Stop clicking approve.
Let Claude Code run.
You wanted an autonomous agent, not a permission prompt that fires every thirty seconds. Rubric lets Claude Code run unattended and silently allows the safe stuff — while blocking the commands that can actually wreck your machine: rm -rf /, force-pushes, secret reads, curl | sh. Free, local, no account.
Pairs with claude --dangerously-skip-permissions — so skipping prompts isn't a leap of faith.
Policy block-secret-files matched.
input.file_path matched (?i)(\.env|\.pem$|/\.ssh/|…)
Today you get two options. Both are bad.
You babysit the prompt
Claude Code stops on every Bash, every write, every fetch and waits for you to click. You're not running an autonomous agent — you're a human in a permission loop, and you rubber-stamp “yes” until you stop reading them.
You skip and pray
Flip on YOLO mode and the prompts vanish — along with every guardrail. Now one stray git reset --hard, a cat of your .env, or a curl piped into a shell runs with nothing standing in front of it.
Rubric is the third option: skip the prompts, keep a floor under you. The safe 99% runs untouched; the genuinely dangerous 1% is stopped cold.
Yes to everything safe.
No to what's actually dangerous.
Rubric runs as a hook on every tool call Claude Code makes. The vast majority — reads, edits, tests, builds, ordinary git — are waved straight through, no prompt. Only the small set of genuinely destructive actions is stopped, with the reason printed inline so the model adapts instead of stalling.
Runs at machine speed, unattended
No “1. Yes 2. No” to answer. The agent works through its task end to end while you're in another window — Rubric only interrupts for the calls that warrant it.
Default-deny on the dangerous set
A safety pack ships the moment you install. The genuinely destructive stuff is denied outright; a tunable middle tier (sudo, recursive deletes, writes under /etc) asks first; everything else runs free.
Named reasons, in your terminal
Every stop prints the exact policy that fired, inline in Claude Code. You know precisely why — and the model reads it too, so it routes around the wall instead of flailing into it.
One editable file. Plain allow / ask / deny — no DSL to learn.
The short list of things we’ll never let run unattended
Autopilot isn't reckless. Even with permissions skipped entirely, this set is denied or held for a prompt every time — the commands that, run on their own, can lose your work, leak your secrets, or torch your machine.
Destructive shell, denied
rm -rf /, pipe-to-shell (curl | sh), forkbombs, chmod 777 /, force-push to main — denied outright. sudo, recursive deletes, and writes under /etc route to a prompt first.
Secret files, shielded
Reads of .env, .pem, and SSH / AWS / kube credentials are denied before the agent ever sees them — in their common path and verb forms.
SSRF / metadata, blocked
Fetches to localhost, private ranges, link-local, and cloud-metadata endpoints (169.254.169.254 and friends) are denied.
Your repo, protected
force-push to main, history rewrites, and branch deletes are stopped — the operations that turn an unattended run into a bad afternoon.
Yours to tune
The danger set is an editable local file. Loosen what your workflow needs, tighten what it doesn’t — in plain allow / ask / deny.
CLAUDE.md, made deterministic
The rules you already wrote — “never push to main,” “ask before committing” — applied the same way every time, instead of decaying after the next compaction.
allow · ask · deny — one editable file at ~/.config/rubric/policies.json
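An added illustration of the check the SSRF / metadata card describes, not Rubric's own code: it classifies a fetch URL against loopback, private, link-local and metadata destinations, including numeric and IPv4-mapped spellings of the same address. The function name, the reason strings and the `metadata.google.internal` entry are assumptions made for this example.

```javascript
// Added example, not Rubric's implementation; every name here is hypothetical.
const net = require('node:net');

// Destination classes the page lists: [reason, subnet, prefix, family].
const RULES = [
  ['loopback', '127.0.0.0', 8, 'ipv4'],
  ['loopback', '::1', 128, 'ipv6'],
  ['unspecified', '0.0.0.0', 8, 'ipv4'],
  ['private', '10.0.0.0', 8, 'ipv4'],
  ['private', '172.16.0.0', 12, 'ipv4'],
  ['private', '192.168.0.0', 16, 'ipv4'],
  ['private', 'fc00::', 7, 'ipv6'],
  ['link-local', '169.254.0.0', 16, 'ipv4'], // includes 169.254.169.254
  ['link-local', 'fe80::', 10, 'ipv6'],
].map(([reason, subnet, prefix, family]) => {
  const list = new net.BlockList();
  list.addSubnet(subnet, prefix, family);
  return { reason, family, list };
});

// Names that point at this machine or a metadata service without any DNS lookup.
const LOCAL_NAMES = /(^|\.)localhost$|^metadata\.google\.internal$/i;

// ::ffff:a9fe:a9fe -> 169.254.169.254, so IPv4 rules also see IPv4-mapped IPv6.
function unmap(host) {
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(host);
  if (!m) return host;
  const [hi, lo] = [parseInt(m[1], 16), parseInt(m[2], 16)];
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join('.');
}

function checkFetchUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { decision: 'deny', reason: 'unparseable' }; }
  if (!/^https?:$/.test(url.protocol)) return { decision: 'deny', reason: 'scheme' };
  // URL parsing has already canonicalised 2130706433 or 0x7f.1 to 127.0.0.1.
  const host = unmap(url.hostname.replace(/^\[|\]$/g, '').replace(/\.$/, ''));
  const family = { 4: 'ipv4', 6: 'ipv6' }[net.isIP(host)];
  if (!family) {
    // A name is only matched literally here. A real guard must also check the
    // resolved address at connect time, because DNS can point a name anywhere.
    return LOCAL_NAMES.test(host)
      ? { decision: 'deny', reason: 'local-name' }
      : { decision: 'allow', reason: 'name' };
  }
  const hit = RULES.find((r) => r.family === family && r.list.check(host, family));
  return hit ? { decision: 'deny', reason: hit.reason } : { decision: 'allow', reason: 'public' };
}
```

Matching on the parsed hostname rather than the raw string is what catches the alternate spellings; a substring match on `169.254.169.254` would miss the decimal, hex and IPv4-mapped forms.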
And if something destructive slips through —
rewind it in one command.
No safety floor is perfect, so autopilot ships with a net under the net. Rubric snapshots your working tree the instant before a destructive git command runs — into a hidden shadow repo your real .git never sees — so rubric undo can bring it back. Claude Code's own /rewind can't undo bash-driven changes; this can.
Snapshots before the damage
reset --hard, checkout -- ., restore, clean -fd, stash drop/clear, rebase, branch -D — each is snapshotted into a hidden shadow repo your real .git never sees.
rubric undo brings it back
Restores modified and deleted files and removes whatever the agent created after. Each snapshot is labeled with the prompt the agent was working on, so you know which point to pick. The undo is itself reversible.
Entirely local
The shadow repo lives on your machine and never leaves it. On by default; opt out with RUBRIC_SEATBELT=0.
Runaway circuit breaker
Coming soon. The other half of unattended: pause an agent stuck in a loop (same command N times, or N calls with no file progress) and cap a session by tool calls or wall-clock. The thing that stops the $4,000 weekend bill. Only a stateful daemon can do it.
Runs on your machine. Records nothing. Costs nothing.
No account, no login, no telemetry. In solo mode the daemon wires a no-op sink — nothing about your code, commands, or paths ever leaves your machine. Even the seatbelt's snapshots are local-only. The SDK is open source under MIT, on GitHub.
Want your guardrails to follow you across machines, or to share a safety pack with a team? That's where Rubric grows up →
On autopilot in under a minute
Install, then init
npm install -g @rubric-app/claude-code && rubric init — installs the CLI, then patches ~/.claude/settings.json and starts the loopback daemon.
Pick “just protect me”
The solo path: no login, nothing leaves your machine. The default safety pack and git seatbelt are armed immediately.
Let it run
Start Claude Code — skip the permission prompts and walk away. Dangerous calls are stopped or held, and a snapshot is waiting if anything destructive slips through.
Let it run.
Your safety harness.
One command. No account. Skip the prompts, keep the floor. Uninstall anytime — rubric uninstall removes the hooks and config cleanly.
Best-effort, not bulletproof — keep your commits. Rubric is the seatbelt, not a reason to stop wearing one.