GitHub Repository

Safe runtime for Claude Code, built to be yours.

40 stars · Rust

Railyard – open and secure runtime for Claude Code

by LunarFrost88·Mar 10, 2026·3 points·5 comments

AI Analysis

●●● Banger · Solve My Problem · Ship It

Blocks terraform destroy and rm -rf in 2ms without LLM scoring commands.

Strengths
  • Deterministic rule matching instead of LLM intent guessing means predictable behavior.
  • OS-level sandboxing via sandbox-exec and bwrap provides real kernel isolation.
  • 99% of commands flow through instantly, only prompts on genuinely sensitive operations.
Weaknesses
  • Claude Code-specific limits broader applicability beyond Anthropic's tool.
  • macOS and Linux support only, no Windows sandboxing available yet.
Category
Target Audience

Developers using Claude Code with --dangerously-skip-permissions

Similar To

ShellGuard · sudo-rs

Post Description

We're a small startup (but have ~15 years of experience building software), so we try to run Claude Code as autonomously as possible. The goal is to spend most of our time talking to customers instead of babysitting the agent. But --dangerously-skip-permissions felt a bit too wild west for us.

So we built a runtime to make autonomous use safer. Railyard is an open-source runtime that sits between Claude Code and the shell and adds guardrails to agent commands.

*How it works*

Every command Claude runs goes through Railyard first. Most commands pass straight through. The ones that could cause damage (e.g. terraform destroy) get blocked or require approval. Under the hood it runs commands inside an OS-level sandbox (sandbox-exec on macOS, bwrap on Linux) and applies deterministic rules. No LLM scoring commands or guessing about intent — a command either matches a rule or it doesn't. The check takes ~2ms.

Things it blocks or protects by default:

* destructive commands (terraform destroy, rm -rf)

* access to sensitive paths like ~/.ssh, ~/.aws, /etc

* certain network calls

* simple evasion tricks (base64 / hex / variable obfuscation)

It also snapshots file writes so you can roll back a session if something goes wrong.

*What this means*

In practice this lets us run Claude Code with --dangerously-skip-permissions, but with guardrails underneath so we can move fast without breaking or deleting production assets.

We built this because we wanted Claude Code to behave more like a software factory. Factories run at high volume, but only because the production line has quality and safety checks. Railyard is the guardrail layer that makes that possible for us.

Repo: https://github.com/railyarddev/railyard

It's MIT licensed and free to use. If you're experimenting with autonomous agents, feel free to clone it and try it out. I'm especially curious how people push or break these guardrails.

Happy to answer any Qs about how it works.
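
The deterministic check the post describes, sketched as an added example (not Railyard's code and not part of the original post): a command either matches a rule or passes, and base64 tokens are decoded and checked too. The rule table, function names and sample commands are constructed for illustration; hex and variable obfuscation are left out.

```rust
// Constructed rule table for illustration; not Railyard's actual rules.
const RULES: &[(&str, &str)] = &[
    ("terraform destroy", "destructive command"),
    ("rm -rf", "destructive command"),
    ("~/.ssh", "sensitive path"),
    ("~/.aws", "sensitive path"),
];

/// Decode a standard-alphabet base64 token; None if it is not base64 or not UTF-8 text.
fn b64_decode(tok: &str) -> Option<String> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in tok.trim_end_matches('=').bytes() {
        let v = ALPHABET.iter().position(|&a| a == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    String::from_utf8(out).ok()
}

/// Collapse runs of whitespace so spacing tricks do not dodge a rule.
fn normalize(s: &str) -> String {
    s.split_whitespace().collect::<Vec<_>>().join(" ")
}

/// Reason for the first rule matching the command or any base64 token
/// embedded in it; None means the command passes straight through.
fn check(cmd: &str) -> Option<&'static str> {
    let mut views = vec![normalize(cmd)];
    let is_sep = |c: char| c.is_whitespace() || "'\"|;".contains(c);
    for tok in cmd.split(is_sep).filter(|t| t.len() >= 8) {
        if let Some(decoded) = b64_decode(tok) {
            views.push(normalize(&decoded));
        }
    }
    RULES.iter().find(|(p, _)| views.iter().any(|v| v.contains(*p))).map(|&(_, r)| r)
}

fn main() {
    // Constructed sample commands: one benign, one hiding a rule match in base64.
    for cmd in ["cargo build --release", "echo cm0gLXJmIC8= | base64 -d | sh"] {
        println!("{cmd:40} -> {:?}", check(cmd));
    }
}
```

Substring rules like these only cover what they can see after normalization, which is why the post pairs them with an OS-level sandbox.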
