Guardrails for Claude Code

Claude Code can run shell commands, modify files, and interact with external services. That power needs boundaries. Guardrails aren't about distrusting the tool — they're about building the same safety nets you'd put around any automated system with access to your production environment.

Permission modes

Claude Code has built-in permission controls that determine what it can do without asking:

  • Ask mode (default) — Claude Code asks permission before running commands, writing files, or accessing the network. Good for getting started and for sensitive environments.
  • Auto-allow mode — Pre-approve specific categories of actions (like reading files or running tests) while still requiring approval for others (like installing packages or deploying).
  • Full auto mode — Claude Code runs without prompts. Only use this in sandboxed CI/CD environments where the blast radius is contained.

CLAUDE.md as a guardrail

Your project's CLAUDE.md file is the most important guardrail. Claude Code reads it before every session and follows its instructions. Use it to set explicit boundaries:

# Rules
- Never force-push to any branch
- Never modify files in /config/production/
- Never run database migrations without explicit user confirmation
- Always run tests before committing
- Never commit .env files or secrets
- Stop and ask if a change affects more than 10 files

These rules are respected because Claude Code treats CLAUDE.md as authoritative project instructions. They're not foolproof — they're behavioural guidance, not hard technical constraints — but they're highly effective in practice.

Git hooks as hard constraints

For constraints that must be enforced technically, use git hooks:

  • Pre-commit hooks — Run linting, type checking, and secret scanning. Claude Code's commits go through these just like human commits.
  • Pre-push hooks — Prevent pushes to protected branches. This catches accidental pushes regardless of who (or what) made them.
  • Commit-msg hooks — Enforce commit message formats and require Co-Authored-By trailers for AI-assisted commits.
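The three hooks above, worked into one shared hook library as an added example (this is not code from the original page or from Anthropic). The protected branch names, the config/production/ path, the secret signatures and the commit subject format are assumptions a repository would adapt; the point is that every check is a plain function fed from stdin or a file, so the same rule applies to a commit made by Claude Code and to one made by a person.

```shell
#!/bin/sh
# guardrails.sh: hook logic shared by the pre-commit, commit-msg and pre-push hooks.
# Each hook file is a short wrapper that sources this file and calls one function.
# (Added example; branch names, paths and patterns below are assumptions.)

# Secret signatures to block at commit time: AWS access key ids, PEM private
# keys, and assignments of long literals to api_key / secret_key style names.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api|secret)_?key[[:space:]]*[:=][[:space:]]*[A-Za-z0-9/+_-]{16,}'

# True when a ref (refs/heads/main or plain main) names a protected branch.
is_protected_branch() {
    case "${1#refs/heads/}" in
        main|master|release/*) return 0 ;;
        *) return 1 ;;
    esac
}

# pre-push: git feeds "<local_ref> <local_sha> <remote_ref> <remote_sha>" lines
# on stdin. Refuse the push if any line targets a protected remote branch; this
# also covers deletions, which arrive with "(delete)" as the local ref.
check_push() {
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ -n "$remote_ref" ] || continue
        if is_protected_branch "$remote_ref"; then
            echo "pre-push: refusing to push to protected branch $remote_ref" >&2
            return 1
        fi
    done
    return 0
}

# pre-commit (part 1): staged paths on stdin; reject env files and anything under
# the protected production config directory. Every offending path is reported
# before the function fails, so one run shows the whole problem.
check_staged_paths() {
    status=0
    while read -r path; do
        case "$path" in
            .env|.env.*|*/.env|*/.env.*)
                echo "pre-commit: env file must not be committed: $path" >&2; status=1 ;;
            config/production/*)
                echo "pre-commit: protected production config: $path" >&2; status=1 ;;
        esac
    done
    return $status
}

# pre-commit (part 2): staged added lines on stdin; fail on any secret signature.
scan_for_secrets() {
    if grep -Eiq "$SECRET_PATTERNS"; then
        echo "pre-commit: possible secret in staged changes" >&2
        return 1
    fi
    return 0
}

# commit-msg: $1 is the file holding the proposed message. Require a
# conventional-commit style subject and a Co-Authored-By trailer.
check_commit_msg() {
    if ! head -n 1 "$1" | grep -Eq '^(feat|fix|docs|chore|refactor|test)(\([^)]+\))?: .+'; then
        echo "commit-msg: subject must look like 'type(scope): summary'" >&2
        return 1
    fi
    if ! grep -Eiq '^Co-Authored-By: .+<.+@.+>' "$1"; then
        echo "commit-msg: missing Co-Authored-By trailer" >&2
        return 1
    fi
    return 0
}
```

Each hook then becomes a wrapper: pre-push sources the library and runs check_push, commit-msg runs check_commit_msg "$1", and pre-commit pipes "git diff --cached --name-only --diff-filter=ACM" into check_staged_paths and the added lines of "git diff --cached" into scan_for_secrets. Hooks under .git/hooks are not versioned, so keep the wrappers in a tracked directory and point "git config core.hooksPath" at it; that way the constraint travels with the repository rather than with one developer's checkout.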

File and directory protection

Some files should never be touched by automated tools:

  • Environment files — .env, credentials, API keys. Use .gitignore and CLAUDE.md rules to keep these off-limits.
  • Production config — Infrastructure-as-code files, deployment configs, and production database schemas deserve extra protection.
  • Legal and compliance — Licence files, privacy policies, terms of service. These need human authorship and review.

Network access controls

Claude Code can make network requests if allowed. In sensitive environments:

  • Restrict which domains Claude Code can access
  • Block access to production APIs from development sessions
  • Use environment-specific API keys that only have access to dev/staging resources

Approval workflows for autonomous agents

When Claude Code runs autonomously (in CI/CD or headless mode), human approval should gate actions with significant impact:

  • PR creation — Autonomous agents create draft PRs. A human promotes them to "ready for review".
  • Deployment — Agents can prepare deployments but shouldn't execute them without human sign-off.
  • External notifications — Agents shouldn't send emails, Slack messages, or create issues without approval.

Monitoring for guardrail violations

Guardrails are only as good as your ability to detect when they're breached:

  • Log all Claude Code actions in a central, tamper-resistant store
  • Set up alerts for attempts to access restricted files or run prohibited commands
  • Review session transcripts periodically, especially for autonomous sessions
  • Track guardrail "near misses" — cases where Claude Code asked permission for something it shouldn't have attempted
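The detection side of this list, as an added example that is not part of the original page: shell filters run over a small action log. The log format and its session ids are constructed for the example, and the restricted-path and prohibited-command patterns are assumptions that mirror the CLAUDE.md rules shown earlier; a real Claude Code transcript would need its own extraction step before these filters apply.

```shell
#!/bin/sh
# Detection over an action log. The format below is constructed for this example:
# one line per tool call with session, tool, the path or command, and whether
# Claude Code was allowed, denied, or stopped to ask.
SAMPLE_LOG='2025-01-15T10:02:11Z session=s1 tool=Read path=src/app.py status=allowed
2025-01-15T10:02:40Z session=s1 tool=Bash cmd="npm test" status=allowed
2025-01-15T10:03:05Z session=s1 tool=Edit path=config/production/db.yaml status=denied
2025-01-15T10:03:30Z session=s1 tool=Bash cmd="git push --force origin main" status=asked
2025-01-15T10:04:02Z session=s2 tool=Read path=.env status=denied
2025-01-15T10:04:10Z session=s2 tool=Bash cmd="git commit -m fix" status=allowed'

# Paths the CLAUDE.md rules declare off-limits, and commands they forbid outright
# (assumed patterns; extend them with the rules in your own CLAUDE.md).
RESTRICTED_PATH_RE='path=(config/production/|\.env([. ]|$))'
PROHIBITED_CMD_RE='cmd="[^"]*(git push[^"]*( -f| --force)|rm -rf|DROP TABLE)'

# Print each log line (stdin) that touched a restricted path or ran a prohibited command.
flag_violations() {
    grep -E "$RESTRICTED_PATH_RE|$PROHIBITED_CMD_RE" || true
}

# Count flagged lines; the number an alerting rule would threshold on.
count_violations() {
    flag_violations | grep -c . || true
}

# Near misses: prohibited actions Claude Code stopped to ask about rather than
# executing. Tracked separately because a rising count means the rules are being
# tested more often even though nothing was breached.
count_near_misses() {
    flag_violations | grep -c 'status=asked' || true
}

# Sessions whose transcripts deserve a human review, one id per line.
sessions_to_review() {
    flag_violations | sed -n 's/.*session=\([^ ]*\).*/\1/p' | sort -u
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_violations
echo "violations:  $(printf '%s\n' "$SAMPLE_LOG" | count_violations)"
echo "near misses: $(printf '%s\n' "$SAMPLE_LOG" | count_near_misses)"
echo "review:      $(printf '%s\n' "$SAMPLE_LOG" | sessions_to_review | tr '\n' ' ')"
```

In production the same filters would run where the central store is queried rather than over a local variable, but the split is the useful part: denied actions confirm the guardrail worked, asked actions show where it is being tested, and either kind puts the session on the review list.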

Regulated environments

If your business operates in a regulated industry (finance, healthcare, government), additional considerations apply:

  • Data residency — Understand where your code is being sent for processing. Anthropic's API processes data in specific regions.
  • IP and licensing — Establish clear policies on AI-generated code ownership.
  • Audit requirements — Full session transcripts satisfy most audit trail requirements, but verify with your compliance team.
  • Separation of duties — AI-authored code should be reviewed by someone other than the person who prompted it.

Next steps

Guardrails pair with centralised logging for visibility and AgentOps for governance at scale. See Best Practices for the broader quality framework.