2025-12-22 · Authensor

How to Prevent AI from Accessing Other Git Repositories

SafeClaw by Authensor restricts AI agents to a single git repository by denying file access and git commands outside your designated project path. With deny-by-default action gating, the agent cannot read source code, commit history, or configuration from any other repository on your machine. Install with npx @authensor/safeclaw and your other projects are invisible to the agent immediately.

Why Cross-Repo Access Is Dangerous

Developers often have multiple repositories on their machine — client projects, personal code, company proprietary software, and side projects with different licensing. An AI agent working in one repository should not be able to:

Even if the agent is trustworthy, cross-repo access increases the context window with irrelevant data and raises confidentiality concerns.

Step 1: Install SafeClaw

npx @authensor/safeclaw

Works with Claude Code, OpenAI agents, Cursor, and all major frameworks. Zero dependencies, MIT licensed.

Step 2: Scope File Access to One Repository

# safeclaw.policy.yaml
rules:
  # Allow file operations only within the current repo
  - action: file.*
    path: "/home/user/projects/current-repo/**"
    effect: allow
    reason: "Agent is scoped to current-repo only"

  # Block access to the parent projects directory
  - action: file.*
    path: "/home/user/projects/**"
    effect: deny
    reason: "Block access to sibling repositories"

  # Block access everywhere else
  - action: file.*
    effect: deny
    reason: "All file access outside current-repo is blocked"

The first-match-wins order is critical: the specific allow for current-repo must come before the broader deny for the projects directory.
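
The ordering rule can be checked with a small evaluator. This is an added example, not SafeClaw's own code: the helpers `normalize`, `globToRegExp` and `evaluate`, and the glob semantics (`**` spans directories, a rule without `path` matches any path), are assumptions, and the sample paths are constructed.

```javascript
// Added illustration: a minimal first-match-wins evaluator, NOT SafeClaw's code.
// Assumed semantics: "**" matches any depth, "*" stays within one segment,
// and a rule with no `path` matches every path.

// Resolve "." and ".." lexically so a traversal cannot dodge a path rule.
function normalize(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Translate a glob into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\?]/g, "\\$&");
  const body = escaped.replace(/\*\*|\*/g, (m) => (m === "**" ? ".*" : "[^/]*"));
  return new RegExp("^" + body + "$");
}

// Return the first rule matching action and normalized path; deny if none match.
function evaluate(rules, action, path) {
  const target = normalize(path);
  for (const rule of rules) {
    const actionOk = globToRegExp(rule.action).test(action);
    const pathOk = !rule.path || globToRegExp(rule.path).test(target);
    if (actionOk && pathOk) return { effect: rule.effect, reason: rule.reason };
  }
  return { effect: "deny", reason: "default deny (no rule matched)" };
}

// The three Step 2 rules, in the order the page gives them.
const step2 = [
  { action: "file.*", path: "/home/user/projects/current-repo/**", effect: "allow",
    reason: "Agent is scoped to current-repo only" },
  { action: "file.*", path: "/home/user/projects/**", effect: "deny",
    reason: "Block access to sibling repositories" },
  { action: "file.*", effect: "deny",
    reason: "All file access outside current-repo is blocked" },
];
// Same rules with the broad deny moved first: the allow becomes unreachable.
const misordered = [step2[1], step2[0], step2[2]];

const repo = "/home/user/projects/current-repo"; // constructed sample path
console.log(evaluate(step2, "file.read", repo + "/src/index.ts").effect);
console.log(evaluate(step2, "file.read", repo + "/../other-repo/.env").effect);
console.log(evaluate(misordered, "file.read", repo + "/src/index.ts").effect);
```

The normalization here is lexical only; a symlink inside the repository that points elsewhere would need the real path resolved before matching.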

Step 3: Block Git Commands Targeting Other Repos

An agent might use git commands to access other repositories:

rules:
  - action: shell.execute
    command_pattern: "git clone *"
    effect: deny
    reason: "Block cloning additional repositories"

  - action: shell.execute
    command_pattern: "git -C *"
    effect: deny
    reason: "Block git operations with -C (change directory flag)"

  - action: shell.execute
    command_pattern: "git --git-dir=*"
    effect: deny
    reason: "Block git operations targeting other .git directories"

  - action: shell.execute
    command_pattern: "git remote add *"
    effect: deny
    reason: "Block adding remotes to other repos"

  - action: shell.execute
    command_pattern: "git submodule add *"
    effect: deny
    reason: "Block adding submodules from other repos"

Step 4: Block Directory Traversal

Prevent the agent from navigating to sibling directories:

rules:
  - action: shell.execute
    command_pattern: "cd ..*"
    effect: deny
    reason: "Block navigating to parent directories"

  - action: shell.execute
    command_pattern: "ls /home/user/projects"
    effect: deny
    reason: "Block listing the projects directory"

  - action: shell.execute
    command_pattern: "find /home/user/projects *"
    effect: deny
    reason: "Block searching across all projects"

Step 5: Handle Monorepo Workspaces

If you work in a monorepo and want to restrict the agent to a specific workspace:

rules:
  # Allow access to the specific workspace
  - action: file.*
    path: "/home/user/projects/monorepo/packages/my-package/**"
    effect: allow
    reason: "Agent scoped to my-package workspace"

  # Allow reading shared config at repo root
  - action: file.read
    path: "/home/user/projects/monorepo/tsconfig.json"
    effect: allow
    reason: "Allow reading shared TypeScript config"

  - action: file.read
    path: "/home/user/projects/monorepo/package.json"
    effect: allow
    reason: "Allow reading root package.json"

  # Block everything else in the monorepo
  - action: file.*
    path: "/home/user/projects/monorepo/**"
    effect: deny
    reason: "Block access to other workspaces"

Step 6: Test and Audit

npx @authensor/safeclaw --simulate

Ask the agent to read a file in a different repo:

[DENIED] file.read: "/home/user/projects/other-repo/src/index.ts"
  Rule: "Block access to sibling repositories"

Review the hash-chained audit trail:

npx @authensor/safeclaw audit --filter "effect:deny"

SafeClaw is open-source with 446 tests and works with both Claude and OpenAI providers.
