navikt

navikt / cplt

Public

Drop in replacement sandbox for GitHub Copilot CLI for macOS

12
2
100% credibility
Found Apr 10, 2026 at 12 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
Rust
AI Summary

cplt is a macOS wrapper that runs GitHub Copilot CLI in a kernel-enforced sandbox, blocking access to secrets and sensitive files while allowing project work and necessary tool access.

How It Works

1
📰 Discover safe AI coding helper

You hear about a Mac tool that lets AI assistants like Copilot help with your code without ever seeing your passwords, keys, or private files.

2
📥 Add the protector

You easily download and set up the safety wrapper on your Mac so your AI helper stays in a secure bubble.

3
🩺 Check your setup

You run a quick health check to make sure everything is ready and your secrets are protected.

4
🚀 Ask AI for code help safely

You give a simple request like 'fix these tests' and watch the AI work on your project inside its safe space.

5
🔧 Tweak protections if needed

You adjust what the AI can see or connect to, like allowing certain folders, to fit your project perfectly.

🎉 Code improved, secrets safe

Your project gets smarter fixes from the AI, while all your personal info stays completely hidden and secure.

Sign up to see the full architecture

4 more

Sign Up Free

Star Growth

See how this repo grew from 12 to 12 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is cplt?

cplt is a Rust-built drop-in replacement sandbox for GitHub Copilot CLI on macOS, wrapping it in Apple's kernel-level Seatbelt framework. It lets Copilot read/write your project dir and spawn tools like npm or go test, but kernel-blocks secrets in ~/.ssh, .env files, AWS creds, and SSH agents—preventing exfil via HTTPS. Brew install it, then `cplt -- -p "fix tests"` for secure sessions.

Why is it gaining traction?

Zero-config defaults block git hooks, lifecycle scripts, and localhost SSRF, with flags like `--allow-env-files` or `--scratch-dir` for go test/npm builds. Optional proxy logs gh/curl connections and blocks pastebin-style domains, while `--doctor` scans your env. Like a drop in replacement meaning seamless swap with git drop commit safety, it tackles AI supply-chain risks navikt-style.

Who should use this?

macOS backend devs prompting Copilot on repos with cloud creds or .env secrets. Security teams at gov agencies like navikt, or Rust/Go/Node engineers dodging npm postinstall attacks during AI-driven fixes.

Verdict

Grab it if you're on macOS and Copilot CLI—early with 12 stars and 1.0% credibility score, but MIT-licensed, CI-badged releases with provenance, and SECURITY.md depth make it production-ready for paranoid workflows. Run `--doctor` to vet your setup.

(198 words)

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.