An AI coding agent on your laptop runs with your shell. It can rm , it can curl secrets | nc , it can write to .github/workflows . The native guardrail in Claude Code is an allowlist: you pre-grant a set of permitted tools and it auto-denies the rest. That works, but it's blunt. It decides on the tool name, not on what the call is about to do. Bash is either allowed or it isn't. I wanted the gate to read each action instead. Read-only stuff runs. A test run runs. A write inside the directory I s