Requires Touch ID (or Mac password) before Claude runs irreversible destructive commands: rm -rf, DROP/TRUNCATE, git reset --hard / push --force, terraform destroy, and more. Fail-closed, audited.
A Claude Code plugin (macOS) that requires Touch ID — or your Mac account password — before Claude runs an irreversible destructive command. It exists because AI coding agents have wiped home directories, production databases, and whole projects (Claude Code, Replit, Gemini CLI — see the design spec). Every other guardrail is something the model can satisfy or skip on its own; a fingerprint is proof a human is physically present.
Filesystem: rm -rf, deletes that expand to ~ or /, deletes above the project, glob wipes, find -delete, dd, mkfs, truncate, shred.
Database: DROP DATABASE/TABLE/SCHEMA, TRUNCATE, DELETE without WHERE, redis FLUSHALL/FLUSHDB.
Git: reset --hard, clean -fd, push --force, branch -D, discarding checkout/restore.
Cloud/infra: aws s3 rm --recursive, terraform destroy, kubectl delete, docker system prune -a, gcloud/az ... delete.
A PreToolUse hook inspects each Bash command (after expanding ~/vars/globs the way the shell would). On a match it invokes a tiny Swift binary using macOS LocalAuthentication: Touch ID first, Mac password fallback in the same OS dialog. Success → the command runs. Failure, cancel, or a headless session (SSH/CI) → blocked (fail-closed). Every decision is logged to ~/.claude/touchid-guard/audit.log.
At session start:
[touchid-guard] active. Destructive commands (rm -rf, DROP/TRUNCATE,
git reset --hard/push --force, terraform destroy, etc.) require Touch ID
or your Mac password before they run.
When Claude tries a destructive command, a macOS Touch ID dialog appears ("touch the sensor, or enter your password"). Approve it and the command runs; the dialog is a secure system overlay, so it can't be shown in a screenshot here.
If you cancel, or there's no Touch ID available (e.g. over SSH), it's blocked and Claude is told why:
Blocked by touchid-guard (filesystem): rm -rf ~/ — targets your home
directory. Fingerprint/password not verified; a human must run this manually.
Every decision lands in ~/.claude/touchid-guard/audit.log (one JSON object per line):
{"tool": "Bash", "command": "rm -rf ~/", "category": "filesystem", "reason": "rm -rf ~/ — targets your home directory", "decision": "allowed", "ts": "2026-05-28T00:22:16-06:00"}
{"tool": "Bash", "command": "psql -c \"DROP DATABASE prod\"", "category": "database", "reason": "DROP database/schema/table", "decision": "blocked", "ts": "2026-05-28T00:23:03-06:00"}
From inside Claude Code:
/plugin marketplace add CantinaDigital/touchid-guard
/plugin install touchid-guard@touchid-guard
Restart the session so the hooks load. On first start the plugin compiles the Touch ID
helper; you'll see a [touchid-guard] active line.
To run it straight from a clone without the marketplace:
claude --plugin-dir /path/to/touchid-guard
Edit config.json. Set "mode": "report" to log what would be gated without blocking,
so you can tune rules first. Add routine commands to allowlist to skip the prompt. Entries
are per-segment, fully-anchored regexes (re.fullmatch), so each must match a whole command
segment — e.g. "rm -rf node_modules/?". Anchoring is deliberate: it stops an allowlisted
segment from suppressing a dangerous sibling in a chained command.
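The hook flow described above (segment splitting, ~ and $VAR expansion, the per-segment re.fullmatch allowlist, fail-closed authentication, report mode, and the one-JSON-object-per-line audit record) as an added, stand-alone Python sketch. This is not touchid-guard's own hook code: the rule set is a small illustrative subset, the reason strings, the "parse" category and the "reported" decision label are this example's own, the PreToolUse stdin/exit-code wiring in main() is an assumption about the hook interface, and the authenticate callable stands in for the plugin's Swift LocalAuthentication helper (here it always denies, as a headless session would).

```python
# Added example, not touchid-guard's own hook code: an illustrative rule subset and an injected authenticator.
import json, os, re, shlex, sys
from datetime import datetime, timezone
SEPARATORS = {";", "&&", "||", "|", "&"}

# Illustrative rules (category, regex, reason); rm needs path analysis and is handled by check_rm.
RULES = [
    ("database", re.compile(r"\bDROP\s+(DATABASE|SCHEMA|TABLE)\b", re.I), "DROP database/schema/table"),
    ("database", re.compile(r"\bDELETE\s+FROM\s+\S+\s*;?\s*$", re.I), "DELETE without WHERE"),
    ("git", re.compile(r"^git\s+(reset\s+--hard|push\b.*--force|clean\s+-\w*f|branch\s+-D\b)"), "git discards history or work"),
    ("cloud", re.compile(r"^(terraform\s+destroy|kubectl\s+delete|aws\s+s3\s+rm\b.*--recursive)"), "destructive cloud/infra command"),
]

def split_segments(command):
    """Split a Bash line on ; && || | & with quotes honoured; raises ValueError on unbalanced quotes."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segments, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    return segments + ([current] if current else [])

def expand(tok, env, home):
    """Expand a leading ~ and $VAR / ${VAR} the way the shell would (quoting nuances ignored)."""
    if tok == "~" or tok.startswith("~/"):
        tok = home + tok[1:]
    return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), ""), tok)

def check_rm(tokens, raw, home, project):
    """Classify rm -rf by where its expanded targets resolve; relative paths resolve against the project dir."""
    if tokens[:1] == ["sudo"]:
        tokens = tokens[1:]
    if tokens[:1] != ["rm"]:
        return None
    short = "".join(t[1:] for t in tokens[1:] if t.startswith("-") and not t.startswith("--"))
    if not (("r" in short.lower() or "--recursive" in tokens) and ("f" in short or "--force" in tokens)):
        return None
    home, project = os.path.normpath(home), os.path.normpath(project)
    for target in (t for t in tokens[1:] if not t.startswith("-")):
        path = os.path.normpath(os.path.join(project, target))
        if path == home:
            return ("filesystem", f"{raw}: targets your home directory")
        if path == "/":
            return ("filesystem", f"{raw}: targets the filesystem root")
        if path != project and not path.startswith(project + os.sep):
            return ("filesystem", f"{raw}: deletes above the project")
    return ("filesystem", f"{raw}: recursive force delete")

def evaluate(command, config, env, home, project):
    """(category, reason) for the first destructive segment, or None; allowlist is fullmatch per unexpanded segment."""
    try:
        segments = split_segments(command)
    except ValueError:
        return ("parse", f"unparseable command: {command}")   # fail closed rather than guess
    allow = [re.compile(p) for p in config.get("allowlist", [])]
    for tokens in segments:
        raw = " ".join(tokens)
        if any(a.fullmatch(raw) for a in allow):
            continue                                             # siblings in the chain are still checked
        expanded = [expand(t, env, home) for t in tokens]
        hit = check_rm(expanded, raw, home, project)
        if hit is None:
            joined = " ".join(expanded)
            hit = next(((cat, reason) for cat, rx, reason in RULES if rx.search(joined)), None)
        if hit is not None:
            return hit
    return None

def guard(command, config, authenticate, env, home, project):
    """Gate one command; return the audit record the hook would append, or None if not destructive."""
    hit = evaluate(command, config, env, home, project)
    if hit is None:
        return None
    if config.get("mode") == "report":
        decision = "reported"            # this example's label for report-mode entries
    elif authenticate():                 # real plugin: Touch ID / password via the Swift helper
        decision = "allowed"
    else:
        decision = "blocked"             # cancel, failure and headless (no dialog) all fail closed
    return {"tool": "Bash", "command": command, "category": hit[0], "reason": hit[1], "decision": decision,
            "ts": datetime.now(timezone.utc).astimezone().isoformat(timespec="seconds")}

def main():
    """Assumed hook wiring: PreToolUse JSON on stdin; exit 2 plus a reason on stderr blocks the call."""
    command = json.load(sys.stdin).get("tool_input", {}).get("command", "")
    record = guard(command, {"allowlist": [r"rm -rf node_modules/?"]}, lambda: False,   # stand-in helper: always denies
                   dict(os.environ), os.path.expanduser("~"), os.getcwd())
    if record and record["decision"] == "blocked":   # the real plugin also appends record to audit.log
        print(f"Blocked by touchid-guard ({record['category']}): {record['reason']}", file=sys.stderr)
        return 2
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Two points worth noticing when tuning an allowlist with this: the match runs against the segment as typed (before ~ and $VAR expansion), so "rm -rf node_modules/?" allows that one segment but `rm -rf node_modules/ && rm -rf ~` is still gated by the second segment; and a command shlex cannot parse is treated as destructive rather than skipped, which is the fail-closed choice a guard should make.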
Stops accidental/confused destruction — the real incident pattern. It is not a defense
against a deliberately adversarial model (it can edit files under ~/.claude); the
self-protection rule closes the casual self-disable path but is not a hard guarantee.
macOS with swiftc (Xcode Command Line Tools) and python3. Touch ID optional — falls
back to the Mac password.
MIT
Executes bash commands: the hook triggers when the Bash tool is used.
Modifies files: the hook triggers on file write and edit operations.
npx claudepluginhub cantinadigital/touchid-guard --plugin touchid-guard