How to Make an AI Agent Read-Only (No Write Access)
SafeClaw by Authensor lets you enforce read-only mode on any AI agent by denying all write, create, delete, and execute actions in your policy file. The agent can read your codebase for analysis, code review, or documentation — but cannot modify a single file. Install with npx @authensor/safeclaw and your agent is read-only from the first action.
Why Read-Only Mode Matters
Many AI agent use cases do not require write access. Code review, architecture analysis, documentation extraction, and security auditing only need read permissions. Granting write access when it is not needed violates the principle of least privilege and opens the door to accidental file modifications, unintended deletions, and unauthorized code changes.
Read-only mode is the safest starting point for any AI agent interaction.
Step 1: Install SafeClaw
npx @authensor/safeclaw
Zero dependencies, MIT licensed. Works with Claude, OpenAI, LangChain, and every major framework.
Step 2: Create a Read-Only Policy
# safeclaw.policy.yaml
rules:
  # Allow reading files within the project
  - action: file.read
    path: "/home/user/projects/my-app/**"
    effect: allow
    reason: "Agent can read all project files"
  # Allow listing directories
  - action: file.list
    path: "/home/user/projects/my-app/**"
    effect: allow
    reason: "Agent can list project directories"
  # Block all write operations
  - action: file.write
    effect: deny
    reason: "Read-only mode: all writes are blocked"
  - action: file.create
    effect: deny
    reason: "Read-only mode: file creation is blocked"
  - action: file.delete
    effect: deny
    reason: "Read-only mode: file deletion is blocked"
  # Block all shell commands (could modify files)
  - action: shell.execute
    effect: deny
    reason: "Read-only mode: shell execution is blocked"
  # Block network access
  - action: network.*
    effect: deny
    reason: "Read-only mode: network access is blocked"
Step 3: Allow Safe Read Commands (Optional)
If you want the agent to run non-destructive shell commands for analysis:
rules:
  # Allow read-only shell commands
  - action: shell.execute
    command_pattern: "cat *"
    working_directory: "/home/user/projects/my-app"
    effect: allow
    reason: "Allow cat for file reading"
  - action: shell.execute
    command_pattern: "grep *"
    working_directory: "/home/user/projects/my-app"
    effect: allow
    reason: "Allow grep for code search"
  - action: shell.execute
    command_pattern: "find *"
    working_directory: "/home/user/projects/my-app"
    effect: allow
    reason: "Allow find for file discovery"
  - action: shell.execute
    command_pattern: "wc *"
    working_directory: "/home/user/projects/my-app"
    effect: allow
    reason: "Allow wc for line counting"
  - action: shell.execute
    command_pattern: "git log*"
    effect: allow
    reason: "Allow reading git history"
  - action: shell.execute
    command_pattern: "git diff*"
    effect: allow
    reason: "Allow reading diffs"
  - action: shell.execute
    command_pattern: "git show*"
    effect: allow
    reason: "Allow reading commit details"
  # Block everything else
  - action: shell.execute
    effect: deny
    reason: "All other shell commands are blocked in read-only mode"
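A pattern such as "find *" or "git diff*" fixes only the start of the command, so the arguments still decide whether it stays read-only: find accepts -delete and -exec, git diff accepts --output, and a shell honours redirection. The following Python check is an added example, not SafeClaw code and not part of the original page; it lists commands that the Step 3 patterns admit but that can still write. It assumes the patterns are shell-style globs matched against the full command string, and the sample commands are constructed.

```python
import fnmatch
import shlex

# Allow patterns copied from the Step 3 policy.
ALLOW_PATTERNS = ["cat *", "grep *", "find *", "wc *",
                  "git log*", "git diff*", "git show*"]

# Characters a shell uses to chain, substitute or redirect (conservative set).
SHELL_META = set(";&|<>`$\n")

# Arguments that make a normally read-only tool write files or run programs.
WRITE_FLAGS = {
    "find": {"-delete", "-exec", "-execdir", "-ok", "-okdir",
             "-fprint", "-fprint0", "-fprintf", "-fls"},
    "git": {"--output"},
}

def glob_allows(command):
    """ASSUMPTION: patterns are shell-style globs over the full command string."""
    return any(fnmatch.fnmatchcase(command, p) for p in ALLOW_PATTERNS)

def read_only_violations(command):
    """Return the reasons a command is not read-only; an empty list means none found."""
    reasons = [f"shell metacharacter {c!r}" for c in sorted(SHELL_META & set(command))]
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        return reasons + [f"unparseable command: {exc}"]
    if not argv:
        return reasons + ["empty command"]
    for arg in argv[1:]:
        for flag in WRITE_FLAGS.get(argv[0], ()):
            if arg == flag or arg.startswith(flag + "="):
                reasons.append(f"{argv[0]} argument {arg!r} writes or executes")
    return reasons

def audit(commands):
    """Map each command the globs admit to the reasons it should be rejected."""
    found = {c: read_only_violations(c) for c in commands if glob_allows(c)}
    return {c: r for c, r in found.items() if r}

# Constructed sample commands (not taken from SafeClaw logs).
SAMPLES = ["grep -rn TODO src", "git log --oneline -5",
           "find . -name '*.log' -delete", "cat notes.txt > README.md",
           "git diff --output=patch.txt HEAD~1"]

if __name__ == "__main__":
    for cmd, why in audit(SAMPLES).items():
        print(f"{cmd!r}: {'; '.join(why)}")
```

Run it over the commands seen during a `--simulate` session to decide which allow patterns need tightening before the policy is used for real.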
Step 4: Create a Review-Mode Preset
For code review workflows, combine read-only file access with read-only git access:
# safeclaw.policy.yaml — Code Review Mode
rules:
  - action: file.read
    path: "/home/user/projects/my-app/**"
    effect: allow
  - action: file.list
    path: "/home/user/projects/my-app/**"
    effect: allow
  - action: shell.execute
    command_pattern: "git log *"
    effect: allow
  - action: shell.execute
    command_pattern: "git diff *"
    effect: allow
  - action: shell.execute
    command_pattern: "git blame *"
    effect: allow
  - action: shell.execute
    command_pattern: "git show *"
    effect: allow
  - action: "*"
    effect: deny
    reason: "Code review mode: all non-read actions are blocked"
The final catch-all rule denies every action not explicitly allowed above.
Step 5: Escalate from Read-Only to Read-Write
When you trust the agent's analysis and want to allow edits, swap the policy:
npx @authensor/safeclaw --policy safeclaw.readwrite.yaml
Keep separate policy files for different trust levels. Start with read-only, then escalate to read-write only when needed.
Step 6: Test and Audit
npx @authensor/safeclaw --simulate
Ask the agent to create a file. The log confirms:
[DENIED] file.create: "/home/user/projects/my-app/new-file.ts"
Rule: "Read-only mode: file creation is blocked"
Check the hash-chained audit trail:
npx @authensor/safeclaw audit --tail 20
SafeClaw is open-source with 446 tests and works with both Claude and OpenAI providers.