· Field NotesJuly 12, 2026

A Guard Dog for Your AI's Shopping Cart

Refuse watches every software package your AI installs and quietly blocks the ones with known security holes — before they touch your system.

open-sourceself-hostingAIautomationvia github

The thing worth knowing

When an AI coding agent — like Claude Code or Cursor — writes software for you, it doesn't just think and type. It also shops. It goes out and fetches pre-built pieces of code written by other people, called packages, and installs them into your project. This is completely normal. Every developer does it.

The problem is that AI agents learned what packages to use from training data that has a cutoff date. So they sometimes reach for an older version of something — and that older version has since been found to have a security hole. The AI doesn't know. It just grabs it.

Refuse sits quietly in the background and checks every install against live databases of known vulnerabilities. If something looks bad, it blocks the install before anything lands on your disk. You don't change how you work. Your developer doesn't change how they work. It just runs in the background, watching the door.

It's open source, runs in a single container on any server, and covers over 13 different ways developers fetch code.

Words worth knowing

Package — A reusable chunk of code someone else wrote, that your software borrows. Like ordering a pre-made sauce instead of making it from scratch.

CVE — Common Vulnerabilities and Exposures. A public list of known security flaws. Think of it as a recalled-products database, but for software.

Supply chain attack — When a bad actor poisons a widely-used package so that anyone who installs it gets compromised. Like tampering with a supplier's ingredients before they reach the restaurant.

Docker container — A self-contained box of software that runs the same way on any machine, no installation headaches.

Worth thinking about

If you're using any AI tool to help build software for your business, ask your developer: what's checking the packages the AI installs? That question alone will tell you a lot.

Check it out →

Written by David at AC0.AI. Follow on @ac0hero

Field Notes in your inbox

The AI tools and moves I actually use to win more business. A couple a week, nothing I haven't run myself.