Per-Session Security for Claude Code

Original source: hackernews · Summary and analysis by Genesis Park

Summary

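With the 'Claude Guard' plugin developed by Derek Larson, security settings including network blocking and workspace restriction can be applied per Claude Code session. The system blocks access to sensitive paths and dangerous write operations through preconfigured hooks, and on macOS it uses a kernel-level sandbox to strictly isolate network access and file writes. Through environment variables, users can flexibly override settings such as the network mode and the accessible root paths for each session, so that the agent can reach only the resources it needs.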

Main text

Per-session security for Claude Code. Allow agents the access they need, and nothing more.

    # Locked-down coding agent: no network, can only touch this one repo.
    CLAUDE_GUARD_NETWORK_MODE=sandbox \
    CLAUDE_GUARD_WORKSPACE_GUARD=on \
    CLAUDE_GUARD_ALLOWED_ROOTS="$HOME/Github/my-app" \
    claude -p "fix the scroll bug" --dangerously-skip-permissions

Built by Derek Larson. Read the backstory: Keys to the Castle.

Step 1: Add the marketplace source

    /plugin marketplace add derek-larson14/claude-guard

Step 2: Install the plugin

    /plugin install claude-guard@claude-guard

Then run setup:

    /claude-guard:setup

Setup asks about your environment and configures the right protections.

Using a PreToolUse hook, four guards run in sequence; the first deny blocks the action.

    Tool call → claude-guard.sh (dispatcher)
      → path-guard.sh        blocks access to sensitive paths
      → write-guard.sh       blocks dangerous writes
      → workspace-guard.sh   optional: scopes to project dir
      → network-guard.sh     sandboxes or blocks network
      → audit-log.sh         logs to JSONL

Path guard blocks access to sensitive paths — credentials, browser sessions, keychains, clipboard, shell history, and more. Patterns are organized into categories that can be individually toggled in claude-guard.toml or via env vars.

Network guard has three modes: sandbox (macOS, kernel-level network blocking on all Bash), pattern (cross-platform, blocks weaponized patterns), or off (pattern checks still run as defense-in-depth).

File write sandbox uses the same sandbox-exec mechanism as network sandbox. Set CLAUDE_GUARD_SANDBOX_DENY_WRITE to block Bash writes to specific directories, with CLAUDE_GUARD_SANDBOX_ALLOW_WRITE for exceptions. Activates automatically when deny-write paths are set, independent of network mode. Combined with workspace guard, this gives kernel-level write protection for Bash and hook-level protection for file tools.

Workspace guard is optional. Restricts Read/Write/Edit/Grep/Glob to your project directory. Useful for locked-down automated scripts.

Default settings can be overridden by putting environment variables inline before the claude command.

    # This Claude session has network sandboxing and workspace restriction.
    # The next one won't, unless you set these again.
    CLAUDE_GUARD_NETWORK_GUARD=on \
    CLAUDE_GUARD_NETWORK_MODE=sandbox \
    CLAUDE_GUARD_WORKSPACE_GUARD=on \
    CLAUDE_GUARD_ALLOWED_ROOTS="$HOME/Github/my-app:$HOME/Github/my-lib" \
    claude -p "fix the scroll bug" --dangerously-skip-permissions

File write sandbox example:

    # Agent can write to any repo, but exec/ is kernel-locked except scratch/build/.
    # Even python/node scripts spawned by Bash inherit this restriction.
    CLAUDE_GUARD_NETWORK_MODE=sandbox \
    CLAUDE_GUARD_SANDBOX_DENY_WRITE="$HOME/Github/exec" \
    CLAUDE_GUARD_SANDBOX_ALLOW_WRITE="$HOME/Github/exec/scratch/build" \
    claude -p "build the feature" --dangerously-skip-permissions

Available overrides:

    CLAUDE_GUARD_NETWORK_GUARD=on                          # force-enable (even if disabled in config)
    CLAUDE_GUARD_PATH_GUARD=off                            # disable for this session only
    CLAUDE_GUARD_NETWORK_MODE=sandbox                      # switch network mode
    CLAUDE_GUARD_ALLOWED_ROOTS="/a:/b"                     # restrict workspace to these dirs
    CLAUDE_GUARD_SANDBOX_DENY_WRITE="/protected/path"      # kernel-block Bash writes to path
    CLAUDE_GUARD_SANDBOX_ALLOW_WRITE="/protected/path/ok"  # exception within denied path

    # Path guard category overrides (turn individual categories on/off)
    CLAUDE_GUARD_PATH_CAT_CREDENTIALS=off        # allow credential file access
    CLAUDE_GUARD_PATH_CAT_CLIPBOARD=off          # allow clipboard access
    CLAUDE_GUARD_PATH_CAT_BROWSER_SESSIONS=off   # allow browser data access
    # Categories: credentials, browser-sessions, messages, keychains,
    # password-managers, system-data, shell-history, claude-internals,
    # clipboard, browser-hijacking

    /claude-guard:setup       # first-time setup
    /claude-guard:scan        # full security audit
    /claude-guard:configure   # view/change guard settings
    /claude-guard:toggle      # turn all guards on or off

- Credentials — SSH keys, AWS creds, API tokens, .env files, Docker/Kubernetes config
- Browser sessions — Cookies and local storage for Chrome, Arc, Firefox, Safari, Brave, Edge, Dia
- Password managers — 1Password vaults, system keychains, GNOME keyring, GPG keys
- Messages and email — iMessage, Mail, Signal databases
- Clipboard — pbpaste, pbcopy, xclip, xsel
- Shell history — .bash_history, .zsh_history, .psql_history, .python_history
- Network exfiltration — Kernel-level sandbox on all Bash commands (macOS), plus pattern blocking for cookie theft, reverse shells, scp/rsync
- File write sandbox — Kernel-level restriction on which directories Bash can write to (macOS). Covers all child processes: python, node, compiled binaries. Set deny/allow paths per session to lock an agent to specific directories
- Persistence — LaunchAgents, crontab, systemd services, shell rc files, SSH authorized_keys
- Browser hijacking — --remote-debugging-port, Puppeteer/Playwright connect, Chrome DevTools Protocol

Guards configured through claude-guard.toml. Use /claude-guard:configure or ed
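
The text above describes first-deny dispatch and a workspace guard that scopes file tools to CLAUDE_GUARD_ALLOWED_ROOTS. The following is an added example, not Claude Guard's own code (the plugin's guards are shell scripts), showing a containment check that resolves `..` and symlinks and compares whole path components rather than string prefixes. The `tool_input` keys `file_path` and `path`, the fallback to the project directory when no roots are set, and all function names are assumptions; the directory tree is constructed.

```python
import os, tempfile

FILE_TOOLS = {"Read", "Write", "Edit", "Grep", "Glob"}  # tools the page says workspace guard covers

def canonical(path, cwd):
    """Resolve relative segments, '..' and symlinks to one absolute path."""
    return os.path.realpath(os.path.join(cwd, os.path.expanduser(path)))

def workspace_guard(tool, tool_input, env, cwd):
    """Return a deny reason, or None when this guard has no objection."""
    if env.get("CLAUDE_GUARD_WORKSPACE_GUARD") != "on" or tool not in FILE_TOOLS:
        return None
    # Assumed input keys: file_path (Read/Write/Edit), path (Grep/Glob).
    target = canonical(tool_input.get("file_path") or tool_input.get("path") or ".", cwd)
    raw = env.get("CLAUDE_GUARD_ALLOWED_ROOTS") or cwd  # assumption: default is the project dir
    roots = [canonical(r, cwd) for r in raw.split(":") if r]
    # Compare whole path components: "/x/my-app-secrets" is not inside "/x/my-app".
    if any(os.path.commonpath([target, r]) == r for r in roots):
        return None
    return f"workspace-guard: {target} is outside the allowed roots"

def dispatch(guards, tool, tool_input, env, cwd):
    """Run guards in order; the first deny reason blocks the tool call."""
    for guard in guards:
        reason = guard(tool, tool_input, env, cwd)
        if reason:
            return "deny", reason
    return "allow", None

def demo():
    """Constructed tree: an allowed repo, a look-alike sibling, and a symlink out."""
    base = tempfile.mkdtemp()
    app, other = os.path.join(base, "my-app"), os.path.join(base, "my-app-secrets")
    os.makedirs(os.path.join(app, "src"))
    os.makedirs(other)
    os.symlink(other, os.path.join(app, "link"))
    env = {"CLAUDE_GUARD_WORKSPACE_GUARD": "on", "CLAUDE_GUARD_ALLOWED_ROOTS": app}
    cases = {
        "inside": ("Edit", {"file_path": "src/main.py"}),
        "dotdot": ("Read", {"file_path": "../my-app-secrets/key"}),
        "sibling": ("Read", {"file_path": os.path.join(other, "key")}),
        "symlink": ("Write", {"file_path": "link/key"}),
        "bash": ("Bash", {"command": "touch ../my-app-secrets/x"}),
    }
    return {name: dispatch([workspace_guard], tool, inp, env, app)[0]
            for name, (tool, inp) in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The `bash` case is allowed because a hook-level path check only sees file-tool arguments, which is why the page pairs workspace guard with the kernel-level sandbox for Bash.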

This analysis was written by the Genesis Park editorial team with the help of AI. The original text can be found through the source link.
