Developer Tools●●Solid
Run Claude Code with –dangerously-skip-permissions in a Docker sandbox
Docker sandbox for Claude Code's dangerous flag when Anthropic won't let you run it bare.
Solve My ProblemShip It
sayil
222mo ago
Back to browse
GitHub Repository
Safe runtime for Claude Code, built to be yours.
40 starsRust
Railguard – A safer –dangerously-skip-permissions for Claude Code
by LunarFrost88·Mar 17, 2026·1 point·3 comments
AI Analysis
●●●BangerSolve My ProblemSlickDark Horse
OS-level sandboxing blocks base64 evasion when pattern matching alone fails.
Strengths
- •sandbox-exec and bwrap prevent evasion tactics that regex pattern matching cannot catch
- •Context-aware rules allow same command with different decisions based on file path
- •Covers all Claude Code tool types including Read, Write, Edit, Memory not just Bash
Weaknesses
- •No Windows support since sandbox-exec is macOS-only and bwrap is Linux-only
- •Claude Code-specific implementation won't work with other AI coding agents
Category
Target Audience
Developers using Claude Code who want safer --dangerously-skip-permissions
Similar To
Aider's permission system · Cursor's tool restrictions
Post Description
--dangerously-skip-permissions is all-or-nothing. Either you approve every tool call by hand, or Claude runs with zero restrictions. I wanted a middle ground.
Railguard hooks into Claude Code and intercepts every tool call and decides in under 2ms: allow, block, or ask.
cargo install railguard railguard install
It comes with sane configs preinstalled. You keep using Claude exactly as before. 99% of commands flow through instantly. You only see Railguard when it matters.What it actually does beyond pattern matching and sandboxing:
- OS-level sandbox (sandbox-exec on macOS, bwrap on Linux). Agents can base64-encode commands, write helper scripts, chain pipes to evade regex rules. The sandbox resolves what actually executes at the kernel level. - Context-aware decisions. rm dist/bundle.js inside your project is fine. rm ~/.bashrc is not. Same command, different decision.
- Memory safety. Claude Code has persistent memory across sessions — a real attack surface. Railguard classifies every memory write, blocks secrets from being exfiltrated, flags behavioral injection, and detects tampering between sessions.
- Recovery. Every file write is snapshotted. Roll back one edit, N edits, or an entire session.
It won't close every vector of attack. But it covers the gap between "no protection" and "approve everything manually" without changing your workflow.Rust, MIT, single YAML config file. Happy to talk architecture or trade-offs.
Similar Projects
Developer Tools●●Solid
Run Claude Code autonomously inside your Docker Compose stack (OSS)
Auto-detects docker-compose.yml so agents can test against real database dependencies.
Solve My ProblemSlick
sayil
802mo ago
Developer Tools●Mid
Kelos – Run Claude –dangerously-skip-permissions on Kubernetes
Self-dogfooding via 24/7 agent tasks on Kelos itself; solid but unproven at scale.
Bold Bet
gjkim042
213mo ago
Infrastructure●●●Banger
Axon – Safely run claude --dangerously-skip-permissions on Kubernetes
Kubernetes operator for autonomous AI agents—orchestrates Claude Code, Gemini, Codex as isolated, event-driven jobs.
WizardryBig BrainSolve My Problem
gjkim042
103mo ago
Developer Tools●Mid
Secure Agent Starter – A minimal template for building safer AI agents
Capability tokens + action firewall template, but wrapped in aggressive ACTTOKENS.COM enterprise SaaS marketing.
Ship It
timbucto2
223mo ago
Security●●Solid
Samma Suit – 8 enforced security layers for AI agents (open source)
Eight enforced security layers for AI agents, but unclear if this beats custom middleware for most teams.
Niche GemBold Bet
jbwagoner
103mo ago