So we built a runtime to make autonomous use safer. Railyard is an open-source runtime that sits between Claude Code and the shell and adds guardrails to agent commands.
Every command Claude runs goes through Railyard first. Most commands pass straight through. The ones that could cause damage (for example terraform destroy) get blocked or require approval.
Under the hood it runs commands inside an OS-level sandbox (sandbox-exec on macOS and bwrap on Linux) and applies deterministic rules. There’s no LLM scoring commands or guessing about intent — a command either matches a rule or it doesn’t. The check takes about 2ms.
By default it blocks destructive commands like terraform destroy or rm -rf, prevents access to sensitive paths like ~/.ssh, ~/.aws, and /etc, restricts certain network calls, and catches simple evasion tricks like base64, hex, or variable obfuscation.
It also snapshots file writes so you can roll back a session if something goes wrong.
In practice this lets us run Claude Code with --dangerously-skip-permissions, but with guardrails underneath so we can move fast without breaking or deleting production assets.
We built this because we wanted Claude Code to behave more like a software factory. Factories run at high volume, but only because the production line has quality and safety checks. Railyard is the guardrail layer that makes that possible for us.
Repo: https://github.com/railyarddev/railyard
It's MIT licensed and free to use. If you're experimenting with autonomous agents, feel free to clone it and try it out. I'm especially curious how people push or break these guardrails.
Happy to answer any questions about how it works.
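The deterministic matching described in the post, shown as an added example that is not part of the original post and is not Railyard's code: each command is checked as written and again after decoding base64/hex tokens and expanding simple variable assignments, and it either matches a rule or it doesn't. The rule names, patterns and function names are assumptions made for illustration.

```python
import base64
import re

# Hypothetical deny rules modelled on the defaults the post lists.
# Assumption: this is not Railyard's rule format or code.
DENY_COMMANDS = {
    "terraform-destroy": re.compile(r"\bterraform\s+destroy\b"),
    # rm with a flag group containing both r/R and f (-rf, -fr, -Rf ...)
    "rm-recursive-force": re.compile(r"\brm\s+-(?=\w*[rR])(?=\w*f)\w+"),
}
SENSITIVE_PATHS = ("~/.ssh", "~/.aws", "/etc")
ENCODED_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
DECODERS = (lambda t: base64.b64decode(t, validate=True), bytes.fromhex)

def expand_vars(command):
    """Substitute simple NAME=value assignments into $NAME / ${NAME} uses."""
    env = dict(re.findall(r"\b([A-Za-z_]\w*)=([^\s;]+)", command))
    return re.sub(r"\$\{?([A-Za-z_]\w*)\}?",
                  lambda m: env.get(m.group(1), m.group(0)), command)

def decoded_views(command):
    """Yield the command, then any text recovered from base64 or hex tokens."""
    yield command
    for token in ENCODED_TOKEN.findall(command):
        for decode in DECODERS:
            try:
                text = decode(token).decode("utf-8")
            except ValueError:  # bad padding, non-hex input, or not UTF-8
                continue
            yield text

def check(command):
    """Return ("block", rule) on the first rule hit, else ("allow", None)."""
    for view in decoded_views(command):
        view = expand_vars(view)
        for name, rule in DENY_COMMANDS.items():
            if rule.search(view):
                return ("block", name)
        for path in SENSITIVE_PATHS:
            # Match the path only as a whole component, so /etcetera passes.
            pattern = r"(?<![\w.-])" + re.escape(path) + r"(?![\w.-])"
            if re.search(pattern, view):
                return ("block", "path:" + path)
    return ("allow", None)

if __name__ == "__main__":
    # Constructed sample commands, not taken from Railyard.
    hidden = base64.b64encode(b"terraform destroy").decode()
    for cmd in ("git status", "cat ~/.ssh/id_rsa", f"echo {hidden} | base64 -d | sh"):
        print(check(cmd), cmd)
```

String matching of this kind only sees what is on the command line, which is why the post pairs the rules with an OS-level sandbox.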
joaquin_arias•1h ago
Curious: have you tried integrating this with multi-agent setups, where multiple Claude Code instances interact? I wonder how the guardrails would scale when agents start triggering each other’s commands.
Also, do you have plans for a lightweight visualization dashboard for monitoring blocked vs allowed commands in real time? It could help developers trust the system more quickly.
LunarFrost88•27m ago
>> have you tried integrating this with multi-agent setups, where multiple Claude Code instances interact?
We wanted to solve for the most frequent use case first (single-agent execution), but multi-agent is definitely on the cards. If you've got some use cases in mind, let me know and we'll apply Railyard to them.