Claude Code is powerful.
It can also silently write to your .env or run rm -rf.
You find out after it happens.
Waymark is an MCP server that intercepts
every agent action before it executes...
Waymark sits between an AI agent (Claude Desktop, Claude Code) and the filesystem. Every write_file, read_file, and bash call passes through Waymark before execution. Waymark:
- Checks policy — blocks or queues the action if it violates waymark.config.json
- Logs to SQLite — records every action with full input, output, and policy decision
- Exposes a web UI — live dashboard at http://localhost:3001 showing all actions
- Supports rollback — restores any overwritten file, or deletes any newly created file
- Approval flow — pending actions can be approved (executes the action) or rejected from the UI or Slack
Setup:
cd your-project
npx @way_marks/cli init
npx @way_marks/cli start
What policies would you add to the default config?
What files should be protected that aren't already?
Top comments (0)