--dangerously-skip-permissions is all-or-nothing. Either you approve every tool call by hand, or Claude runs with zero restrictions. I wanted a middle ground.

Railguard hooks into Claude Code and intercepts every tool call and decides in under 2ms: allow, block, or ask.

  cargo install railguard                                                                                                                                                                                                                         
  railguard install
It comes with sane configs preinstalled. You keep using Claude exactly as before. 99% of commands flow through instantly. You only see Railguard when it matters.

What it actually does beyond pattern matching and sandboxing:

  - OS-level sandbox (sandbox-exec on macOS, bwrap on Linux). Agents can base64-encode commands, write helper scripts, chain pipes to evade regex rules. The sandbox resolves what actually executes at the kernel level.   
                      
  - Context-aware decisions. rm dist/bundle.js inside your project is fine. rm ~/.bashrc is not. Same command, different decision.

  - Memory safety. Claude Code has persistent memory across sessions — a real attack surface. Railguard classifies every memory write, blocks secrets from being exfiltrated, flags behavioral injection, and detects tampering between sessions. 

  - Recovery. Every file write is snapshotted. Roll back one edit, N edits, or an entire session.
It won't close every vector of attack. But it covers the gap between "no protection" and "approve everything manually" without changing your workflow.

Rust, MIT, single YAML config file. Happy to talk architecture or trade-offs.