failproofai ships with 26 built-in policies that catch common agent failure modes. Each policy fires on a specific hook event type and tool name. Eight policies accept parameters that let you tune their behavior without writing code.

Overview

Policies are grouped into categories:
| Category | Policies | Hook type |
| --- | --- | --- |
| Dangerous commands | block-sudo, block-rm-rf, block-curl-pipe-sh, block-failproofai-commands | PreToolUse |
| Secrets (sanitizers) | sanitize-jwt, sanitize-api-keys, sanitize-connection-strings, sanitize-private-key-content, sanitize-bearer-tokens | PostToolUse |
| Environment | block-env-files, protect-env-vars | PreToolUse |
| File access | block-read-outside-cwd, block-secrets-write | PreToolUse |
| Git | block-push-master, block-work-on-main, block-force-push, warn-git-amend, warn-git-stash-drop, warn-all-files-staged | PreToolUse |
| Database | warn-destructive-sql, warn-schema-alteration | PreToolUse |
| Warnings | warn-large-file-write, warn-package-publish, warn-background-process, warn-global-package-install | PreToolUse |

Policies prefixed with block- stop the agent from proceeding. Policies prefixed with warn- give the agent additional context so it can self-correct. Policies prefixed with sanitize- scrub sensitive data from tool output before the agent sees it.

Dangerous commands

Prevent agents from running operations that are hard to undo or that could damage the host system.

block-sudo

Event: PreToolUse (Bash)
Default: Denies any sudo command.
Blocks invocations that include the sudo keyword. Pattern matching is done on parsed command tokens, not the raw string, to prevent bypass via shell operator injection.
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| allowPatterns | string[] | [] | Exact command prefixes that are permitted. Each entry is matched against the parsed argv tokens. |
Example:
{
  "policyParams": {
    "block-sudo": {
      "allowPatterns": ["sudo systemctl status", "sudo journalctl"]
    }
  }
}
With this config, sudo systemctl status nginx is allowed, but sudo rm /etc/hosts is denied.
Patterns are matched against parsed tokens, not the raw command string. This prevents bypass via appended shell operators (e.g. sudo systemctl status x; rm -rf / does not match sudo systemctl status *).
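
The difference between token matching and raw-string matching, as an added example (this is not failproofai's own code; parse, checkSudo and naiveAllowed are hypothetical names, and the shell splitter is deliberately simplified). It goes slightly beyond the page's single case by also covering quoting and token boundaries.

```javascript
// Added illustration, not failproofai's source. parse() is a small shell-word
// splitter written for this example (quotes, backslashes, ; | & && || newline).
const unquote = (w) => w.replace(/\\(.)|"((?:[^"\\]|\\.)*)"|'([^']*)'/g,
  (_, esc, dq, sq) => esc ?? (dq !== undefined ? dq.replace(/\\(.)/g, "$1") : sq));

function parse(command) {
  // Command substitution is not modelled here, so refuse to guess.
  if (/`|\$\(/.test(command)) return null;
  const re = /[ \t]*(?:(&&|\|\||[;|&\n])|((?:[^\s;|&"'\\]|\\.|"(?:[^"\\]|\\.)*"|'[^']*')+))/y;
  const argv = [];
  let operators = 0;
  let pos = 0;
  while (pos < command.length) {
    re.lastIndex = pos;
    const m = re.exec(command);
    if (!m) break;
    pos = re.lastIndex;
    if (m[1]) operators++;
    else argv.push(unquote(m[2]));
  }
  // Leftover text (for example an unbalanced quote) means the parse failed.
  return command.slice(pos).trim() === "" ? { argv, operators } : null;
}

function checkSudo(command, allowPatterns = []) {
  const parsed = parse(command);
  if (parsed === null) return "deny";            // fail closed
  const { argv, operators } = parsed;
  if (!argv.includes("sudo")) return "allow";    // not this policy's concern
  if (operators > 0) return "deny";              // a prefix vouches for one simple command only
  const hit = allowPatterns.some((p) => {
    const want = p.trim().split(/\s+/);
    return want.length <= argv.length && want.every((t, i) => argv[i] === t);
  });
  return hit ? "allow" : "deny";
}

// The raw-string prefix check that token matching replaces.
const naiveAllowed = (command, allowPatterns) =>
  allowPatterns.some((p) => command.startsWith(p));

const ALLOW = ["sudo systemctl status", "sudo journalctl"]; // from the config above
```

With ALLOW, the raw-string check accepts both sudo systemctl status x; rm -rf / and sudo systemctl status-all, while the token check denies them.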

block-rm-rf

Event: PreToolUse (Bash)
Default: Denies rm -rf, rm -fr, and similar recursive deletion forms.
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| allowPaths | string[] | [] | Paths that are safe to recursively delete (e.g. /tmp). |
Example:
{
  "policyParams": {
    "block-rm-rf": {
      "allowPaths": ["/tmp", "/var/cache"]
    }
  }
}

block-curl-pipe-sh

Event: PreToolUse (Bash)
Default: Denies curl <url> | bash, curl <url> | sh, wget <url> | bash, and similar patterns.
No parameters.

block-failproofai-commands

Event: PreToolUse (Bash)
Default: Denies commands that would uninstall or disable failproofai itself (e.g. npm uninstall failproofai, failproofai policies --uninstall).
No parameters.

Secrets (sanitizers)

Stop agents from leaking credentials into their context or output. Sanitizer policies fire on PostToolUse events. When Claude runs a Bash command, reads a file, or calls any tool, these policies inspect the output before it is returned to Claude. If a secret pattern is detected, the policy returns a deny decision that prevents the output from being passed back.

sanitize-jwt

Event: PostToolUse (all tools)
Default: Redacts JWT tokens (three base64url segments separated by .).
No parameters.

sanitize-api-keys

Event: PostToolUse (all tools)
Default: Redacts common API key formats: Anthropic (sk-ant-), OpenAI (sk-), GitHub PATs (ghp_), AWS access keys (AKIA), Stripe keys (sk_live_, sk_test_), and Google API keys (AIza).
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| additionalPatterns | { regex: string; label: string }[] | [] | Additional regex patterns to treat as secrets. |
Example:
{
  "policyParams": {
    "sanitize-api-keys": {
      "additionalPatterns": [
        { "regex": "myco_[A-Za-z0-9]{32}", "label": "MyCo internal API key" },
        { "regex": "pat_[0-9a-f]{40}", "label": "Internal PAT" }
      ]
    }
  }
}
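
A way to vet custom patterns before putting them in additionalPatterns, as an added example (not failproofai code). It assumes the regex strings are compiled as JavaScript regular expressions; vetPattern, vetAll and every sample string are constructed for the illustration. Because a sanitizer hit keeps tool output from reaching the agent, an over-broad pattern is as much a problem as one that misses.

```javascript
// Added illustration, not failproofai code. Assumes the "regex" strings are
// compiled as JavaScript regular expressions; all sample strings are constructed.
const additionalPatterns = [
  { regex: "myco_[A-Za-z0-9]{32}", label: "MyCo internal API key" }, // from the page
  { regex: "pat_[0-9a-f]{40}", label: "Internal PAT" },              // from the page
];

// Fake secrets each rule is meant to catch (constructed, not real credentials).
const SECRETS = {
  "MyCo internal API key": "MYCO_KEY=myco_" + "A1b2".repeat(8),
  "Internal PAT": "token: pat_" + "0123456789abcdef0123".repeat(2),
};

// Ordinary tool output that must pass through untouched (constructed).
const BENIGN = [
  "commit 3f2a9c1e5b7d4a6c8e0f1a2b3c4d5e6f7a8b9c0d",
  "src/myco_client/pat_utils.js",
  "node_modules/.bin/eslint --max-warnings 0",
];

function vetPattern({ regex, label }, secret, benign) {
  let re;
  try {
    re = new RegExp(regex);
  } catch (e) {
    return [`${label}: does not compile (${e.message})`];
  }
  const problems = [];
  if (re.test("")) problems.push(`${label}: matches the empty string`);
  if (!re.test(secret)) problems.push(`${label}: misses its sample secret`);
  for (const line of benign) {
    if (re.test(line)) problems.push(`${label}: false positive on "${line}"`);
  }
  return problems;
}

// Returns a flat list of problems; an empty list means every pattern passed.
const vetAll = (patterns) =>
  patterns.flatMap((p) => vetPattern(p, SECRETS[p.label] ?? "", BENIGN));
```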

sanitize-connection-strings

Event: PostToolUse (all tools)
Default: Redacts database connection strings that contain embedded credentials (e.g. postgresql://user:password@host/db).
No parameters.

sanitize-private-key-content

Event: PostToolUse (all tools)
Default: Redacts PEM blocks (-----BEGIN PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY-----, etc.).
No parameters.

sanitize-bearer-tokens

Event: PostToolUse (all tools)
Default: Redacts Authorization: Bearer <token> headers where the token is 20 or more characters.
No parameters.

Environment

Protect sensitive environment configuration from being read or exposed by agents.

block-env-files

Event: PreToolUse (Bash, Read)
Default: Denies reading .env files via cat .env, Read tool calls with .env as the file path, etc.
Does not block .envrc or other environment-adjacent files - only files named exactly .env.
No parameters.

protect-env-vars

Event: PreToolUse (Bash)
Default: Denies commands that print environment variables: printenv, env, echo $VAR.
No parameters.

File access

Keep agents working inside project boundaries and away from sensitive files.

block-read-outside-cwd

Event: PreToolUse (Read, Bash)
Default: Denies reading files outside the current working directory (the project root).
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| allowPaths | string[] | [] | Absolute path prefixes that are permitted even if outside cwd. |
Example:
{
  "policyParams": {
    "block-read-outside-cwd": {
      "allowPaths": ["/shared/data", "/opt/company/config"]
    }
  }
}

block-secrets-write

Event: PreToolUse (Write, Edit)
Default: Denies writes to files commonly used for private keys and certificates: id_rsa, id_ed25519, *.key, *.pem, *.p12, *.pfx.
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| additionalPatterns | string[] | [] | Additional filename patterns (glob-style) to block. |
Example:
{
  "policyParams": {
    "block-secrets-write": {
      "additionalPatterns": [".token", ".secret"]
    }
  }
}

Git

Prevent accidental pushes, force-pushes, and branch mistakes that are hard to undo.

block-push-master

Event: PreToolUse (Bash)
Default: Denies git push origin main and git push origin master.
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| protectedBranches | string[] | ["main", "master"] | Branch names that cannot be pushed to directly. |
Example:
{
  "policyParams": {
    "block-push-master": {
      "protectedBranches": ["main", "master", "release", "prod"]
    }
  }
}
To allow pushing to all branches (effectively disabling this policy without removing it from enabledPolicies), set protectedBranches: [].

block-work-on-main

Event: PreToolUse (Bash)
Default: Denies checking out main or master branches directly.
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| protectedBranches | string[] | ["main", "master"] | Branch names that cannot be checked out directly. |

block-force-push

Event: PreToolUse (Bash)
Default: Denies git push --force and git push -f.
No parameters.

warn-git-amend

Event: PreToolUse (Bash)
Default: Instructs Claude to proceed carefully when running git commit --amend. Does not block the command.
No parameters.

warn-git-stash-drop

Event: PreToolUse (Bash)
Default: Instructs Claude to confirm before running git stash drop. Does not block the command.
No parameters.

warn-all-files-staged

Event: PreToolUse (Bash)
Default: Instructs Claude to review what it is staging when it runs git add . or git add -A. Does not block the command.
No parameters.

Database

Catch destructive SQL operations before they execute against your database.

warn-destructive-sql

Event: PreToolUse (Bash)
Default: Instructs Claude to confirm before running SQL containing DROP TABLE, DROP DATABASE, or DELETE without a WHERE clause.
No parameters.

warn-schema-alteration

Event: PreToolUse (Bash)
Default: Instructs Claude to confirm before running ALTER TABLE statements.
No parameters.

Warnings

Give agents extra context before potentially risky but non-destructive operations.

warn-large-file-write

Event: PreToolUse (Write)
Default: Instructs Claude to confirm before writing files larger than 1024 KB.
Parameters:
| Param | Type | Default | Description |
| --- | --- | --- | --- |
| thresholdKb | number | 1024 | File size threshold in kilobytes above which a warning is issued. |
Example:
{
  "policyParams": {
    "warn-large-file-write": {
      "thresholdKb": 256
    }
  }
}
The hook handler enforces a 1 MB stdin limit on payloads. To test this policy with small content, set thresholdKb to a value well below 1024.

warn-package-publish

Event: PreToolUse (Bash)
Default: Instructs Claude to confirm before running npm publish.
No parameters.

warn-background-process

Event: PreToolUse (Bash)
Default: Instructs Claude to be careful when launching background processes via nohup, &, disown, or screen.
No parameters.

warn-global-package-install

Event: PreToolUse (Bash)
Default: Instructs Claude to confirm before running npm install -g, yarn global add, or pip install without a virtual environment.
No parameters.

AI behavior

Detect when agents get stuck or behave unexpectedly.

warn-repeated-tool-calls

Event: PreToolUse (all tools)
Default: Instructs Claude to reconsider when the same tool is called 3+ times with identical parameters - a common sign the agent is stuck in a loop.
No parameters.

Beta policies

Some policies are marked beta and are not installed by default. To include them:
failproofai policies --install --beta
Beta policies may have rough edges or generate false positives. Run failproofai policies to see which policies carry the beta flag.

Disabling individual policies

Remove a specific policy from enabledPolicies in your config, or toggle it off in the dashboard’s Policies tab.
{
  "enabledPolicies": [
    "block-rm-rf",
    "sanitize-api-keys"
  ]
}
Policies not listed in enabledPolicies do not run, even if policyParams entries exist for them.
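
A config check for the two silent failure modes described on this page (parameters set for a policy that is not enabled, and protectedBranches: [] switching off block-push-master), as an added example that is not part of failproofai. lintConfig and the SAMPLE config are hypothetical; the parameter names are copied from the tables above.

```javascript
// Added illustration, not part of failproofai. Parameter names are copied from
// the tables on this page; the SAMPLE config at the bottom is constructed.
const PARAMS = new Map(Object.entries({
  "block-sudo": ["allowPatterns"],
  "block-rm-rf": ["allowPaths"],
  "sanitize-api-keys": ["additionalPatterns"],
  "block-read-outside-cwd": ["allowPaths"],
  "block-secrets-write": ["additionalPatterns"],
  "block-push-master": ["protectedBranches"],
  "block-work-on-main": ["protectedBranches"],
  "warn-large-file-write": ["thresholdKb"],
}));

function lintConfig(config) {
  const enabled = new Set(config.enabledPolicies ?? []);
  const findings = [];
  for (const [policy, params] of Object.entries(config.policyParams ?? {})) {
    const known = PARAMS.get(policy);
    if (!known) {
      findings.push(`${policy}: no parameters are documented for this policy`);
      continue;
    }
    if (!enabled.has(policy)) {
      findings.push(`${policy}: policyParams set but policy is not in enabledPolicies`);
    }
    for (const key of Object.keys(params)) {
      if (!known.includes(key)) findings.push(`${policy}.${key}: unknown parameter`);
    }
    if (policy === "block-push-master" && params.protectedBranches?.length === 0) {
      findings.push(`${policy}: protectedBranches is [], every branch can be pushed to`);
    }
  }
  return findings;
}

const SAMPLE = {
  enabledPolicies: ["block-rm-rf", "sanitize-api-keys", "block-push-master"],
  policyParams: {
    "block-sudo": { allowPatterns: ["sudo journalctl"] }, // never runs: not enabled
    "block-rm-rf": { allowPath: ["/tmp"] },                // typo for allowPaths
    "block-push-master": { protectedBranches: [] },        // disables the check
  },
};
```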