overreach

a local tripwire for capability drift in a diff

  • Rust
  • GitHub Actions

github.com/Conalh/overreach

overreach is a zero-config Rust CLI that scans a diff, file, or repository for capability drift — outbound network calls, subprocess spawns, sensitive-file reads, pipe-to-shell installers, disabled TLS, and provider-prefixed hardcoded secrets (with values redacted).

Built as a tripwire for AI-assisted code review, it runs on every push with no network access and no telemetry, grades findings by severity, and gates CI against a committed .overreach.json baseline so it only fails when a PR expands the accepted surface. It ships as a single binary, prebuilt releases, and a composite GitHub Action — the standalone cousin of the governance suite.