Human-in-the-Loop
for AI coding agents

Tamer turns every Claude Code, Aider, Cursor or Gemini CLI session into a Human-in-the-Loop (HITL) workflow. Every dangerous action waits for your explicit approval — sent to your phone, not buried in a terminal.

Try HITL approvals How HITL works ↓

What is Human-in-the-Loop?

Human-in-the-Loop (HITL) is a control pattern where an AI system pauses before taking an irreversible or high-impact action and waits for a human decision. The human stays "in the loop" — the agent does not act unilaterally.

For AI coding agents (Claude Code, Aider, Cursor, Gemini CLI, Cline), HITL means that destructive shell commands, file writes outside the workspace, network calls, and credential reads do not execute until a human approves them. The agent continues to plan and reason; only execution is gated.

"Autonomy is not a binary. The right amount of autonomy is task-dependent — and Human-in-the-Loop is the dial that lets the operator set it."

tamer.ai design principle

How tamer implements Human-in-the-Loop

  1. 1

    The agent proposes an action

    Claude Code, Aider or any wrapped agent emits a tool call (bash command, file write, web fetch). Tamer intercepts it via pre-execution hooks before the syscall reaches the OS.

  2. 2

    Tamer classifies the risk

    A pattern engine matches the action against a policy: safe (auto-allow), risky (HITL approval required), or forbidden (auto-block, kernel-enforced). Safe patterns learned from your past approvals run through.

  3. 3

    A push notification reaches your phone

    The encrypted relay forwards a redacted approval request to the PWA on your phone (and optionally to Telegram). Secrets are never sent — only the action description and a fingerprint.

  4. 4

    You approve, reject, or edit

    "Hold to Approve" runs the action. Reject sends the agent a refusal it can reason about. You can also rewrite the command before it runs — full Human-in-the-Loop control.

  5. 5

    The Master learns

    Patterns you keep approving (e.g. npm test in this repo) become safe by default. You only intervene on novel or risky actions — the loop tightens around what matters.

Why Human-in-the-Loop matters for AI agents

Without HITL

  • Agents execute curl | bash from poisoned MCP tools
  • Stuck in retry loops, burning tokens until the bill explodes
  • Overwriting .env, .git, or production configs
  • Exfiltrating secrets via "helpful" debug commands
  • You glued to the terminal, approving line by line

With Human-in-the-Loop

  • Risky actions require a phone tap; safe ones flow through
  • You step away from the desk and supervise from anywhere
  • Kernel sandbox is the last wall — even a bypassed hook can't reach .ssh/
  • Pattern learning means fewer prompts over time, not more
  • Audit trail of every approval, by you, signed and timestamped

One HITL layer, every agent

Tamer adds Human-in-the-Loop approvals to any CLI-based AI coding agent — without modifying the agent itself.

Claude Code

HITL approvals on every Bash, Edit, Write, and WebFetch tool call.

Aider

Approve before commits, file edits, and shell suggestions reach disk.

Gemini CLI

Wrap tamer gemini for HITL on every action the model proposes.

Cursor & Windsurf

Background agents get the same HITL layer when run via the tamer CLI.

Cline

Hooks into Cline's command surface the same way as Claude Code.

Local LLMs

Any CLI-driven local model gets HITL approvals via the generic adapter.

Human-in-the-Loop — FAQ

What does Human-in-the-Loop mean for AI coding agents?
It means the agent stops before any risky action — bash command, file write, network call — and waits for a human decision. The agent keeps planning autonomously; only execution is gated by approval.
Is HITL the same as "manual approval" in Claude Code?
Claude Code already prompts before destructive commands, but the prompt only reaches the local terminal. Tamer extends this into a real Human-in-the-Loop loop: approvals reach your phone, are auditable, can be edited, and survive across multiple agents in a single session.
Won't HITL slow my agent down?
Only on novel actions. The Master Agent learns the patterns you repeatedly approve and auto-allows them next time. After a few sessions, you only see approvals for genuinely new or risky actions — typically a handful per hour, not per minute.
What if I'm offline when the agent needs approval?
The agent pauses safely. The relay queues the request; when your phone reconnects, the approval prompt arrives. No timeouts execute the action by default — silence means "no".
Can I bypass HITL for trusted commands?
Yes. Auto-allow patterns can be defined per-project (e.g. npm test, git status). Anything not on the allowlist still requires HITL approval.
Does the relay see my code or my approval payload?
No. The relay only forwards encrypted approval requests; payloads are AES-256-GCM end-to-end between your CLI and your phone. Secrets are redacted from the request itself before it leaves your machine.
Is HITL alone enough to secure an AI agent?
No, and tamer doesn't pretend otherwise. HITL handles intent; the kernel sandbox (Landlock, seccomp-BPF, Job Object) handles capability. A bypassed HITL hook still hits the kernel wall.

Add Human-in-the-Loop to your agents

Three commands to gate every risky action behind a phone tap.

$ curl -fsSL https://server.tamer-ai.dev/install.sh | bash
$ tamer init
$ tamer claude
Install tamer Read the security model →