Original Reddit post

We grant permissions to Claude Code to run shell commands, read files, or write to the filesystem. However, we lack visibility into what's actually happening beyond the chat window.

The Falco project just announced Prempti, a tool that hooks into every Claude Code tool call before execution and returns a verdict: allow, deny, or ask. Runs in user space, no root required.

Policies are Falco YAML with agent-specific fields (tool.name, tool.input_command, tool.file_path).

It ships with a default ruleset that covers:

- sensitive paths
- working-directory boundaries
- MCP config poisoning
- persistence vectors

And a handful of threat patterns that can be expanded with custom rules in ~/.prempti/rules/user/.

Known limitations: Prempti works at hook-level, not syscall-level. It sees what the agent declares it's doing. If the agent compiles and runs a binary, Falco sees the compile and run commands, not what the binary does. They acknowledge Prempti is not a sandbox, and recommend working alongside one.

Demo: The README contains a demo that shows Claude Code getting blocked from writing to ~/.ssh/ and then trying to read ~/.ssh/known_hosts after the user told it to proceed. Prempti blocks both and the agent gets a structured explanation each time.

Prempti repo: https://github.com/falcosecurity/prempti

Formal announcement: https://falco.org/blog/introducing-prempti

submitted by /u/capitangolo

Originally posted by u/capitangolo on r/ClaudeCode
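
A conceptual sketch of the hook-level allow/deny/ask decision the post describes, added here as an example; it is not Prempti's code or its Falco rule format. The event dict keyed by the post's field names, the directory list, the tool-name set and all function names are assumptions made for illustration.

```python
import os
import shlex

# Constructed policy values for illustration; not Prempti's default ruleset.
SENSITIVE_DIRS = ("~/.ssh", "~/.aws", "~/.gnupg")
WRITE_TOOLS = {"Write", "Edit"}

def resolve(path, cwd, home):
    """Expand ~, anchor relative paths at cwd, collapse ../ and symlinks."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return os.path.realpath(os.path.join(cwd, path))

def is_under(path, root):
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)

def is_sensitive(path, cwd, home):
    target = resolve(path, cwd, home)
    return any(is_under(target, resolve(d, cwd, home)) for d in SENSITIVE_DIRS)

def verdict(event, cwd, home):
    """Return 'allow', 'deny' or 'ask' for one declared tool call."""
    file_path = event.get("tool.file_path")
    if file_path:
        if is_sensitive(file_path, cwd, home):
            return "deny"
        outside = not is_under(resolve(file_path, cwd, home), resolve(cwd, cwd, home))
        if event.get("tool.name") in WRITE_TOOLS and outside:
            return "ask"   # write outside the working directory
    command = event.get("tool.input_command")
    if command:
        try:
            tokens = shlex.split(command)
        except ValueError:
            return "ask"   # unparseable command line: defer to the user
        # Only the declared text is visible here; what a launched binary
        # does afterwards is out of reach for a hook-level check.
        if any(("/" in t or t.startswith("~")) and is_sensitive(t, cwd, home)
               for t in tokens):
            return "deny"
    return "allow"
```

The compile-and-run case returns "allow" because the declared command names no sensitive path, which is the hook-level limitation the post points out.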