You decide what Claude Code is allowed to run.
fencepost inspects every command, file edit, and tool call Claude Code makes, before it happens, and resolves each one to allow, ask, or deny from a YAML policy you control. Bash is parsed with tree-sitter, not pattern-matched, so the same command always lands the same way.
rm -rf $BUILD_DIR
rm -rf ./dist — scoped to the project
git push origin main
bun test --coverage
One gate between Claude and your machine.
It sees the call
fencepost runs on Claude Code's PreToolUse hook, so it intercepts every tool call — Bash, edits, MCP tools — the instant before it would execute.
It checks your policy
The call is matched against a YAML rule set you own. Import curated presets for git, kubernetes, helm and more, then layer your own rules on top.
It returns a verdict
allow runs silently, ask prompts you, and deny blocks the call — handing Claude a concrete alternative instead of a dead end.
Three outcomes. Nothing fuzzy.
Rules resolve in a fixed precedence, the same way every time. The most restrictive matching tier wins, so you can never allow your way past a deny.
allow: The tool runs immediately and silently. Your fast path for the commands you trust.
ask: Claude Code pauses and prompts you. The right call for anything reversible-but-risky.
deny: The call is blocked and Claude is steered toward the safe alternative, not left to retry the wall.
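A minimal model of this precedence, added here as an illustration and not taken from fencepost's own code. It uses the two bash rules and the `default`/`onError` fallbacks from the sample policy on this page; Python's `shlex` stands in for tree-sitter, and both token-prefix rule matching and per-sub-command evaluation of compound lines are assumptions (presets are not modelled).

```python
import shlex

RANK = {"allow": 0, "ask": 1, "deny": 2}   # higher rank = more restrictive
OPERATORS = {"&&", "||", ";", "|", "&"}

# The bash rules and fallbacks from this page's sample policy (presets omitted).
POLICY = {
    "default": "ask",    # nothing matched
    "onError": "ask",    # command could not be analysed
    "bash": {"deny": ["git push --force"], "allow": ["bun test"]},
}

def split_commands(line):
    """Tokenise like a shell, then split into simple commands at operators."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:               # raises ValueError on an unclosed quote
        if token in OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def verdict_for(argv, policy):
    """Most restrictive tier holding a rule that is a token prefix of argv."""
    hits = [tier for tier, rules in policy["bash"].items()
            if any(argv[:len(rule.split())] == rule.split() for rule in rules)]
    return max(hits, key=RANK.get) if hits else policy["default"]

def decide(line, policy=POLICY):
    """Verdict for a whole line: the strictest verdict of any sub-command."""
    try:
        commands = split_commands(line)
    except ValueError:
        return policy["onError"]
    if not commands:
        return policy["default"]
    return max((verdict_for(argv, policy) for argv in commands), key=RANK.get)
```

Because matching works on parsed tokens, a quoted string that merely contains `git push --force` does not trip the deny rule, while the same command chained after an allowed one still does.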
A perimeter you can actually read.
Composable presets
Import battle-tested rule sets for git, kubernetes, helm, ansible and the filesystem with one line. Your own rules always layer on top.
Real bash understanding
Commands are parsed with tree-sitter, not matched as strings. fencepost reasons about redirections, every argument, and inline python -c or node -e.
A scratch sandbox
Funnel temp files into /tmp/claude and grant destructive permissions scoped to it. The rest of the filesystem stays gated.
Denials that redirect
A block is not a dead end. Every deny carries an alternative, steering Claude to the right command instead of letting it thrash.
Fail-closed safety
A broken security config denies everything until a human fixes it. Un-checkable commands ask. Verify the whole policy in CI with one command.
Audit & tune
Every decision is logged. The /audit skill turns real usage into concrete config suggestions — promote, prune, tighten.
Small file. Curated policy.
Drop a single .claude/fencepost.yaml, or split rules across a conf.d directory by domain. Import presets as the base; your rules always win.
import:
  - claude   # built-ins + sandbox
  - git
  - kubernetes
default: ask   # nothing matched
onError: ask   # can't decide
tools:
  bash:
    deny:
      - git push --force
    allow:
      - bun test

Put up the fence.
Install the plugin, import a preset or two, and Claude Code starts the next session inside a perimeter you control.