Ghost-hunter/ Docs

Active mode

Read-only credentials. Ghost-hunter runs the commands itself.

⚠️ Active mode is for sandbox and personal accounts only. For production, use paranoid mode.

In active mode, Ghost-hunter runs gcloud or aws directly using read-only credentials you provide. The 7-layer validator still gates every command — the LLM cannot escape the allowlist.

Setup

pip install 'ghosthunter[gcp]'   # or [aws] or [all]

Drop a config at ~/.ghosthunter/config.toml:

[provider.gcp]
project_id = "my-sandbox-project"
billing_export_table = "my-billing.gcp_billing_export_v1_0123"

[provider.aws]
profile = "ghosthunter-readonly"
region  = "us-east-1"

Authenticate the underlying SDKs the normal way (gcloud auth application-default login, aws sso login, etc).

Run

ghosthunter investigate --active --provider gcp

Ghost-hunter will execute each proposed command itself, capture the output, compress it via Sonnet, and continue the loop without you pasting.

What active mode cannot do

Even with credentials, the validator blocks anything that isn't a read-only describe / get / list / query operation. There is no flag to disable the validator. If you want a command that isn't in the allowlist, open an issue.

Audit log

Every command Ghost-hunter runs in active mode is appended to ~/.ghosthunter/audit.log. See audit mode to review past investigations.

Previous
Paranoid mode
Next
Demo mode