Open-source · Rust · MIT

Run your agents
safely in prod.

Secure runtime for Claude Code. Run at full speed while Railguard enforces the guardrails that matter — command blocking, memory safety, path fencing, and recovery.

Without Railguard
Claude wants to run: npm install
Allow? (y/n) y
Claude wants to run: npm run build
Allow? (y/n) y
Claude wants to run: terraform destroy
Allow? (y/n) y
→ VPC + RDS + ECS deleted. 1.9M rows. Gone.

Babysit every command, or skip permissions and risk production.

With Railguard
✓ npm install
✓ npm run build
✓ git add . && git commit
✓ npx prisma migrate deploy
⛔ BLOCKED  terraform destroy
⛔ BLOCKED  drizzle-kit push --force
⛔ BLOCKED  rm -rf /

Safe commands fly through. Dangerous ones never run.

This is awesome and so needed right now. I was going mad because I can't do the babysitting but DSP is kind of wild right now so I'm definitely checking this out and starring it.

Shawntenam, Reddit

This looks really useful! I like how you added OS-level sandboxing and deterministic guardrails instead of relying on LLM-based intent checks — that feels much safer for running autonomous agents.

joaquin_arias, Hacker News

The OS level isolation is really good of course. Just curious if I might want to switch.

jonathanmalkin, Reddit

That's nice work guys.

simosmik, Hacker News

cargo install railguard && railguard install

Six layers.
Production-safe.

What you unlock
Command blocking
Every bash command is evaluated against semantic rules and an OS-level sandbox. Safe commands flow through instantly (<2ms). Dangerous commands are blocked. Risky ones ask for your approval.
Pattern matching + sandbox-exec (macOS) / bwrap (Linux). Catches encoded commands, pipe chains, and helper scripts that would evade pattern matching alone.
Memory safety
Claude Code has persistent memory that carries context across sessions. Railguard guards every memory write — secrets are blocked, behavioral injections are flagged, factual content flows through. Provenance tracking detects tampering.
API keys, JWTs, private keys auto-blocked. Instructions like “skip safety checks” flagged for review. Every write signed with content hash via railguard memory verify.
Path fencing
Restrict which files and directories the agent can access. Sensitive paths like ~/.ssh, ~/.aws, ~/.gnupg, and /etc are fenced by default. Add your own in railguard.yaml.
Default fences cover credentials, keys, and system config. Fully customizable per-project in railguard.yaml.
Multi-agent
Run multiple Claude Code sessions in the same repo. Railguard locks files per session so agents don't clobber each other. Locks self-heal if a session dies.
Locks auto-expire after 60s with PID verification. Run railguard locks to see all active locks across sessions.
Dashboard & replay
Watch every tool call across all sessions in real time, or browse what any session did after the fact. Structured JSON traces for your observability stack.
railguard dashboard for live view. railguard replay --session <id> for history. Search, filter, and expand any action.
Recovery
Every file write is snapshotted before execution. Undo the last edit, undo the last N edits, or undo an entire session. One command: railguard rollback.
Instant, atomic rollback. Works for files, config edits, and more.
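
The path fencing feature above comes down to one question: does a requested path resolve into a fenced directory? The following is an added example, not Railguard's own code; the function names and the `/home/dev` layout are assumptions, and only the four default fences come from this page.

```rust
use std::path::{Component, Path, PathBuf};

// Default fences named on this page. HOME and the working directory are passed in
// (assumed values) so the check is deterministic and needs no filesystem access.
pub const DEFAULT_FENCES: &[&str] = &["~/.ssh", "~/.aws", "~/.gnupg", "/etc"];

/// Expand a leading `~` and resolve `.` / `..` lexically.
/// Symlinks are NOT resolved here; a real enforcer would also canonicalize existing
/// paths or rely on the OS sandbox for that case.
pub fn normalize(raw: &str, home: &Path, cwd: &Path) -> PathBuf {
    let expanded = match raw.strip_prefix("~/") {
        Some(rest) => home.join(rest),
        None if raw == "~" => home.to_path_buf(),
        None => cwd.join(raw), // join() keeps `raw` unchanged when it is already absolute
    };
    let mut out = PathBuf::new();
    for part in expanded.components() {
        match part {
            Component::ParentDir => { out.pop(); } // pop() at the root is a no-op
            Component::CurDir => {}
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// True when `raw` resolves to a fenced directory or anything beneath it.
/// Path::starts_with compares whole components, so `/etcetera` does not match `/etc`.
pub fn is_fenced(raw: &str, home: &Path, cwd: &Path) -> bool {
    let target = normalize(raw, home, cwd);
    DEFAULT_FENCES.iter().any(|f| target.starts_with(normalize(f, home, cwd)))
}

fn main() {
    let (home, cwd) = (Path::new("/home/dev"), Path::new("/home/dev/project"));
    // Constructed sample paths.
    for p in ["src/main.rs", "~/.ssh/id_ed25519", "../.aws/credentials", "/etcetera/notes"] {
        println!("{:<24} fenced={}", p, is_fenced(p, home, cwd));
    }
}
```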

Up in
60 seconds.

01
Install
One command: cargo install railguard. Railguard registers hooks with Claude Code, configures the sandbox, and loads the default policy.
02
Configure
Drop a railguard.yaml in your project. Define blocklists, allowlists, and approval rules. Changes take effect instantly — no restart.
03
Ship with confidence
Use claude --dangerously-skip-permissions knowing Railguard has your back. Run multiple sessions. Ship faster. Nothing dangerous gets through.
railguard — zsh
# install in one line
$ cargo install railguard
$ railguard install
✓ hooks registered with Claude Code
✓ sandbox shell configured
✓ policy loaded · railguard.yaml

# now run with full autonomy
$ claude --dangerously-skip-permissions

✓ npm install && npm run build
✓ git add . && git commit
⛔ BLOCKED terraform destroy
  rule: destructive-infra · railguard.yaml:14
✓ 241 actions · 1 blocked · 0 incidents
Works with
Claude Code
Codex — coming soon
Kiro — coming soon

Frequently asked questions

How do I run Claude Code safely in production?

Install Railguard. It intercepts every Claude Code action before it executes — safe commands fly through instantly, dangerous commands like terraform destroy or rm -rf are blocked. You get the speed of --dangerously-skip-permissions without the risk.

Is Railguard a sandbox?

No. Sandboxes restrict where your agent can work — they limit file access, network, and tools. Railguard only restricts what commands your agent can run. Your agent keeps full access to your project, your tools, and your workflow. It just can't run the commands that would destroy production.

What does --dangerously-skip-permissions do in Claude Code?

It skips all permission checks, letting Claude Code execute any command without asking for approval. It's fast, but it means destructive commands like terraform destroy or DROP TABLE run without any safety net. Railguard makes this flag safe to use.

What commands does Railguard block?

Railguard blocks whatever you configure in railguard.yaml. Common blocklist entries include terraform destroy, rm -rf, DROP TABLE, push --force, and drizzle-kit push --force. You can also flag commands for manual approval.
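
A three-way verdict (allow, ask, block) over chained commands, as an added example that is not Railguard's code or its railguard.yaml schema. The `Rule` type and the `terraform apply` approval rule are assumptions; the block entries are the ones listed in the answer above. It covers the pattern-matching layer only, which the page pairs with an OS-level sandbox.

```rust
// Added illustration: not Railguard's implementation or its railguard.yaml schema.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Verdict { Allow, Ask, Block } // declared in order of severity

/// Hypothetical rule: tokens that must appear contiguously inside one command segment.
pub struct Rule { pub tokens: &'static [&'static str], pub verdict: Verdict }

// Block entries come from the blocklist examples on this page; the Ask rule is constructed.
pub const RULES: &[Rule] = &[
    Rule { tokens: &["terraform", "destroy"], verdict: Verdict::Block },
    Rule { tokens: &["rm", "-rf"], verdict: Verdict::Block },
    Rule { tokens: &["drop", "table"], verdict: Verdict::Block },
    Rule { tokens: &["push", "--force"], verdict: Verdict::Block },
    Rule { tokens: &["terraform", "apply"], verdict: Verdict::Ask },
];

/// Split on `&&`, `||`, `;` and `|` so every chained command is judged on its own.
/// Quoting is not parsed; that is a simplification of this example.
fn segments(cmd: &str) -> Vec<String> {
    cmd.replace("&&", "\n").replace("||", "\n").replace(';', "\n").replace('|', "\n")
        .lines().map(|s| s.trim().to_string()).filter(|s| !s.is_empty()).collect()
}

/// Return the most severe verdict triggered by any segment of the command line.
pub fn evaluate(cmd: &str) -> Verdict {
    let mut worst = Verdict::Allow;
    for seg in segments(cmd) {
        // Lowercase and strip surrounding quotes so `"DROP TABLE ..."` still matches.
        let toks: Vec<String> = seg.split_whitespace()
            .map(|t| t.trim_matches(|c: char| c == '"' || c == '\'').to_lowercase())
            .collect();
        for rule in RULES {
            let hit = toks.windows(rule.tokens.len())
                .any(|w| w.iter().zip(rule.tokens).all(|(a, b)| a.as_str() == *b));
            if hit { worst = worst.max(rule.verdict); }
        }
    }
    worst
}

fn main() {
    // Constructed sample commands, modelled on the demo shown on this page.
    for cmd in ["npm install && npm run build", "npm test; terraform destroy",
                "git push --force", "terraform apply"] {
        println!("{:?}\t{}", evaluate(cmd), cmd);
    }
}
```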

Does Railguard work with agents other than Claude Code?

Railguard currently works with Claude Code via its native hooks system. Support for OpenAI Codex and Kiro is coming soon.

Does Railguard add latency?

Under 2ms per command. 99% of commands execute instantly. Railguard runs on-device — nothing leaves your machine, no network calls, no cloud dependency.

Ship faster.
Break nothing.

MIT Licensed
Written in Rust
On-device
Free forever