Railguard: The Safer Alternative to --dangerously-skip-permissions in Claude Code

What It Does — Security Without Friction

Railguard solves Claude Code's binary security dilemma. Currently, you either use --dangerously-skip-permissions (zero restrictions) or approve every single tool call manually. Railguard inserts itself between Claude Code and your system, making granular decisions in under 2ms: allow, block, or ask for approval.

Why It Matters — Beyond Simple Pattern Matching

Pattern matching alone is insufficient. Claude can evade basic rules by:

• Base64-encoding commands
• Writing helper scripts
• Chaining pipes to obscure intent

Railguard uses OS-level sandboxing (sandbox-exec on macOS, bwrap on Linux) that resolves what actually executes at the kernel level, regardless of how the command was constructed.

Context-Aware Decisions

The same command gets different treatment based on context:

• rm dist/bundle.js inside your project → allowed
• rm ~/.bashrc → blocked

This context awareness extends to file operations:

• Read operations: Detects sensitive paths (~/.ssh, ~/.aws, .env)
• Write operations: Path fencing + content inspection for secrets
• Edit operations: Content inspection on replacements

Memory Safety You Didn't Know You Needed

Claude Code's persistent memory across sessions creates a real attack surface. A misbehaving agent could:

• Exfiltrate secrets into memory
• Inject behavioral instructions for future sessions
• Tamper with existing memories

Railguard classifies every memory write:

• Secrets (API keys, JWTs, private keys) → blocked
• Behavioral instructions ("skip safety checks") → asks you
• Factual content (project info, tech stack) → allowed
• Overwrites of existing memories → asks you
• Deletions → blocked

Every memory write is signed with a content hash, automatically detecting tampering between sessions.

Setup in 2 Commands

cargo install railguard
railguard install

That's it. Keep using Claude Code exactly as before—99% of commands flow through instantly. You only see Railguard when it matters.

Configuring Your Rules

Edit railguard.yaml directly or ask Claude to help. Changes take effect immediately:

blocklist:
  - name: terraform-destroy
    pattern: "terraform\\s+destroy"

approve:
  - name: terraform-apply
    pattern: "terraform\\s+apply"

allowlist:
  - name: terraform-plan
    pattern: "terraform\\s+plan"

Recovery Features

Every file write is snapshotted. You can:

• Roll back one edit
• Roll back N edits
• Roll back an entire session

When To Use It

Use Railguard when you want to:

1. Run Claude Code with fewer interruptions than manual approval
2. Protect sensitive directories without blanket blocking
3. Safely experiment with new Claude Code workflows
4. Collaborate with less technical team members who shouldn't approve every command

Railguard won't close every attack vector, but it covers the gap between "no protection" and "approve everything manually" without changing your workflow.

The Trade-Off

You're adding a layer between Claude Code and your system. While the 2ms decision time is negligible for most workflows, it's still an additional component. However, for developers who regularly use --dangerously-skip-permissions, Railguard provides meaningful security improvements with minimal friction.