SafeClaw Policy Recipe: Developer Workstation
This policy is for developers using AI coding agents — Claude Code, Cursor Agent Mode, GitHub Copilot — during daily development. It allows the agent to read and write source code within your project while blocking access to system files, credentials, and unvetted shell commands. Install SafeClaw with npx @authensor/safeclaw and paste this config into safeclaw.config.yaml.
Use Case
A developer workstation agent assists with writing code, running tests, installing packages, and navigating the project. The agent needs write access to source, test, and config files inside the project directory. Risks include overwriting system files, reading credentials from .env or ~/.ssh, executing destructive shell commands (rm -rf /), and making unauthorized network requests. This policy applies a deny-by-default architecture and first-match-wins evaluation to contain the agent to the project workspace.
The Policy
# safeclaw.config.yaml — Developer Workstation
# For: Claude Code, Cursor, Copilot, or any local coding agent
# Install: npx @authensor/safeclaw
version: "1.0"
agent: dev-workstation
defaultAction: deny
rules:
  # --- FILE READ RULES ---
  # Block reading credentials and secrets before any allow rules
  - id: deny-read-env-files
    action: file_read
    target: "*/.env"
    decision: deny
    description: "Block reading .env files containing secrets"
  # Block reading SSH keys and auth tokens
  - id: deny-read-ssh-keys
    action: file_read
    target: "~/.ssh/**"
    decision: deny
    description: "Block reading SSH private keys"
  # Block reading system-level config
  - id: deny-read-etc
    action: file_read
    target: "/etc/**"
    decision: deny
    description: "Block reading system configuration files"
  # Allow reading all project source files
  - id: allow-read-src
    action: file_read
    target: "./src/**"
    decision: allow
    description: "Allow reading source code"
  # Allow reading test files
  - id: allow-read-tests
    action: file_read
    target: "./tests/**"
    decision: allow
    description: "Allow reading test files"
  # Allow reading project config files (package.json, tsconfig, etc.)
  - id: allow-read-project-config
    action: file_read
    target: "./*.{json,yaml,yml,toml,js,ts}"
    decision: allow
    description: "Allow reading root-level project config files"
  # Allow reading docs and markdown
  - id: allow-read-docs
    action: file_read
    target: "./docs/**"
    decision: allow
    description: "Allow reading documentation files"
  # --- FILE WRITE RULES ---
  # Block writing to node_modules (agent should not modify dependencies)
  - id: deny-write-node-modules
    action: file_write
    target: "./node_modules/**"
    decision: deny
    description: "Block writing to node_modules directory"
  # Block writing outside the project directory
  - id: deny-write-outside-project
    action: file_write
    target: "/**"
    decision: deny
    description: "Block writing to absolute paths outside project"
  # Allow writing source code
  - id: allow-write-src
    action: file_write
    target: "./src/**"
    decision: allow
    description: "Allow writing to source directory"
  # Allow writing test files
  - id: allow-write-tests
    action: file_write
    target: "./tests/**"
    decision: allow
    description: "Allow writing to test directory"
  # Allow writing project config files
  - id: allow-write-project-config
    action: file_write
    target: "./*.{json,yaml,yml,toml}"
    decision: allow
    description: "Allow modifying root-level configs like package.json"
  # --- SHELL EXEC RULES ---
  # Block destructive commands unconditionally
  - id: deny-rm-rf
    action: shell_exec
    target: "rm -rf *"
    decision: deny
    description: "Block recursive force-delete commands"
  # Block sudo usage
  - id: deny-sudo
    action: shell_exec
    target: "sudo *"
    decision: deny
    description: "Block all sudo commands"
  # Allow npm/yarn/pnpm install
  - id: allow-package-install
    action: shell_exec
    target: "{npm,yarn,pnpm} install*"
    decision: allow
    description: "Allow installing packages"
  # Allow running tests
  - id: allow-test-commands
    action: shell_exec
    target: "{npm,yarn,pnpm} test*"
    decision: allow
    description: "Allow running test suites"
  # Allow running build
  - id: allow-build-commands
    action: shell_exec
    target: "{npm,yarn,pnpm} run build*"
    decision: allow
    description: "Allow running build scripts"
  # Allow git commands
  - id: allow-git
    action: shell_exec
    target: "git *"
    decision: allow
    description: "Allow all git operations"
  # Require approval for any other shell command
  - id: gate-other-shell
    action: shell_exec
    target: "*"
    decision: require_approval
    description: "All other shell commands need human approval"
  # --- NETWORK RULES ---
  # Allow npm registry
  - id: allow-npm-registry
    action: network
    target: "https://registry.npmjs.org/*"
    decision: allow
    description: "Allow npm package registry access"
  # Block all other network access
  - id: deny-network-default
    action: network
    target: "*"
    decision: deny
    description: "Block all other outbound network requests"
What This Policy Allows
- Reading and writing files inside ./src/ and ./tests/
- Reading root-level project config files (package.json, tsconfig.json)
- Running npm install, npm test, and npm run build
- All git commands (status, commit, diff, push, pull)
- Reading documentation files in ./docs/
- Network access to the npm registry for package installs
What This Policy Blocks
- Reading .env files, SSH keys, or /etc/ system config
- Writing to node_modules/ or any path outside the project
- Running rm -rf or any sudo command
- Outbound network requests to any domain except the npm registry
- Writing to system directories or absolute paths
- Reading credentials or token files
What Requires Approval
- Any shell command not in the explicit allow list (e.g., curl, docker, chmod)
- Unrecognized commands surface in the SafeClaw dashboard approval queue
- The developer reviews and approves or denies from the browser at safeclaw.onrender.com
Customization Guide
- Change the project path scope. Replace ./src/ and ./tests/ with your actual directory layout. If your source lives in ./lib/ or ./app/, update the allow-write-src and allow-read-src rules accordingly.
- Add more allowed shell commands. If your workflow uses docker compose up, make, or cargo build, add explicit allow rules for those commands above the gate-other-shell catch-all. First-match-wins means specific allows must come before the general gate.
- Allow network access to private registries. If you pull packages from a private Artifactory or GitHub Packages registry, add an allow rule for that domain above the deny-network-default rule (e.g., target: "https://npm.pkg.github.com/*").
Example Session
1. ALLOW — Agent reads a source file:
{
  "actionType": "file_read",
  "target": "./src/components/Header.tsx",
  "agentId": "dev-workstation",
  "decision": "ALLOW",
  "rule": "allow-read-src",
  "evaluationTime": "0.3ms"
}
2. DENY — Agent attempts to read .env:
{
  "actionType": "file_read",
  "target": "./.env.production",
  "agentId": "dev-workstation",
  "decision": "DENY",
  "rule": "deny-read-env-files",
  "evaluationTime": "0.2ms"
}
3. ALLOW — Agent runs the test suite:
{
  "actionType": "shell_exec",
  "target": "npm test",
  "agentId": "dev-workstation",
  "decision": "ALLOW",
  "rule": "allow-test-commands",
  "evaluationTime": "0.3ms"
}
4. REQUIRE_APPROVAL — Agent tries to run a curl command:
{
  "actionType": "shell_exec",
  "target": "curl -X POST https://api.example.com/deploy",
  "agentId": "dev-workstation",
  "decision": "REQUIRE_APPROVAL",
  "rule": "gate-other-shell",
  "evaluationTime": "0.2ms"
}
5. ALLOW — Agent writes a new component file:
{
  "actionType": "file_write",
  "target": "./src/components/Footer.tsx",
  "agentId": "dev-workstation",
  "decision": "ALLOW",
  "rule": "allow-write-src",
  "evaluationTime": "0.3ms"
}
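To see how deny-by-default and first-match-wins interact, here is an added example (not SafeClaw's own code; the glob semantics are an assumption, stated in the comments) that replays the session above through a minimal evaluator over a subset of this recipe's rules. One thing it surfaces: under that assumed matcher, "*/.env" does not match "./.env.production", so the request in step 2 is still denied, but by defaultAction rather than by deny-read-env-files, which is exactly the kind of difference simulation mode exists to catch before you switch to enforce mode.

```typescript
// Added example, not SafeClaw's own code: a minimal first-match-wins evaluator over a
// subset of the recipe's rules. Glob semantics are an assumption: "**" matches anything,
// "*" matches anything but "/" in file targets (anything at all in shell/network targets).
type Action = "file_read" | "file_write" | "shell_exec" | "network";
type Decision = "allow" | "deny" | "require_approval";
interface Rule { id: string; action: Action; target: string; decision: Decision }
interface Verdict { decision: Decision; rule: string }
const DEFAULT_ACTION: Decision = "deny"; // defaultAction: deny
// Subset of the recipe, kept in the same order as the YAML: the order is the policy.
const RULES: Rule[] = [
  { id: "deny-read-env-files", action: "file_read", target: "*/.env", decision: "deny" },
  { id: "deny-read-ssh-keys", action: "file_read", target: "~/.ssh/**", decision: "deny" },
  { id: "allow-read-src", action: "file_read", target: "./src/**", decision: "allow" },
  { id: "allow-read-project-config", action: "file_read", target: "./*.{json,yaml,yml,toml,js,ts}", decision: "allow" },
  { id: "deny-write-outside-project", action: "file_write", target: "/**", decision: "deny" },
  { id: "allow-write-src", action: "file_write", target: "./src/**", decision: "allow" },
  { id: "deny-rm-rf", action: "shell_exec", target: "rm -rf *", decision: "deny" },
  { id: "deny-sudo", action: "shell_exec", target: "sudo *", decision: "deny" },
  { id: "allow-test-commands", action: "shell_exec", target: "{npm,yarn,pnpm} test*", decision: "allow" },
  { id: "gate-other-shell", action: "shell_exec", target: "*", decision: "require_approval" },
  { id: "allow-npm-registry", action: "network", target: "https://registry.npmjs.org/*", decision: "allow" },
  { id: "deny-network-default", action: "network", target: "*", decision: "deny" },
];

const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
// Compile one target glob into an anchored regex; "{a,b}" becomes a choice of literals
// (assumes balanced braces, which every target in the recipe satisfies).
function globToRegex(pattern: string, pathMode: boolean): RegExp {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "*" && pattern[i + 1] === "*") { re += ".*"; i++; }
    else if (c === "*") re += pathMode ? "[^/]*" : ".*";
    else if (c === "{") {
      const close = pattern.indexOf("}", i);
      re += "(?:" + pattern.slice(i + 1, close).split(",").map(escapeRe).join("|") + ")";
      i = close;
    } else re += escapeRe(c);
  }
  return new RegExp("^" + re + "$");
}

// Walk the rules top to bottom; the first rule whose action and target match decides.
// If nothing matches, defaultAction applies: that is what makes the policy deny-by-default.
function evaluate(action: Action, target: string, rules: Rule[] = RULES): Verdict {
  const pathMode = action === "file_read" || action === "file_write";
  for (const r of rules) {
    if (r.action === action && globToRegex(r.target, pathMode).test(target)) return { decision: r.decision, rule: r.id };
  }
  return { decision: DEFAULT_ACTION, rule: "defaultAction" };
}
```

Because the subset omits allow-package-install, "npm install" falls to gate-other-shell here; with the full recipe it is allowed.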
Every evaluation is recorded in SafeClaw's tamper-proof audit trail (SHA-256 hash chain). Use simulation mode to test this policy before switching to enforce mode. SafeClaw evaluates each action in sub-millisecond time with zero third-party dependencies — verified across 446 tests in TypeScript strict mode.
Cross-References
- How to Integrate SafeClaw with Claude Code
- SafeClaw Policy Rule Syntax Reference
- Simulation Mode Reference
- Use Case: Claude Code Developer
- Cursor Agent Mode Setup Guide
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw