Claude Code is powerful.
It can also silently write to your .env or run rm -rf.
You find out after it happens.
Waymark is an MCP server that intercepts
every agent action before it executes...
Waymark sits between an AI agent (Claude Desktop, Claude Code) and the filesystem. Every write_file, read_file, and bash call passes through Waymark before execution. Waymark:
- Checks policy — blocks or queues the action if it violates waymark.config.json
- Logs to SQLite — records every action with full input, output, and policy decision
- Exposes a web UI — live dashboard at http://localhost:3001 showing all actions
- Supports rollback — restores any overwritten file, or deletes any newly created file
- Approval flow — pending actions can be approved (executes the action) or rejected from the UI or Slack
Setup:
cd your-project
npx @way_marks/cli init
npx @way_marks/cli start
What policies would you add to the default config?
What files should be protected that aren't already?
Top comments (1)
The problem statement hits precisely: Claude Code is powerful, and that power is exactly why you need a control layer between the agent and the filesystem. The Waymark intercept pattern (block/queue policy violations, log everything, expose a dashboard) is the right architectural instinct.
The filesystem is the local development version of a broader problem. In production, the same issue appears at the MCP server layer: agents calling GitHub, databases, Slack, internal APIs — all with tool-call access that's hard to audit, impossible to selectively terminate, and rarely protected against PII leakage into the LLM context.
Vinkius (vinkius.com) addresses this at the production infrastructure level. It runs 2,000+ pre-governed MCP servers inside V8 Isolate sandboxes, with SHA-256 cryptographic audit trails per tool call, compiled PII redaction before payloads reach the model, and a global kill switch. The SDK is Vurb.ts. The architecture mirrors what Waymark does locally — intercept before execute, log with immutability, maintain override capability — but at the protocol layer across all MCP tool calls in production.
Waymark solves the local developer trust problem. Vinkius solves the production deployment trust problem. Both are necessary. Good write-up — the "you find out after it happens" framing is exactly why proactive interception is the right architecture.