment variables (
```
SLB_*
```
)
Command-line flags

Example Configuration

[general]
min_approvals = 2
request_timeout = 1800              # 30 minutes
approval_ttl_minutes = 30
timeout_action = "escalate"         # or "auto_reject", "auto_approve_warn"
require_different_model = true      # Reviewer must use different AI model

[rate_limits]
max_pending_per_session = 5
max_requests_per_minute = 10

[notifications]
desktop_enabled = true
webhook_url = "https://slack.com/webhook/..."

[daemon]
tcp_addr = ""                       # For Docker/remote agents
tcp_require_auth = true

[agents]
trusted_self_approve = ["senior-agent"]
trusted_self_approve_delay_seconds = 300

Advanced Configuration

Cross-Project Reviews

[general]
cross_project_reviews = true
review_pool = ["agent-a", "agent-b", "human-reviewer"]

Conflict Resolution

[general]
conflict_resolution = "any_rejection_blocks"  # Default
# Options: any_rejection_blocks | first_wins | human_breaks_tie

Dynamic Quorum

[patterns.critical]
dynamic_quorum = true
dynamic_quorum_floor = 2    # Minimum approvals even with few reviewers

Daemon Architecture

IPC Communication

Unix domain sockets (project-specific):

/tmp/slb-<hash>.sock

JSON-RPC Protocol

All daemon communication uses JSON-RPC 2.0:

{"jsonrpc": "2.0", "method": "hook_query", "params": {"command": "rm -rf /"}, "id": 1}

Available methods:

hook_query

hook_health

verify_execution

subscribe

TCP Mode (Docker/Remote)

[daemon]
tcp_addr = "0.0.0.0:9876"
tcp_require_auth = true
tcp_allowed_ips = ["192.168.1.0/24"]

Timeout Handling

Action	Behavior
`escalate`	Transition to ESCALATED, notify humans (default)
`auto_reject`	Automatically reject the request
`auto_approve_warn`	Auto-approve CAUTION tier with warning

Agent Event Streaming

slb watch

provides real-time NDJSON event streaming:

slb watch --session-id <id>

{"type":"request_pending","request_id":"abc123","tier":"dangerous","command":"rm -rf ./build","ts":"..."}
{"type":"request_approved","request_id":"abc123","reviewer":"BlueLake","ts":"..."}
{"type":"request_executed","request_id":"abc123","exit_code":0,"ts":"..."}

Event types:

request_pending

request_approved

request_rejected

request_executed

request_timeout

request_cancelled

Auto-Approve Mode (for reviewer agents)

slb watch --session-id <id> --auto-approve-caution

Request Attachments

Provide context for reviewers:

# Attach file
slb request "DROP TABLE users" --reason "..." --attach ./schema.sql

# Attach screenshot
slb request "kubectl delete deployment" --reason "..." --attach ./dashboard.png

# Attach command output
slb request "terraform destroy" --reason "..." --attach-cmd "terraform plan -destroy"

Emergency Override

For true emergencies, humans can bypass with extensive logging:

# Interactive (prompts for confirmation)
slb emergency-execute "rm -rf /tmp/broken" --reason "System emergency: disk full"

# Non-interactive (requires hash acknowledgment)
HASH=$(echo -n "rm -rf /tmp/broken" | sha256sum | cut -d' ' -f1)
slb emergency-execute "rm -rf /tmp/broken" --reason "Emergency" --yes --ack $HASH

Safeguards: Mandatory reason, hash acknowledgment, extensive logging, optional rollback capture.

Outcome Tracking

Record execution feedback to improve pattern classification:

slb outcome record <request-id>                          # Success
slb outcome record <request-id> --problems --description "Deleted wrong files"
slb outcome stats                                        # Statistics

TUI Dashboard

slb tui

┌─────────────────────────────────────────────────────────────────────┐
│  SLB Dashboard                                                       │
├─────────────────┬───────────────────────────────────────────────────┤
│  AGENTS         │  PENDING REQUESTS                                  │
│  ───────        │  ────────────────                                  │
│▸ GreenLake      │▸ abc123 CRITICAL rm -rf /etc      BlueLake 2m     │
│  BlueLake       │  def456 DANGEROUS git reset --hard GreenLake 5m   │
├─────────────────┴───────────────────────────────────────────────────┤
│  ACTIVITY                                                            │
│  10:30:15 GreenLake approved abc123                                  │
│  10:28:42 BlueLake requested def456 (DANGEROUS)                      │
└─────────────────────────────────────────────────────────────────────┘

Keys:

Tab

(cycle panels),

↑/↓

(navigate),

Enter

(view),

(approve),

(reject),

(quit)

Claude Code Hook Integration

# Install hook
slb hook install

# Hook actions returned to Claude Code:
# - allow: Command proceeds
# - ask: User prompted (CAUTION tier)
# - block: Blocked with message to use `slb request`

Generate IDE integrations:

slb integrations claude-hooks > ~/.claude/hooks.json
slb integrations cursor-rules > .cursorrules

Security Design Principles

Defense in Depth (6 layers)

Pattern-based classification
Peer review requirement
Command hash binding (SHA-256)
Approval TTL
Execution verification gates
Audit logging

Cryptographic Guarantees

Command binding: SHA-256 hash verified at execution
Review signatures: HMAC using session keys
Session keys: Generated per-session, never stored in plaintext

Fail-Closed Behavior

Daemon unreachable → Block dangerous commands (hook)
Parse error → Upgrade tier by one level
Approval expired → Require new approval
Hash mismatch → Reject execution

Exit Codes

Code	Meaning
`0`	Success
`1`	General error
`2`	Invalid arguments
`3`	Request not found
`4`	Permission denied
`5`	Timeout
`6`	Rate limited

Environment Variables

Variable	Description
`SLB_MIN_APPROVALS`	Minimum approval count
`SLB_REQUEST_TIMEOUT`	Request timeout in seconds
`SLB_TIMEOUT_ACTION`	What to do on timeout
`SLB_DESKTOP_NOTIFICATIONS`	Enable desktop notifications
`SLB_WEBHOOK_URL`	Webhook notification URL
`SLB_DAEMON_TCP_ADDR`	TCP listen address
`SLB_TRUSTED_SELF_APPROVE`	Comma-separated trusted agents

Troubleshooting

"Daemon not running" warning

SLB works without daemon (file-based polling). Start for real-time:

slb daemon start

"Active session already exists"

slb session resume --agent "YourAgent" --create-if-missing

Approval expired

Re-request:

slb run "<command>" --reason "..."

Command hash mismatch

Command was modified after approval. Re-request for the modified command.

Safety Note

SLB adds friction and peer review for dangerous actions. It does NOT replace:

Least-privilege credentials
Environment safeguards
Proper access controls
Backup strategies

Use SLB as defense in depth, not your only protection.

Integration with Flywheel

Tool	Integration
Agent Mail	Notify reviewers via inbox; track audit trails
BV	Track SLB requests as beads
CASS	Search past SLB decisions across sessions
DCG	DCG blocks automatically; SLB adds peer review layer
NTM	Coordinate review across agent terminals