🛡️ SafeRun Guard
Runtime safety firewall for AI coding agents.
SafeRun Guard is a Claude Code Plugin that intercepts dangerous commands and file operations before they execute. It protects your codebase from accidental rm -rf /, force pushes to main, credential overwrites, and more — automatically, silently, in ~20ms.
Compound commands like echo ok && rm -rf / are split and each segment is checked independently. Secret patterns (AWS keys, private keys, API tokens) are detected in file writes before they hit disk.
95% of actions — invisible. SafeRun Guard only speaks up when something is actually dangerous.
Quick Start
# Add marketplace and install (two commands, one time)
claude plugin marketplace add Cocabadger/saferun-guard
claude plugin install saferun-guard@saferun-guard
That's it. SafeRun Guard is now active for every Claude Code session.
Other install methods
# Via marketplace — browse + install
/plugin marketplace add Cocabadger/saferun-guard
/plugin install saferun-guard@saferun-guard
# Clone and install locally
git clone https://github.com/Cocabadger/saferun-guard.git
claude plugin install ./saferun-guard
# Load for one session only
claude --plugin-dir ./saferun-guard
Set up for your team
Add to your project's .claude/settings.json so every team member gets prompted to install:
{
  "extraKnownMarketplaces": {
    "saferun-guard": {
      "source": {
        "source": "github",
        "repo": "Cocabadger/saferun-guard"
      }
    }
  },
  "enabledPlugins": {
    "saferun-guard@saferun-guard": true
  }
}
What It Does
SafeRun Guard sits between Claude and your system. Every time Claude wants to run a shell command or write a file, SafeRun Guard checks it against 112 safety rules + 9 secret patterns in ~20ms:
Claude wants to run: git push --force origin main
                     │
                     ▼
               SafeRun Guard
                     │
     ┌────────────┬──┴─────────┬────────────┐
     │            │            │            │
🔄 REDIRECT   🚫 BLOCK      ❓ ASK      ✅ ALLOW
 (3 rules)     (27+25)      (25+23)     (silent)
     │            │            │            │
  Suggest       Agent         User       Command
   safer        sees          sees       executes
  command       block        prompt      normally
Four Decisions
- 🔄 REDIRECT — suggest a safer alternative. Agent rewrites the command.
  git push --force → "Use --force-with-lease instead"
- 🚫 BLOCK — command denied. Claude sees the reason and adapts.
  sudo rm -rf / → "Recursive delete as root"
- ❓ ASK — user gets a confirmation prompt.
  git push origin main → "Push to production branch — allow?"
- ✅ ALLOW — silent passthrough. No delay, no prompt.
  npm test, git status, ls -la
Compound Command Splitting
Commands chained with &&, ||, or ; are split and each segment is checked independently:
echo ok && rm -rf /
   │          │
   ✅         🚫 BLOCK — caught!
Pipe | is not split — it's part of a single pipeline (grep foo | wc -l is safe).
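The splitting rule described above, sketched as an added example (not SafeRun Guard's own code): segments are cut at &&, || and ; outside quotes, a single | stays inside its segment, and the most severe decision across segments wins. The two rules, the function names and the severity ordering are assumptions made for illustration.

```python
import re

# Illustrative rule subset, constructed for this example (not SafeRun Guard's rule set).
RULES = [
    ("BLOCK", re.compile(r"^(sudo\s+)?rm\s+-rf\s+/(\s|$)"), "Recursive delete of /"),
    ("ASK", re.compile(r"^git\s+push\s+origin\s+(main|master)\b"), "Push to production branch"),
]
SEVERITY = {"ALLOW": 0, "ASK": 1, "BLOCK": 2}


def split_compound(command):
    """Split on &&, || and ; outside quotes; a single | stays in its segment."""
    segments, buf, quote, i = [], [], None, 0
    while i < len(command):
        ch = command[i]
        if quote:                                   # inside quotes: copy verbatim
            if ch == "\\" and quote == '"' and i + 1 < len(command):
                buf.append(ch)                      # keep backslash-escaped char
                i += 1
                ch = command[i]
            elif ch == quote:
                quote = None
            buf.append(ch)
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif command[i:i + 2] in ("&&", "||"):
            segments.append("".join(buf))
            buf = []
            i += 1                                  # skip second operator char
        elif ch == ";":
            segments.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    segments.append("".join(buf))
    return [s.strip() for s in segments if s.strip()]


def check(command):
    """Return (decision, reason, segment) for the most severe segment."""
    worst = ("ALLOW", "", "")
    for seg in split_compound(command):
        for decision, pattern, reason in RULES:
            if pattern.search(seg) and SEVERITY[decision] > SEVERITY[worst[0]]:
                worst = (decision, reason, seg)
    return worst
```

This sketch does not look inside command substitution, subshells or newline-separated commands, which a production checker also has to consider.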
Content Scanning
File writes and edits are scanned for 9 secret patterns before they hit disk:
- AWS access keys (AKIA...) and secret keys
- Private keys (PEM -----BEGIN...PRIVATE KEY-----)
- GitHub tokens (ghp_, gho_, ghs_, ghr_)
- OpenAI / Stripe keys (sk-...)
- Slack tokens (xox[bpras]-...)
- Database connection strings with passwords
- Generic API keys and hardcoded passwords
What's Protected
🚫 Blocked Commands (27 rules)
- Git destructive — git push --force, git reset --hard, git clean -fd, delete main/master branch, interactive rebase
- Filesystem — rm -rf /, rm -rf ., chmod 777, chmod -R 777, dd, mkfs, sudo rm -rf
- Code execution — curl ... | bash, wget ... | sh — remote code execution
- Credentials — rm -rf ~/.ssh, destroy SSH keys, overwrite /etc/passwd
- Infrastructure — docker system prune -a, fork bombs, kubectl delete namespace
- History — history -c, history --clear — audit trail destruction
- Lockfiles — overwrite package-lock.json, yarn.lock, Cargo.lock via shell
❓ Ask User (25 rules)
- Git production — git push origin main, git merge main, delete tags
- Infrastructure — kubectl apply/delete, terraform apply/destroy
- Cloud / IaC — helm install/upgrade/uninstall/rollback, pulumi up/destroy, cdk deploy/destroy
- CI / GitHub — gh pr merge/close, gh release create/delete
- AWS — aws ec2 run/terminate/stop, aws s3 rm/rb
- Config mgmt — ansible-playbook (excluding --check/--diff/--syntax-check)
- Publishing — npm publish, pip upload, docker push, gem push
- Database — db migrate, db drop, SQL execution on prod
- Services — systemctl stop, service restart
🚫 Blocked File Writes (25 rules)