By neuradex
Guardrails for agentic work — decompose tasks into validated steps, enforce policy, audit everything
Design an LLM Rail workflow — analyze intent, validate requirements, and generate optimized YAML
Initialize LLM Rail in the current project — set up workflows, directories, and register in CLAUDE.md
Review an LLM Rail workflow — trial run, analyze results, and suggest concrete improvements
Execute an LLM Rail workflow end-to-end — validate, create, and run all steps automatically
Check LLM Rail workflow instance status or list all instances
Executes bash commands
Hook triggers when Bash tool is used
Modifies files
Hook triggers on file write and edit operations
Uses power tools
Uses Bash, Write, or Edit tools
Guardrails for AI agents that actually work.
Structural safety. Workflow control. Full audit.
Install & Forget · How It Protects You · Workflow Engine · Security Architecture · Getting Started · Contributing
1.0.0 — First stable release. The legacy pre-1.0 workflow format is no longer executed; use `lrail wf <name> migrate` to convert old files. See CHANGELOG.md.
Your AI agent just ran rm -rf on your project. Or leaked your API key in its output. Or force-pushed to main.
You told it to be careful. It ignored you — because that's what LLMs do when context grows long enough. Prompt-level safety is a suggestion. Agents don't follow suggestions.
LLM Rail enforces safety structurally. Not through prompts, but through hooks that intercept every command before it runs, policies that block what shouldn't execute, and audit logs that record everything that does.
It works at two levels:
Both levels share the same policy engine, the same audit infrastructure, and the same security model. The guardrails you configure for everyday use also protect your workflows.
```
# That's the whole setup.
/plugin marketplace add neuradex/llm-rail
/plugin install llm-rail@llm-rail
```
On your next Claude Code session, lrail.yml is auto-created with sensible defaults. That one file does everything:
```yaml
# lrail.yml — auto-generated, edit anytime
visible: false                  # agents can't see or modify this file

policy:
  mode: enforce
  default: allow                # deny-list approach: block specific commands
  rules:
    - effect: deny
      commands:
        - "rm -rf *"                                        # recursive force delete
        - regex: "rm\\s+-r\\s"                              # rm -r (recursive delete)
        - "sudo *"                                          # privilege escalation
        - "git push --force *"                              # force push
        - regex: "git\\s+reset\\s+--hard"                   # hard reset
        - regex: "git\\s+clean\\s+(-\\w*f)"                 # git clean (deletes untracked files)
        - regex: "git\\s+checkout\\s+--\\s+\\."             # git checkout -- . (mass revert)
        - regex: "curl.*\\|\\s*(bash|sh)"                   # pipe to shell
        - regex: "npm\\s+(uninstall|remove)\\s+.*llm-rail"  # self-protection
        - regex: "lrail\\.yml"                              # protect this config
```
Put it in your home directory and it covers every project underneath. Put it in a specific project and it overrides the global one for that directory tree. The nearest lrail.yml walking up from cwd wins — just like .gitignore.
One file. Zero setup. Every session guarded.
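The lookup described above (the nearest lrail.yml walking up from cwd wins), as an added example that is not llm-rail's own code. `find_config` walks upward from a start directory and returns the first `lrail.yml` it finds; `demo` builds a constructed layout in a temporary directory, a global file in a fake home directory and an overriding one inside a project, then resolves two working directories against it. The `stop` bound and the temporary layout are assumptions made for the illustration; whether the real plugin's walk continues to the filesystem root is not stated on the page.

```python
"""Added example: nearest-config resolution in the style of .gitignore lookup.
Not llm-rail's code; the directory layout below is constructed for the demo."""
import tempfile
from pathlib import Path

CONFIG_NAME = "lrail.yml"


def find_config(start, stop=None):
    """Walk from `start` upward and return the first lrail.yml found, or None.
    `stop` bounds the walk (assumption: used here so the demo is deterministic;
    the directory given as `stop` is itself still checked)."""
    current = Path(start).resolve()
    stop = Path(stop).resolve() if stop is not None else None
    while True:
        candidate = current / CONFIG_NAME
        if candidate.is_file():
            return candidate
        if current == stop or current.parent == current:
            return None
        current = current.parent


def demo():
    """Constructed layout:
        home/lrail.yml          global policy
        home/proj/lrail.yml     project override
        home/proj/src/          cwd 1 -> resolves to the project file
        home/other/             cwd 2 -> no project file, resolves to the global one
    Returns the resolved config path (relative to home) for each cwd."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve() / "home"
        (home / "proj" / "src").mkdir(parents=True)
        (home / "other").mkdir()
        (home / CONFIG_NAME).write_text("policy:\n  mode: enforce\n")
        (home / "proj" / CONFIG_NAME).write_text("policy:\n  mode: enforce\n")
        return {
            "proj/src": find_config(home / "proj" / "src", home).relative_to(home).as_posix(),
            "other": find_config(home / "other", home).relative_to(home).as_posix(),
        }


if __name__ == "__main__":
    for cwd, resolved in demo().items():
        print(f"{cwd:10} -> {resolved}")
```

Because the first match on the way up wins, a project-level file shadows the global one completely rather than merging with it; if you want the global deny rules to keep applying inside a project, they have to be present in the project's own lrail.yml too.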
Every Bash command the agent runs is intercepted by a PreToolUse hook and checked against your policy rules before it executes. Denied commands never run.
Simple rules use glob patterns. When you need precision — catching flag reordering, absolute path tricks, or subcommand variants — use regex:
```yaml
rules:
  - effect: deny
    commands:
      - "sudo *"                                    # glob — blocks sudo
      - regex: "rm\\s+(-\\w*r\\w*\\s+)*-\\w*f"        # regex — catches rm -rf, rm -r -f, rm -fr, etc.
      - regex: "git\\s+push\\b.*\\s(--force|-f)"     # regex — catches all force-push variants (git push -f, git push origin main --force, ...)
```
An agent that knows rm -rf is blocked might try rm -r -f or /bin/rm -rf. Glob patterns miss these. Regex doesn't.
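As an added example (not llm-rail's own code), here is a small Python evaluator that applies rules in the shape shown above: plain strings are matched as globs over the whole command, `regex:` entries are searched anywhere in it, and a PreToolUse-style allow/deny decision is derived from the first match. The rule list, the sample commands and the `hook_decision` helper are constructed for this illustration; the stdin JSON shape (`tool_name`, `tool_input.command`) and exit code 2 as the block signal follow the Claude Code hook convention as I understand it, not llm-rail's actual hook implementation. `glob_vs_regex` makes the gap in the paragraph above concrete: the glob `rm -rf *` misses `rm -r -f` and `/bin/rm -rf`, the regex catches both.

```python
"""Added example: a minimal policy evaluator in the shape of lrail.yml rules.
Not llm-rail's code; rules, sample commands and hook plumbing are constructed."""
import fnmatch
import json
import re
import sys

# Constructed rule set mirroring the README's shape: a plain string is a glob
# pattern, a {"regex": ...} entry is a regular expression (Python raw strings,
# so the doubled backslashes needed inside YAML double quotes are not used here).
RULES = [
    {
        "effect": "deny",
        "commands": [
            "sudo *",
            {"regex": r"rm\s+(-\w*r\w*\s+)*-\w*f"},       # rm -rf, rm -r -f, rm -fr, ...
            {"regex": r"git\s+push\b.*\s(--force|-f)"},   # --force or -f anywhere after push
            {"regex": r"curl.*\|\s*(bash|sh)"},           # pipe to shell
        ],
    }
]


def pattern_matches(pattern, command):
    """Globs must match the whole command string (case-sensitive); regexes are
    searched anywhere in it, so '/bin/rm -rf x' still hits an 'rm ...' rule."""
    if isinstance(pattern, dict) and "regex" in pattern:
        return re.search(pattern["regex"], command) is not None
    return fnmatch.fnmatchcase(command, pattern)


def evaluate(command, rules=RULES, default="allow"):
    """Return (effect, matched_pattern). First matching rule wins; otherwise
    the policy default applies (the README's default is a deny-list: allow)."""
    for rule in rules:
        for pattern in rule["commands"]:
            if pattern_matches(pattern, command):
                return rule["effect"], pattern
    return default, None


def glob_vs_regex(command):
    """The gap the README describes: (glob hit, regex hit) for one command.
    The glob 'rm -rf *' only matches that literal spelling at the start."""
    glob_hit = fnmatch.fnmatchcase(command, "rm -rf *")
    regex_hit = re.search(r"rm\s+(-\w*r\w*\s+)*-\w*f", command) is not None
    return glob_hit, regex_hit


def hook_decision(stdin_json, rules=RULES):
    """Decide one PreToolUse event. Returns (exit_code, message).
    Assumption: the event JSON carries tool_name and tool_input.command, and
    exit code 2 means 'block the call and feed stderr back to the model', as in
    Claude Code's hook convention. Non-Bash tools are passed through here."""
    event = json.loads(stdin_json)
    if event.get("tool_name") != "Bash":
        return 0, ""
    command = event.get("tool_input", {}).get("command", "")
    effect, pattern = evaluate(command, rules)
    if effect == "deny":
        shown = pattern["regex"] if isinstance(pattern, dict) else pattern
        return 2, f"blocked by policy rule {shown!r}: {command}"
    return 0, ""


if __name__ == "__main__":
    # Run as a hook: read the event from stdin, report on stderr, exit 0 or 2.
    code, message = hook_decision(sys.stdin.read())
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```

Two design points worth noticing: `fnmatchcase` rather than `fnmatch` keeps glob matching case-sensitive on every platform, and the regex branch uses `re.search`, not `re.match`, which is exactly why an absolute path or a leading `env FOO=1` prefix does not let a command slip past a regex rule the way it slips past an anchored glob.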
Agents need API keys to call external services. But they shouldn't see the actual values, and they definitely shouldn't print them in their output.
```yaml
env:
  secret_files: [.env, .env.local]
```
npx claudepluginhub neuradex/llm-rail --plugin llm-rail