Hard Enforcement via Hooks
Hook-based Safety Guardrails
Hooks intercept dangerous commands before execution — independent of the agent's prompt. In our ToolEmu benchmark, AXME achieved 100% safety accuracy with 0% false positives on tested cases, including runs in bypassPermissions mode.
The problem: agents run dangerous commands
AI coding agents have shell access. Prompts don't stop them. The consequences are real.
Prompts can be bypassed
Telling an agent "don't push to main" is a suggestion, not enforcement. The agent can rationalize around any prompt instruction. A convincing hallucination is all it takes.
Real horror stories
A terraform destroy that wiped 1.9 million database rows. The Clinejection supply chain attack that injected malicious code through AI agents. These aren't hypothetical.
2.74x more security vulnerabilities
Research shows AI-assisted code contains 2.74x more security vulnerabilities than human-written code. Agents move fast and break things — literally.
bypassPermissions makes it worse
Power users run Claude Code in bypassPermissions mode for speed. Every command auto-approved. One hallucinated rm -rf / away from disaster.
Hooks vs. Prompts
A prompt says "please don't." A hook says "you cannot."
Prompt-based safety
- ✕ Instructions in CLAUDE.md or system prompt
- ✕ Agent can rationalize around any instruction
- ✕ No enforcement mechanism — just text
- ✕ Fails silently — you only learn after damage
- ✕ Bypassed by bypassPermissions mode
Hook-based safety (AXME Code)
- ✓ pre-tool-use hook runs before every command
- ✓ Exit code 2 = command blocked. Deterministic.
- ✓ Cannot be bypassed — even in bypassPermissions mode
- ✓ Fails loudly — agent sees block message and reason
- ✓ Rules checked via pattern matching, not LLM reasoning
What's blocked by default
Out of the box, AXME Code blocks the most dangerous commands. No configuration needed.
Git operations
- git push --force
- git push --force-with-lease
- git reset --hard
- git tag / git push --tags
Destructive system commands
- rm -rf /
- chmod 777
- curl | sh / wget | sh
Publishing & deployment
- npm publish
- gh release create
- gh workflow run deploy-prod
Sensitive file writes
- .env files
- .pem / .key files
- credentials.json
Add your own rules
The defaults cover the basics. Your project has its own constraints. Add custom safety rules during any session.
# During a Claude Code session, tell the agent:
"Add a safety rule: never run database migrations directly. Always use the migration tool."
# The agent calls axme_update_safety, which persists the rule.
# Or edit rules.yaml directly:
cat .axme-code/safety/rules.yaml
Real example: force push blocked
Here's what happens when your agent tries to run a dangerous command.
# Agent attempts:
git push --force origin main
BLOCKED by pre-tool-use hook
Rule: no-force-push
Pattern: git push --force
Reason: Force push to remote is prohibited. Use regular push or create a new branch.
Exit code: 2 (command not executed)
Agent sees the block message and adjusts:
git push origin feature-branch
✓ Allowed
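How a pattern-matching pre-tool-use check with the exit-code-2 contract can be written, as an added example that is not AXME Code's own implementation. It assumes the hook receives the tool call as JSON on stdin with tool_name and tool_input fields (the shape Claude Code passes to PreToolUse hooks); every rule name except no-force-push, and all the regexes, are constructed for illustration.

```python
import json
import re
import sys
from pathlib import PurePosixPath

# Constructed rules modelled on the defaults listed above. Only the name
# "no-force-push" appears on the page; other names and all regexes are assumptions.
COMMAND_RULES = [
    ("no-force-push", r"\bgit\s+push\b.*\s(--force(-with-lease)?|-f)\b",
     "Force push to remote is prohibited."),
    ("no-hard-reset", r"\bgit\s+reset\b.*\s--hard\b", "Hard reset is prohibited."),
    ("no-pipe-to-shell", r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b",
     "Piping a download into a shell is prohibited."),
    ("no-npm-publish", r"\bnpm\s+publish\b", "Publishing is prohibited."),
]
SENSITIVE_FILE = re.compile(r"^\.env(\..*)?$|\.(pem|key)$|^credentials\.json$")


def evaluate(event):
    """Return (rule, reason) if the tool call must be blocked, else None."""
    tool = event.get("tool_name", "")
    args = event.get("tool_input") or {}
    if tool == "Bash":
        command = " ".join(args.get("command", "").split())  # collapse whitespace
        for name, pattern, reason in COMMAND_RULES:
            if re.search(pattern, command):
                return name, reason
    elif tool in ("Write", "Edit"):
        filename = PurePosixPath(args.get("file_path", "")).name
        if SENSITIVE_FILE.search(filename):
            return "no-secret-writes", f"Writing {filename} is prohibited."
    return None


def main():
    try:
        verdict = evaluate(json.load(sys.stdin))
    except (ValueError, AttributeError):
        # Design choice in this example: unparseable input fails closed.
        verdict = ("malformed-input", "Hook input could not be parsed.")
    if verdict:
        name, reason = verdict
        print(f"BLOCKED by pre-tool-use hook\nRule: {name}\nReason: {reason}",
              file=sys.stderr)
        sys.exit(2)  # exit code 2 = command blocked, message goes back to the agent
    sys.exit(0)


if __name__ == "__main__":
    main()
```

The -f alternative in the force-push regex is there because a rule written only for --force would not match git's short flag; test each rule against the flag spellings it is meant to cover.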
Stop hoping your agent behaves
Install guardrails that work. One command, zero config.
# Install via Claude Code plugin (recommended)
/plugin marketplace add anthropics/claude-plugins-community
/plugin install axme-code@claude-community
# Or install the standalone CLI
curl -fsSL https://raw.githubusercontent.com/AxmeAI/axme-code/main/install.sh | bash
# Set up your project
cd your-project && axme-code setup
# Safety hooks are active immediately
claude