What It Does — Per-Session Security for Your Coding Agent
Claude Guard is a new plugin that gives you granular, per-session control over what your Claude Code agent can access. Instead of global permissions or trusting Claude to self-limit, you can now run sessions with specific guardrails:
- Network sandboxing: Kernel-level network blocking on macOS (via sandbox-exec) or pattern-based blocking cross-platform
- Path protection: Blocks access to sensitive directories like credentials, browser sessions, keychains, clipboard, and shell history
- Workspace scoping: Restricts Read/Write/Edit/Grep/Glob operations to specific project directories
- Write sandboxing: Kernel-level protection against writes to sensitive directories, even for scripts spawned by Bash
This follows Claude Code's recent introduction of Auto Mode (March 26, 2026), which enables more autonomous task execution. Claude Guard provides the safety controls to use that autonomy confidently.
Setup — Install and Configure in 3 Commands
# Step 1: Add the marketplace source
/plugin marketplace add derek-larson14/claude-guard
# Step 2: Install the plugin
/plugin install claude-guard@claude-guard
# Step 3: Run setup
/claude-guard:setup
The setup wizard asks about your environment and generates a claude-guard.toml configuration file. You can toggle individual protection categories (credentials, browser sessions, etc.) in this file or via environment variables.
When To Use It — Specific Security Scenarios
1. Locked-Down Automated Scripts
When running automated Claude Code tasks (like batch fixes or CI/CD integration), scope the agent to only your project:
CLAUDE_GUARD_NETWORK_MODE=sandbox \
CLAUDE_GUARD_WORKSPACE_GUARD=on \
CLAUDE_GUARD_ALLOWED_ROOTS="$HOME/Github/my-app" \
claude -p "fix the scroll bug" --dangerously-skip-permissions
2. Multi-Repository Work with Different Permissions
Working across multiple repos? Give different sessions different access:
# Session 1: Full access to both repos
CLAUDE_GUARD_WORKSPACE_GUARD=on \
CLAUDE_GUARD_ALLOWED_ROOTS="$HOME/Github/my-app:$HOME/Github/my-lib" \
claude -p "update shared dependencies"
# Session 2: Network-blocked, app-only access
CLAUDE_GUARD_NETWORK_GUARD=on \
CLAUDE_GUARD_NETWORK_MODE=sandbox \
CLAUDE_GUARD_WORKSPACE_GUARD=on \
CLAUDE_GUARD_ALLOWED_ROOTS="$HOME/Github/my-app" \
claude -p "debug API calls"
3. Build Processes with Controlled Write Access
Allow builds but protect sensitive directories:
# Agent can write anywhere except exec/, with exceptions for scratch/build/
CLAUDE_GUARD_NETWORK_MODE=sandbox \
CLAUDE_GUARD_SANDBOX_DENY_WRITE="$HOME/Github/exec" \
CLAUDE_GUARD_SANDBOX_ALLOW_WRITE="$HOME/Github/exec/scratch/build" \
claude -p "build the feature" --dangerously-skip-permissions
How It Works — The Guard Chain
When Claude Code makes a tool call, Claude Guard intercepts it with a PreToolUse hook and runs four guards in sequence:
- Path guard: Blocks access to sensitive paths
- Write guard: Blocks dangerous writes
- Workspace guard (optional): Scopes to project directory
- Network guard: Sandboxes or blocks network access
The first deny blocks the entire action. All actions are logged to JSONL audit logs.
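A sketch of the first-deny-wins chain described above, added here as an illustration and not taken from Claude Guard's source. It covers only the path and workspace guards; the SENSITIVE list, the simplified call shape (tool, path) and the audit record fields are assumptions, and only the environment variable names come from this page.

```python
import json, os, tempfile

# Hypothetical deny list; the page does not show the plugin's real one.
SENSITIVE = ["~/.ssh", "~/.aws", "~/.bash_history"]

def resolve(p):
    # realpath collapses ".." and follows symlinks before any comparison.
    return os.path.realpath(os.path.expanduser(p))

def inside(path, root):
    root = resolve(root)
    return os.path.commonpath([path, root]) == root

def path_guard(target, env):
    if env.get("CLAUDE_GUARD_PATH_GUARD") == "off":
        return None
    return "sensitive path" if any(inside(target, s) for s in SENSITIVE) else None

def workspace_guard(target, env):
    if env.get("CLAUDE_GUARD_WORKSPACE_GUARD") != "on":
        return None
    roots = [r for r in env.get("CLAUDE_GUARD_ALLOWED_ROOTS", "").split(":") if r]
    return None if any(inside(target, r) for r in roots) else "outside allowed roots"

GUARDS = [("path", path_guard), ("workspace", workspace_guard)]

def evaluate(call, env, audit):
    """Run guards in order; first deny wins. `call` is a simplified, assumed shape."""
    target = resolve(call["path"])
    verdict = {"tool": call["tool"], "path": target, "decision": "allow"}
    for name, guard in GUARDS:
        reason = guard(target, env)
        if reason:
            verdict.update(decision="deny", guard=name, reason=reason)
            break
    audit.append(json.dumps(verdict))  # one JSON object per line (JSONL)
    return verdict

def demo():
    # Constructed layout: workspace, outside dir, and a symlink from one to the other.
    base = tempfile.mkdtemp()
    ws, out = os.path.join(base, "my-app"), os.path.join(base, "other")
    os.makedirs(ws)
    os.makedirs(out)
    os.symlink(out, os.path.join(ws, "link"))
    env = {"CLAUDE_GUARD_WORKSPACE_GUARD": "on", "CLAUDE_GUARD_ALLOWED_ROOTS": ws}
    paths = [ws + "/src/a.py", ws + "/../other/x", ws + "/link/x", "~/.ssh/id_rsa"]
    audit = []
    return [evaluate({"tool": "Read", "path": p}, env, audit) for p in paths], audit
```

Because every path is resolved before comparison, the `..` traversal and the in-workspace symlink are both denied by the workspace guard, while the SSH key is stopped earlier by the path guard.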
Available Overrides — Fine-Tune Per Session
You can override default settings with environment variables:
CLAUDE_GUARD_NETWORK_GUARD=on # Force-enable network guard
CLAUDE_GUARD_PATH_GUARD=off # Disable path protection
CLAUDE_GUARD_WORKSPACE_GUARD=on # Enable workspace restriction
CLAUDE_GUARD_ALLOWED_ROOTS="path1:path2" # Set allowed directories
This aligns with our March 26 article "How to Deploy Claude Code at Scale," which covered MCPs, skills, and user management. Claude Guard provides the security layer for deployment at that scale.
Why This Matters Now
With Claude Code surpassing 100,000 GitHub stars (March 25, 2026) and increased adoption in production workflows, security becomes critical. Claude Guard addresses the fundamental tension: you want agents to have the access they need, but nothing more. This is especially important as Claude Code integrates with GitHub (mentioned in 52 prior articles) and competes with GitHub Copilot in the coding assistant space.
Unlike global permission settings, Claude Guard's per-session approach lets you match security to task risk. Review untrusted code with network sandboxing. Run automated fixes with workspace restrictions. Build features with controlled write access.
Try It Today
Install Claude Guard and test it on a non-critical task first. Start with workspace guard to scope a session to a single project directory. Then experiment with network sandboxing. The configuration is session-specific, so you can iterate safely.
This plugin represents a significant step toward production-ready Claude Code usage—giving developers the confidence to delegate more while maintaining control.



