Code assistance with built-in safeguards

Rust-native autonomous assistant with atomic writes, automatic backups, and guardrails against destructive operations. Designed for production environments where reliability is non-negotiable.

Enterprise use cases

Real scenarios where hyle's reliability features matter.

Database Migration Safety (safety)

Production database migrations are high-stakes. A wrong ALTER TABLE can take down your service. hyle generates migrations with rollback scripts, validates syntax before execution, and creates point-in-time backups of the affected schema. If the migration fails, automatic rollback kicks in.

    -- Generated: migrations/20260110_add_audit_columns.sql
    -- Rollback:  migrations/20260110_add_audit_columns_rollback.sql

    BEGIN;

    -- Validate table exists
    DO $$
    BEGIN
      ASSERT EXISTS (SELECT 1 FROM pg_tables WHERE tablename = 'orders');
    END $$;

    ALTER TABLE orders
      ADD COLUMN created_by UUID REFERENCES users(id),
      ADD COLUMN updated_by UUID REFERENCES users(id),
      ADD COLUMN audit_log JSONB DEFAULT '[]';

    COMMIT;

    -- CREATE INDEX CONCURRENTLY cannot run inside a transaction block,
    -- so the index is built after the schema change commits.
    CREATE INDEX CONCURRENTLY idx_orders_audit
      ON orders USING GIN (audit_log);

Refactor with Backup Trail (recovery)

Large refactors touch dozens of files. One wrong rename propagates errors everywhere. hyle creates timestamped backups before every write. If the refactor breaks the build, restore any file to its pre-refactor state. Each backup includes the prompt that caused the change for audit trails.

    $ ls ~/.local/state/hyle/backups/
    orders_service/
      src/handlers/orders.rs.2026-01-10T14:23:15.bak
      src/handlers/orders.rs.2026-01-10T14:23:47.bak
      src/models/order.rs.2026-01-10T14:24:02.bak

    $ hyle restore src/handlers/orders.rs --version 2026-01-10T14:23:15
    Restored src/handlers/orders.rs from backup

    $ cargo build
    Compiling orders_service v0.1.0

Audit-Ready Code Changes (audit)

Compliance requires knowing who changed what and why. hyle logs every file operation with timestamps, diffs, and the prompts that triggered them. Export to JSON for integration with your audit system. SOC2 and ISO 27001 friendly.

    $ hyle audit --since "2026-01-09" --format json | jq '.[0]'
    {
      "timestamp": "2026-01-10T09:15:23Z",
      "session_id": "sess_8f3a2b1c",
      "operation": "write",
      "file": "src/auth/jwt.rs",
      "lines_changed": 47,
      "prompt": "add token expiration validation",
      "model": "deepseek-coder",
      "checksum_before": "a1b2c3...",
      "checksum_after": "d4e5f6...",
      "backup_path": "~/.local/state/hyle/backups/..."
    }

Atomic Config Updates (safety)

Config files are read at startup. Partial writes mean broken deployments. hyle writes to a temp file, calls fsync, then atomically renames. If power fails mid-write, you get the old config, never corruption. Kubernetes ConfigMaps and secrets handled the same way.

    // How hyle writes files atomically
    use std::fs::{self, File};
    use std::io::{self, Write};
    use std::path::Path;

    fn atomic_write(path: &Path, content: &[u8]) -> io::Result<()> {
        let temp = path.with_extension("tmp");

        // Write to temp file
        let mut file = File::create(&temp)?;
        file.write_all(content)?;
        file.sync_all()?; // Force to disk

        // Atomic rename (POSIX guarantees)
        fs::rename(&temp, path)?;

        // Verify write succeeded
        let readback = fs::read(path)?;
        assert_eq!(readback, content);

        Ok(())
    }
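
The same temp, fsync, rename sequence with the details a reviewer would ask about, as an added Rust example that is not hyle's code: the temp file is created exclusively and named after the full target, it is owner-only, and the parent directory is fsynced so the rename itself survives power loss. `durable_atomic_write`, the temp-file naming scheme and the 0600 mode are assumptions of this example, and it assumes a Unix filesystem.

```rust
use std::ffi::OsString;
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::Path;

/// Replace `path` with `content` so readers see the old or the new file, never a mix.
/// Illustrative and Unix-only; the function name is hypothetical.
pub fn durable_atomic_write(path: &Path, content: &[u8]) -> io::Result<()> {
    let dir = match path.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    let name = path.file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
    // Same directory (rename is atomic only within one filesystem) and the full
    // file name, so app.yaml and app.toml never share a temp file.
    let mut tmp_name = OsString::from(".");
    tmp_name.push(name);
    tmp_name.push(format!(".{}.tmp", std::process::id()));
    let tmp = dir.join(tmp_name);

    let result = (|| -> io::Result<()> {
        // create_new is O_EXCL: refuse to reuse a file or symlink already at that name.
        // 0600 is this example's choice; the target takes on the temp file's mode.
        let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
        f.write_all(content)?;
        f.sync_all()?; // temp file contents reach disk before the file becomes visible
        fs::rename(&tmp, path)?; // atomic swap of the directory entry
        File::open(dir)?.sync_all() // persist the rename itself across power loss
    })();
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // best effort; the original file is untouched
    }
    result
}

fn main() {
    let target = std::env::temp_dir().join("hyle_example_config.yaml"); // constructed path
    durable_atomic_write(&target, b"log_level: info\n").expect("write failed");
    println!("{}", String::from_utf8_lossy(&fs::read(&target).expect("read failed")));
    fs::remove_file(&target).expect("cleanup failed");
}
```
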
Destructive Command Blocking (safety)

"Clean up the build artifacts" shouldn't mean "delete production data." hyle maintains a blocklist of dangerous command patterns. rm -rf, DROP DATABASE, kubectl delete --all - all blocked by default. Override with explicit confirmation for legitimate use cases.

    $ hyle
    > clean up old build files and temp directories

    [BLOCKED] Command pattern matched blocklist:
      rm -rf target/ tmp/ .cache/

    This matches pattern: rm -rf *

    To proceed, run with explicit confirmation:
      hyle --allow-destructive

    Or use safer alternatives:
      cargo clean
      git clean -xdf  (interactive: git clean -xdfi)
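
A blocklist like the one described above has to match on parsed commands rather than literal strings, or `rm -fr`, `rm -r -f` and a destructive command chained after a harmless one slip past. The following is an added Rust example, not hyle's matcher: `Verdict`, `screen` and the parsing rules are assumptions of this example, it covers only the three patterns named on this page, and it is a backstop rather than a full shell parser.

```rust
/// Outcome of screening one shell command (illustrative type, not hyle's API).
#[derive(Debug, PartialEq)]
pub enum Verdict { Allowed, Blocked(&'static str) } // Blocked carries the matched pattern

/// True when rm's flags request both recursion and force, in any spelling.
fn rm_recursive_force(args: &[String]) -> bool {
    let (mut recursive, mut force) = (false, false);
    for arg in args {
        match arg.as_str() {
            "--" => break, // everything after "--" is an operand, not a flag
            "--recursive" => recursive = true,
            "--force" => force = true,
            s if s.starts_with('-') && !s.starts_with("--") => {
                recursive |= s.contains('r'); // input is lowercased, so -R counts too
                force |= s.contains('f');
            }
            _ => {}
        }
    }
    recursive && force
}

pub fn screen(command: &str) -> Verdict {
    // Check every segment so "cargo build && rm -rf x" cannot hide behind a safe prefix.
    for segment in command.split(|c: char| matches!(c, ';' | '|' | '&' | '\n')) {
        // Strip quotes and lowercase so `psql -c 'drop database x'` still matches.
        let mut words: Vec<String> = segment
            .split_whitespace()
            .map(|w| w.trim_matches(|c: char| c == '"' || c == '\'').to_lowercase())
            .collect();
        while matches!(words.first().map(String::as_str), Some("sudo") | Some("nohup")) {
            words.remove(0); // wrappers change who runs the command, not what it does
        }
        if words.is_empty() { continue; }
        let prog = words[0].rsplit('/').next().unwrap_or(""); // "/bin/rm" -> "rm"
        if prog == "rm" && rm_recursive_force(&words[1..]) {
            return Verdict::Blocked("rm -rf *");
        }
        if words.windows(2).any(|w| w[0] == "drop" && w[1] == "database") {
            return Verdict::Blocked("DROP DATABASE");
        }
        if prog == "kubectl" && words.iter().any(|w| w == "delete") && words.iter().any(|w| w == "--all") {
            return Verdict::Blocked("kubectl delete --all");
        }
    }
    Verdict::Allowed
}
fn main() { // constructed sample commands
    for cmd in ["rm -rf target/", "cargo clean"] { println!("{:?} -> {:?}", cmd, screen(cmd)); }
}
```
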
Rate Limit Resilience (recovery)

Long-running refactors can hit API rate limits. hyle tracks model health in real-time. When one model returns 429, it automatically switches to a fallback. Work continues without interruption. When the primary recovers, it switches back automatically.

    $ hyle status --models
    MODEL                 STATUS   LATENCY  RATE
    deepseek-chat         healthy  234ms    ok
    deepseek-coder        healthy  189ms    ok
    qwen/qwen-2.5-coder   limited  -        429 (retry: 45s)
    mistralai/codestral   healthy  312ms    ok

    Current model: deepseek-coder
    Fallback chain: qwen -> mistral -> deepseek-chat

    $ hyle config show rate-limit
    rate_limit:
      detection: auto
      fallback_delay: 5s
      health_check_interval: 30s
      max_retries: 3

Safety features

Destructive Command Blocking

rm -rf, DROP DATABASE, and similar patterns blocked by default

Atomic File Writes

Write to temp, fsync, rename. No partial writes, ever.

Write Verification

Read-back check after every file write confirms integrity

Backup Rotation

Timestamped backups with configurable retention (default: 3)

Rate Limit Handling

Auto-switches to fallback models on 429 responses

Session Auto-save

Work preserved on Ctrl-C, crash, or power failure

Specifications

Component         Detail
Language          Rust 1.75+ (MSRV)
Binary Size       ~10MB (release, stripped)
Dependencies      38 crates (cargo-audit clean)
Test Coverage     364 tests (unit + integration)
License           MIT
Config Location   XDG directories (0600 permissions)
Backup Location   ~/.local/state/hyle/backups/
Audit Log         ~/.local/state/hyle/audit.jsonl