2025-12-02 · Authensor

Using SafeClaw with Claude Code: Developer Workspace Policy

Scenario

You are a solo developer running Claude Code on your local machine. Claude Code has access to your terminal, filesystem, and network. You want it to help you write code, run tests, and search documentation, but you do not want it deleting critical files, pushing to production branches, or exfiltrating data to unknown endpoints.

SafeClaw sits between Claude Code and your operating system, evaluating every action request against a policy you define. It runs locally with sub-millisecond evaluation, so Claude Code does not feel slower. No third-party dependencies are introduced into your toolchain.

Threat Model

Without action-level gating, Claude Code can:

SafeClaw's deny-by-default architecture means none of these actions succeed unless your policy explicitly permits them.

Recommended Policy

# Claude Code Developer Workspace Policy
policy:
  name: "claude-code-dev-workspace"
  default: DENY

rules:
  # --- File Read ---
  - action: file_read
    path: "/Users/you/projects/**"
    decision: ALLOW

  - action: file_read
    path: "/Users/you/.config/safeclaw/**"
    decision: ALLOW

  # --- File Write ---
  - action: file_write
    path: "/Users/you/projects/current-project/src/**"
    decision: ALLOW

  - action: file_write
    path: "/Users/you/projects/current-project/tests/**"
    decision: ALLOW

  - action: file_write
    path: "/Users/you/projects/current-project/package.json"
    decision: REQUIRE_APPROVAL

  - action: file_write
    path: "/Users/you/.ssh/**"
    decision: DENY

  - action: file_write
    path: "/Users/you/.env"
    decision: DENY

  # --- Shell Exec ---
  - action: shell_exec
    command: "npm test*"
    decision: ALLOW

  - action: shell_exec
    command: "npm run build*"
    decision: ALLOW

  - action: shell_exec
    command: "git status*"
    decision: ALLOW

  - action: shell_exec
    command: "git diff*"
    decision: ALLOW

  - action: shell_exec
    command: "git commit*"
    decision: ALLOW

  - action: shell_exec
    command: "git push*"
    decision: REQUIRE_APPROVAL

  - action: shell_exec
    command: "npm install*"
    decision: REQUIRE_APPROVAL

  - action: shell_exec
    command: "rm -rf*"
    decision: DENY

  # --- Network ---
  - action: network
    domain: "registry.npmjs.org"
    decision: ALLOW

  - action: network
    domain: "api.anthropic.com"
    decision: ALLOW

  - action: network
    domain: "github.com"
    decision: ALLOW

  - action: network
    domain: "*"
    decision: DENY

Example Action Requests

1. Claude Code reads a source file (ALLOW)

{
  "action": "file_read",
  "path": "/Users/you/projects/current-project/src/index.ts",
  "agent": "claude-code",
  "timestamp": "2026-02-13T10:15:00Z"
}
// Decision: ALLOW — path matches /Users/you/projects/**

2. Claude Code writes to SSH config (DENY)

{
  "action": "file_write",
  "path": "/Users/you/.ssh/config",
  "content": "Host *\n  ForwardAgent yes",
  "agent": "claude-code",
  "timestamp": "2026-02-13T10:16:00Z"
}
// Decision: DENY — .ssh/** is explicitly denied for writes

3. Claude Code runs git push (REQUIRE_APPROVAL)

{
  "action": "shell_exec",
  "command": "git push origin feature-branch",
  "agent": "claude-code",
  "timestamp": "2026-02-13T10:20:00Z"
}
// Decision: REQUIRE_APPROVAL — you review and approve or reject in the dashboard

4. Claude Code attempts to curl an unknown endpoint (DENY)

{
  "action": "network",
  "domain": "evil-exfil.example.com",
  "method": "POST",
  "agent": "claude-code",
  "timestamp": "2026-02-13T10:22:00Z"
}
// Decision: DENY — domain not in allowlist, wildcard catch-all denies

5. Claude Code installs a package (REQUIRE_APPROVAL)

{
  "action": "shell_exec",
  "command": "npm install lodash",
  "agent": "claude-code",
  "timestamp": "2026-02-13T10:25:00Z"
}
// Decision: REQUIRE_APPROVAL — npm install always requires your sign-off
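
The five decisions above can be reproduced with a small model of the policy. This is an added example, not SafeClaw's code: it assumes rules are checked top to bottom with the first match winning, that patterns are shell-style globs, and that paths are normalized before matching. The names evaluate, RULES, MATCH_FIELD and SAMPLES are hypothetical.

```python
# Added example: models deny-by-default, first-match evaluation of the policy above.
# Assumptions (not from SafeClaw's docs): top-to-bottom order, first match wins,
# shell-style globs, and paths normalized before matching.
from fnmatch import fnmatchcase
import posixpath

DEFAULT = "DENY"
MATCH_FIELD = {"file_read": "path", "file_write": "path",
               "shell_exec": "command", "network": "domain"}

# Subset of the page's rules, kept in the same order.
RULES = [
    ("file_read", "/Users/you/projects/**", "ALLOW"),
    ("file_write", "/Users/you/projects/current-project/src/**", "ALLOW"),
    ("file_write", "/Users/you/.ssh/**", "DENY"),
    ("shell_exec", "npm test*", "ALLOW"),
    ("shell_exec", "git push*", "REQUIRE_APPROVAL"),
    ("shell_exec", "npm install*", "REQUIRE_APPROVAL"),
    ("network", "github.com", "ALLOW"),
    ("network", "*", "DENY"),
]

def evaluate(request, rules=RULES):
    """Return the decision for one action request; anything unmatched is denied."""
    field = MATCH_FIELD.get(request.get("action"))
    value = request.get(field) if field else None
    if not isinstance(value, str):
        return DEFAULT
    if field == "path":
        # Collapse "." and ".." so a path cannot borrow an allowed prefix.
        value = posixpath.normpath(value)
    for action, pattern, decision in rules:
        if action == request["action"] and fnmatchcase(value, pattern):
            return decision
    return DEFAULT

# Requests 1-5 are the page's examples; the last two are constructed edge cases.
SAMPLES = [
    {"action": "file_read", "path": "/Users/you/projects/current-project/src/index.ts"},
    {"action": "file_write", "path": "/Users/you/.ssh/config"},
    {"action": "shell_exec", "command": "git push origin feature-branch"},
    {"action": "network", "domain": "evil-exfil.example.com"},
    {"action": "shell_exec", "command": "npm install lodash"},
    {"action": "file_read", "path": "/Users/you/projects/../.ssh/id_rsa"},
    {"action": "shell_exec", "command": "git rebase main"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(evaluate(req), req)
```

posixpath.normpath is purely lexical; a gate that must also account for symlinks would compare resolved paths.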

Setup Steps

  1. Install SafeClaw in your project directory:
       npx @authensor/safeclaw
     The setup wizard launches in your browser. No credit card required. The free tier provides 7-day renewable keys.
  2. Select the "Developer Workspace" template from the wizard. This pre-loads sensible defaults for a solo coding workflow.
  3. Customize paths to match your actual project structure. Replace /Users/you/projects/current-project/ with your real working directory.
  4. Set shell command rules to allow your test runner and build tool. Add REQUIRE_APPROVAL for anything that modifies external state (push, publish, install).
  5. Lock down network access by adding only the domains Claude Code legitimately needs: your package registry, API provider, and source control host.
  6. Enable simulation mode first. Run your normal Claude Code workflow and review the audit trail in the browser dashboard. Every action is logged with its would-be decision. No actions are blocked yet.
  7. Switch to enforcement mode once you are satisfied the policy matches your workflow. From this point, SafeClaw evaluates every action in real time with sub-millisecond latency.
  8. Review the audit trail periodically. SafeClaw maintains a tamper-proof SHA-256 hash chain of every action request and decision. If an action was denied that should have been allowed, update your policy through the dashboard.
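
How a SHA-256 hash chain over action requests and decisions is built and checked, as an added example that is not SafeClaw's code. The record layout, the all-zero starting value and the names entry_hash, append, first_bad_index and build_chain are assumptions; the page does not show SafeClaw's audit format.

```python
# Added example: a SHA-256 hash chain over action/decision records, with verification.
# Assumed layout: each entry stores the record, the previous hash, and its own hash.
import hashlib
import json

GENESIS = "0" * 64  # assumed "prev" value for the first entry

def entry_hash(prev_hash, record):
    # Canonical JSON so a record always serializes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, record):
    """Link a record to the current head and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return chain[-1]["hash"]

def first_bad_index(chain, trusted_head=None):
    """Return -1 if intact, else the first bad index (len(chain) = head mismatch)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return -1

# Constructed records, based on three of the page's example requests.
SAMPLE_RECORDS = [
    {"action": "file_read", "path": "/Users/you/projects/current-project/src/index.ts", "decision": "ALLOW"},
    {"action": "file_write", "path": "/Users/you/.ssh/config", "decision": "DENY"},
    {"action": "shell_exec", "command": "git push origin feature-branch", "decision": "REQUIRE_APPROVAL"},
]

def build_chain(records):
    chain, head = [], GENESIS
    for record in records:
        head = append(chain, dict(record))
    return chain, head

if __name__ == "__main__":
    chain, head = build_chain(SAMPLE_RECORDS)
    chain[1]["record"]["decision"] = "ALLOW"  # simulate an edited entry
    print("first bad entry:", first_bad_index(chain, head))
```

Internal consistency alone cannot reveal truncation or a full rewrite of the log, which is why the check also accepts a head hash recorded outside the log.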
