Show HN: Real-time Claude permission management with a cloud-based decision table
Show HN: Control Claude permissions using a cloud-based decision table UI

Original link: https://github.com/rulebricks/claude-code-guardrails

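## Rulebricks: Enhanced Governance for Claude Code

Rulebricks provides a centralized, dynamic way to manage the behavior of Claude Code agents, with advantages over editing the `settings.json` file directly. While basic JSON editing works for simple pattern matching, Rulebricks excels at instant policy updates, detailed audit trails, and conditional logic (for example, allowing `rm -rf` only on `node_modules`).

It intercepts tool use through a `PreToolUse` hook and sends a request to the Rulebricks API to obtain an allow/deny/ask decision. Setup consists of creating an account at rulebricks.com, forking a template (Bash Guardrails, File Access Policy, or MCP Tool Governance), customizing the rules, and copying your API key into the Claude environment.

Key benefits include instantly applied policies, searchable logs of blocked commands, and the ability for non-engineers to manage rules. Rulebricks offers cloud and private-infrastructure deployment options and allows data redaction to protect privacy. Removing Rulebricks involves deleting the hook script and the related Claude configuration settings.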

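## Controlling Claude with Visual Rules

A new tool, Rulebricks (github.com/rulebricks), lets users control Claude's behavior using a visual, cloud-based decision table interface and Claude's PreToolUse hook. This creates a powerful policy/gating layer for AI applications.

In essence, teams can define complex rules, such as restricting dangerous commands (for example `rm -rf /`) or requiring approval for network access, without modifying code. Changes to these policies can be deployed instantly and take effect immediately for all users and agents.

Rulebricks offers lightweight governance that adapts easily to new tools and metadata, and provides centralized visibility into tool usage and blocked actions, helping to understand *why* certain actions were restricted. The developers are seeking feedback on how others are using the PreToolUse hook.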

Original text

Example Table

settings.json works if:

  • You're fine editing JSON and killing Claude Code sessions every time policy changes
  • Your security team is comfortable making PRs
  • You don't need to know what got blocked, when, or for whom
  • Basic pattern matching like Bash(rm:*) covers your use cases

Use this if:

  • Policy changes need to apply instantly across your team—no git pull, no restart
  • Security/compliance needs a clear audit trail of every blocked command
  • You need conditional logic: "allow rm -rf on node_modules, deny everywhere else"
  • Non-engineers need to edit rules without touching config files

Rulebricks gives you instant governance from one hook.

Claude Code → PreToolUse hook → Rulebricks API → allow / deny / ask

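
The conditional rule quoted above ("allow rm -rf on node_modules, deny everywhere else") evaluated locally inside a PreToolUse hook, as an added example that is not Rulebricks' `guardrail.py` and makes no Rulebricks API call. `decide_bash`, `pre_tool_use` and `SHELL_META` are hypothetical names; the `tool_name` / `tool_input` / `cwd` input fields and the `hookSpecificOutput` response shape are assumed from Claude Code's hook documentation, not taken from this page.

```python
import json, os, re, shlex, sys

# Characters that chain, substitute or expand; a rule that inspects a single
# rm invocation cannot vouch for a command line that contains them.
SHELL_META = set(";&|`$<>(){}*?~\n")

def decide_bash(command, cwd):
    """Return (decision, reason); decision is 'allow', 'deny' or 'ask'."""
    if not re.search(r"\brm\b", command):
        return "allow", "no rm in command; outside this rule"
    if SHELL_META & set(command):
        return "ask", "rm inside a compound or expanded command"
    try:
        argv = shlex.split(command)
    except ValueError:
        return "ask", "command could not be tokenized"
    if os.path.basename(argv[0]) != "rm":
        return "ask", "rm is not the program being run"
    opts = [a for a in argv[1:] if a.startswith("-")]
    targets = [a for a in argv[1:] if not a.startswith("-")]
    recursive = any(o == "--recursive" or
                    (not o.startswith("--") and set(o) & {"r", "R"}) for o in opts)
    if "--" in opts or not recursive or not targets:
        return "ask", "not a plain recursive rm"
    for t in targets:
        # normpath collapses 'node_modules/../..'; symlinks are not resolved.
        rel = os.path.relpath(os.path.normpath(os.path.join(cwd, t)), cwd)
        parts = rel.split(os.sep)
        if parts[0] == os.pardir or "node_modules" not in parts:
            return "deny", f"recursive rm outside node_modules: {t}"
    return "allow", "recursive rm confined to node_modules"

def pre_tool_use(event):
    """Map a PreToolUse event dict to the hook's JSON decision."""
    if event.get("tool_name") == "Bash":
        command = event.get("tool_input", {}).get("command", "")
        decision, reason = decide_bash(command, event.get("cwd") or os.getcwd())
    else:
        decision, reason = "ask", "tool not covered by this table"
    return {"hookSpecificOutput": {"hookEventName": "PreToolUse",
                                   "permissionDecision": decision,
                                   "permissionDecisionReason": reason}}

if __name__ == "__main__":
    try:
        event = json.load(sys.stdin)
    except ValueError:
        event = {}  # malformed input falls through to "ask"
    print(json.dumps(pre_tool_use(event)))
```

Anything the rule cannot evaluate with confidence (chained commands, globs, unparseable input) returns `ask` rather than `allow`, so the hook fails toward a human decision.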
  1. Go to rulebricks.com and create an account
  2. Fork one of these templates from the "AI Agents" category:
    • Claude – Bash Guardrails — control shell commands
    • Claude – File Access Policy — control file read/write/edit
    • MCP Tool Governance — control MCP server operations
  3. Customize the rules for your team
  4. Publish the rule
  5. Copy your API key from the API tab

Automatically finds your rules

git clone https://github.com/rulebricks/claude-code-guardrails
cd claude-code-guardrails
./install.sh

Claude will detect your published rules and wire up the appropriate hooks.

You're done.

Template                   Matcher            What it controls
Bash Command Guardrails    Bash               Shell commands
File Access Policy         Read|Write|Edit    File operations
MCP Tool Governance        mcp__*             MCP server calls

Environment variables in ~/.claude/settings.json:

{
  "env": {
    "RULEBRICKS_API_KEY": "your-api-key",
    "RULEBRICKS_VERBOSE": "1"
  }
}

Variable              Description
RULEBRICKS_API_KEY    Your Rulebricks API key (required)
RULEBRICKS_VERBOSE    Set to 1 to log decisions to stderr

Edit your decision table and publish a new version. Changes apply immediately, with no restart and no redeployment.

Review the history of blocked commands in the Logs tab. You can query by tool, approval decision, and more. There are other meaningful perks to this data, like finding out which tool is being blocked the most.

Example Logs

You're free to edit the guardrail however you'd like to redact sensitive data before it hits our platform.

Also, while this works with our cloud environment, you can run this on private infrastructure, using your own logging provider. Reach out if that might be of interest.

# Remove hook script
rm ~/.claude/hooks/guardrail.py

# Remove from settings.json (manual)
# Edit ~/.claude/settings.json and delete:
#   - hooks.PreToolUse entry
#   - env.RULEBRICKS_* variables

Or, use this one-liner to remove the hook and settings:

rm ~/.claude/hooks/guardrail.py && python3 -c "
import json, os
p = os.path.expanduser('~/.claude/settings.json')
with open(p) as f:
    s = json.load(f)
# Drops the whole hooks.PreToolUse entry, including any other PreToolUse hooks
s.get('hooks', {}).pop('PreToolUse', None)
for k in list(s.get('env', {})):
    if k.startswith('RULEBRICKS_'):
        s['env'].pop(k)
with open(p, 'w') as f:
    json.dump(s, f, indent=2)"