Show HN: Railguard – A safer –dangerously-skip-permissions for Claude Code

https://github.com/railyard-dev/railguard

1•LunarFrost88•1h ago

--dangerously-skip-permissions is all-or-nothing. Either you approve every tool call by hand, or Claude runs with zero restrictions. I wanted a middle ground.

Railguard hooks into Claude Code and intercepts every tool call and decides in under 2ms: allow, block, or ask.

  cargo install railguard                                                                                                                                                                                                                         
  railguard install

It comes with sane configs preinstalled. You keep using Claude exactly as before. 99% of commands flow through instantly. You only see Railguard when it matters.

What it actually does beyond pattern matching and sandboxing:

  - OS-level sandbox (sandbox-exec on macOS, bwrap on Linux). Agents can base64-encode commands, write helper scripts, chain pipes to evade regex rules. The sandbox resolves what actually executes at the kernel level.   
                      
  - Context-aware decisions. rm dist/bundle.js inside your project is fine. rm ~/.bashrc is not. Same command, different decision.

  - Memory safety. Claude Code has persistent memory across sessions — a real attack surface. Railguard classifies every memory write, blocks secrets from being exfiltrated, flags behavioral injection, and detects tampering between sessions. 

  - Recovery. Every file write is snapshotted. Roll back one edit, N edits, or an entire session.

It won't close every vector of attack. But it covers the gap between "no protection" and "approve everything manually" without changing your workflow.

Rust, MIT, single YAML config file. Happy to talk architecture or trade-offs.

Comments

LunarFrost88•1h ago

I'm the author, AMA!

In search of Banksy, Reuters found the artist took on a new identity

Amazon Owes New York City Almost $10M in Fines over Idling Vehicles

China Has Five-Minute EV Charging. America Is Trying to Catch Up

Ask HN: What Are You Reading? (Mar 2026)

Claude Chief of Staff

Show HN: Turn your OpenAPI document to an MCP server in ~1000 tokens and 3 tools

Asteroids and meteorites may have delivered the building blocks for life

MinRLM: A Token-Efficient Recursive Language Model Implementation and Benchmark

Show HN: Soul Protocol – an open standard for portable AI identity

OpenAI courts private equity to join enterprise AI venture

Slug Text Rendering Algorithm Dedicated to Public Domain

Miami, Tokyo, Zurich top UBS housing bubble risk

Nvidia Hits $1T Order Backlog Through 2027

Hacking the System in a Moral Panic: We Need to Talk

Huckle: Detect operational problems 30–90 days before they appear in metrics

Show HN: A minimalist dungeon-crawler card game built with Deno

Missiles a Month vs. 7 Interceptors – Why Centcom Shifted to Factories

Toaster Settings: AI Agents and Classical French Cooking Techniques [video]

The Sky Tonight

Padel Chess – tactical simulator for padel

How OpenClaw's Memory System Works

Show HN: Build a knowledge graph from unstructured text in Python

I built a free site that can tell you if your hardware can run a model

PgBeam, a globally distributed PostgreSQL proxy

Words on Words on Words

Syntaqlite: High-fidelity devtools that SQLite deserves

Show HN: Flotilla – An orchestrator for persistent agent fleets on Apple Silicon

Show HN: I can no longer afford the silicon. Here is my autonomous HPC agent

When Science Goes Agentic

Java 26 is here, and with it a solid foundation for the future