/clampd-guard

Security for Claude Code and Cursor โ€” no code changes.

A pre/post tool-call hook for Claude Code and Cursor. Every Bash, Read, Write, Edit, WebFetch the IDE tries to run gets verified by the Clampd gateway before it executes. Install with one command, hook with one more, then forget about it.

cargo binstall clampd-guard clampd-guard setup --target claude-code
Targets: Claude Code ยท Cursor Install: single binary Hooks: pre + post tool Tests: 33 covering hook protocol
The problem

The default trust model in Claude Code and Cursor is "the LLM picks the tool, the tool runs with whatever credentials your shell has." A shell command is a shell command. A file write is a file write. Your IDE doesn't differentiate between "list my files" and "delete my SSH keys."

The good news: both Claude Code and Cursor expose pre and post tool-call hooks. They don't currently use these for security; they're meant for telemetry. That's the seam we use.

How it works 
Developer uses AI tool
  โ†“
IDE calls clampd-guard (PreToolUse hook, stdin = JSON payload)
  โ†“
clampd-guard reads stdin:
  { "hook_event_name": "PreToolUse",
    "tool_name": "Bash",
    "tool_input": { "command": "rm -rf /" } }
  โ†“
POST /v1/proxy to gateway โ†’ 263 detection rules + Cedar policies
  โ†“
Exit 0 (allow) or Exit 2 (block, with reason)
  โ†“
IDE calls clampd-guard again (PostToolUse hook)
  โ†“
POST /v1/inspect โ†’ output checked for PII, secrets, credential leaks

Claude Code and Cursor pass hook data via stdin as JSON (not environment variables). The guard reads stdin, parses, sends the call to the Clampd gateway, and returns the verdict via exit code. The IDE respects exit code 2 as a block.

Integration flow
01 IDE / coding agent about to run a tool Claude Code, Cursor, Cline 02 clampd-guard pre-hook fires before tool runs file writes, shell, network 03 Clampd Gateway evaluates the call rules, policy, session stdin JSON POST /v1/proxy allow (exit 0) deny (exit 2) Tool runs with IDE privileges Post-hook scans output, audit emit stdout Audit logged PII, secrets, outcome /v1/inspect Blocked reason returned to IDE structured reason returned to IDE

Pre-hook stops the tool before damage. Post-hook logs the outcome. Same exit-code contract every IDE understands.

What it catches

The guard inherits the gateway's full ruleset (263 detection rules across 12 categories). Concretely, on the AI-coding-tool surface:

ToolScopeWhat gets checked
Bash, terminalexec:shell:runShell injection, destructive ops (rm -rf, dd if=), reverse shells, crypto-mining persistence, unauthorised package installs
Read, Glob, Grepfs:file:readSensitive file access (.env, .ssh/, credentials, .aws/), path traversal
Write, Editfs:file:writeWrites outside approved directories, executable file drops, persistence mechanisms
WebFetch, WebSearchnet:http:outboundSSRF (cloud metadata endpoints), exfiltration patterns, credential leakage in URLs
Agentagent:delegate:spawnDelegation depth limits, cycle detection, scope-violation sub-agents
mcp__github__*, mcp__*__*scm:git:* etc.Per-MCP-server tool category mapping; rules apply per category

Tools that haven't been mapped to a scope category get empty scopes (denied by default). This is deliberate: it prevents auto-generated scopes from bypassing rule detection. The dashboard's Tool Descriptors page is where admins assign categories.

Capabilities

Tool discovery

clampd-guard sync walks Claude Code's built-ins, Cursor's built-ins, and any MCP servers configured in ~/.claude/settings.json or ~/.cursor/mcp.json. Each tool is registered in the gateway dashboard for category assignment.

One-step setup

clampd-guard setup validates the gateway, writes config to ~/.clampd/guard.json, and installs hooks in your IDE settings file in one command. Idempotent.

Configurable strictness

fail_open controls behaviour when the gateway is unreachable. skip_low_risk bypasses gateway calls for read-only tools (Read, Glob, Grep) so a network blip doesn't block routine reads. timeout_ms bounds the per-call wait.

PostToolUse output check

After the tool runs, the guard sends the output to /v1/inspect for PII, secrets, and credential-leak detection. Catches the case where the tool itself returned sensitive data.

Commands 
# One-step setup (validates gateway, writes config, installs hooks in your IDE)
clampd-guard setup --url https://gateway.clampd.dev --key ag_live_... \
  --agent <uuid> --secret ags_... --target claude-code

# Discover and register all available tools
clampd-guard sync                            # Claude Code + Cursor + MCP servers
clampd-guard sync --target claude-code        # Claude Code only
clampd-guard sync --target cursor             # Cursor only

# Hook lifecycle (install / uninstall hook registration in IDE settings)
clampd-guard hook install                    # Claude Code (default)
clampd-guard hook install --target cursor
clampd-guard hook uninstall
clampd-guard hook uninstall --target cursor

# Hook mode (called automatically by IDE โ€” reads stdin JSON, exits 0/2)
clampd-guard                                  # no subcommand

The hook install and hook uninstall commands are reversible โ€” they edit your IDE's settings file (~/.claude/settings.json or ~/.cursor/mcp.json) and can be backed out cleanly. The guard never modifies anything outside its own config and the IDE's hook configuration block.

Config 
// ~/.clampd/guard.json
{
  "gateway_url":    "https://gateway.clampd.dev",
  "api_key":        "ag_live_...",
  "agent_id":       "<uuid>",
  "secret":         "ags_...",
  "skip_low_risk":  false,
  "fail_open":      false,
  "timeout_ms":     2000
}
For enterprise, managed developer fleets

The single-developer install is fine for individual engineers. The high-leverage use case is protecting every employee's IDE in a 200 to 2000-person org: same gateway, same policy, same audit trail across the whole fleet of Claude Code, Cursor, and Cline installations. Security gets centralised visibility. Compliance gets one control to point at for SOC 2, HIPAA, and FedRAMP audits. The CISO gets a kill-switch that works the moment an engineer is offboarded.

What changes between one developer and a thousand isn't the runtime path. Every guard hook still goes to your gateway, every call still gets evaluated, every decision still gets logged. What changes is the fleet-management surface: how you install, how you authenticate, how you scope policies per team, and how you remotely stop a specific employee's IDE.

Available today, pilot-ready

  • Pre and post-hook contract on every developer's IDE routes to your central gateway
  • One policy applied to every employee's tool calls, gateway-side enforcement
  • Every Claude Code, Cursor, Cline action logged to your ClickHouse with reason
  • Kill-switch at the agent layer, instant deny across the fleet
  • Source-available under BSL-1.1, security team reads every line before deploying

Roadmap, design partners

  • MDM installers: Jamf, Intune, Kandji
  • SSO identity binding: Okta, Azure AD, Google Workspace
  • Team-scoped RBAC policies: engineering vs. marketing vs. data-science
  • Per-employee remote suspend, revoke a specific user's IDE access instantly
  • Tamper-resistant daemon mode: auto-restart, signed binary, audit gap if disabled
  • Fleet auto-update channel
What it stops in a real org

Code exfiltration

Engineer's coding assistant tries to push a private repo to a public mirror or send a file outside approved hosts. Blocked with reason logged to the audit trail.

Secret leakage

Cursor agent reads ~/.aws/credentials or a .env file and tries to forward to an LLM provider. Blocked before the request leaves the machine.

Destructive shell

Junior dev's coding assistant runs rm -rf, drops a production database, or pushes to main outside its sanctioned scope. Blocked, with the attempted command in the audit row.

Offboarding day

An engineer just left the company. Security admin suspends their guard instance. Every tool call from that IDE now returns a deny, immediately, without anyone touching the laptop.

Design partner programme

Running 50+ developers on Claude Code, Cursor, or Cline? We're taking enterprise design partners now. Get the available-today capabilities deployed in your fleet, give us input on the roadmap items above, get a custom shaping for your environment. Talk to us about a pilot.

Honest limits

The guard depends on Claude Code and Cursor honouring their own hook contracts. If the IDE updates its hook protocol or the user disables hooks, the guard stops being in the path. We track upstream protocol changes; check the changelog before upgrading the IDE in production environments. The guard is also not a sandbox โ€” once a call passes the gateway check, the actual tool runs with whatever process privileges the IDE has. Combine with OS-level least-privilege for full defence.

Three commands to install

Single binary. No agent rewrites. Works with Claude Code and Cursor today. Self-hosted gateway optional; managed gateway available.

cargo binstall clampd-guard

clampd-guard setup \
  --url https://gateway.clampd.dev \
  --key ag_live_YOUR_KEY \
  --agent YOUR_AGENT_UUID \
  --secret ags_YOUR_SECRET \
  --target claude-code

clampd-guard sync
Get a gateway โ†’ All products