Claude Code's --dangerously-skip-permissions flag does what it says on the tin: it lets the AI agent run shell commands without asking you first. Fast, but risky. Railyard, a new open-source project released today, tries to split the difference - giving Claude Code autonomous execution while blocking the commands that could actually wreck your system.
How It Works
Railyard is a Rust-based runtime that hooks into Claude Code's tool execution pipeline. Every command Claude tries to run passes through Railyard first, which applies deterministic rule matching (not another LLM call) to sort commands into three buckets:
- Allow: passes through instantly, under 2ms latency
- Block: denied outright (things like rm -rf, terraform destroy, access to ~/.ssh or ~/.aws)
- Approve: flagged for human confirmation before executing
The sandboxing happens at the OS level using sandbox-exec on macOS and bwrap (Bubblewrap) on Linux. This is kernel-level isolation, not application-level filtering that a clever prompt could bypass. Railyard also detects evasion attempts like base64-encoded commands or hex-obfuscated payloads.
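To make the three-bucket matching and the base64 evasion check concrete, here is a small sketch in Python. It is an added illustration, not Railyard's code or its railyard.yaml rule format. The patterns, the allow-by-default fallback, and every name in it are assumptions.

```python
import base64
import binascii
import re

# Hypothetical rules for illustration; not Railyard's defaults or its railyard.yaml schema.
BLOCK = [re.compile(p) for p in (
    r"\brm\s+-(rf|fr)\b",
    r"\bterraform\s+destroy\b",
    r"(~|\$HOME)/\.(ssh|aws)\b",
)]
APPROVE = [re.compile(p) for p in (
    r"\bterraform\s+apply\b",
    r"\bgit\s+push\b.*--force\b",
)]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
RANK = {"allow": 0, "approve": 1, "block": 2}
# Constructed sample payload: a blocked command hidden behind base64.
HIDDEN = base64.b64encode(b"rm -rf /srv/data").decode()


def decoded_payloads(command):
    """Yield text recovered from base64-looking tokens in the command."""
    for token in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # long path, hash or other non-base64 text
        yield text


def classify(command, depth=2):
    """Return 'block', 'approve' or 'allow' using regex matching only."""
    if any(p.search(command) for p in BLOCK):
        return "block"
    # Assumption: commands that match no rule are allowed.
    verdict = "approve" if any(p.search(command) for p in APPROVE) else "allow"
    if depth > 0:
        # Re-run the same rules on decoded content; the strictest verdict wins.
        for inner in decoded_payloads(command):
            verdict = max(verdict, classify(inner, depth - 1), key=RANK.get)
    return verdict


if __name__ == "__main__":
    for cmd in ("cargo test", "terraform apply", "cat ~/.aws/credentials",
                f"echo {HIDDEN} | base64 -d | sh"):
        print(f"{classify(cmd):8} {cmd}")
```

String matching of this kind is only the first layer; the OS-level sandbox described above is what still applies when a command slips past the patterns.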
One feature that stands out: file write snapshots. Railyard captures the state of files before Claude modifies them, letting you roll back an entire session if something goes sideways. For anyone who's had an AI agent cheerfully refactor half their codebase in the wrong direction, that's a practical safety net.
Installation and Setup
Setup is three commands:
cargo install --git https://github.com/railyarddev/railyard.git
railyard install
The install step registers hooks with Claude Code, initializes the shell sandbox, and injects constraints into your CLAUDE.md file. After that, you use Claude Code exactly as before - Railyard is transparent unless it blocks something.
Rules are configurable through a railyard.yaml file with regex-based pattern matching, so you can whitelist commands specific to your workflow (like terraform apply if you actually need it) while keeping the defaults for everything else.
The project is MIT-licensed, built by a small team, and currently at v0.1.0 with 141 passing tests. It only supports macOS and Linux for now - no Windows support. Given that Claude Code's autonomous mode is where most of its power (and risk) lives, a lightweight guardrail layer like this fills a real gap. The 2ms overhead on allowed commands means you're not trading speed for safety.