Runwall

Runtime security for Claude Code, Codex, and MCP-native coding clients. Protect shell, git, MCP, secrets, plugins, skills, and risky agent actions before they turn into damage.

Runwall adds a practical security layer around coding-agent runtimes to reduce prompt injection fallout, secret leakage, unsafe command execution, dangerous git operations, and risky MCP, plugin, or skill configurations.

It now does both:

• audit mode for scanning agent configs, hooks, MCP servers, skills, plugins, and instruction files
• runtime mode for inline enforcement, prompting, blocking, and redaction

It is built for solo builders, startups, security-minded teams, and larger orgs that want safer defaults around AI coding workflows.

Why Runwall?

Coding agents are useful because they can read files, run shell commands, use git, connect to MCP tools, and increasingly work across more than one runtime.

That is also exactly why they need guardrails.

Runwall helps reduce real-world risk around:

• secret leakage
• agent session theft and desktop credential store access
• prompt injection and exfiltration paths
• indirect prompt injection hidden in files, web pages, shell output, and MCP responses
• unsafe shell execution
• dangerous git and repo actions
• SSH trust downgrades and audit evasion
• shell-profile, scheduled-task, and SSH-key persistence
• hosts-file and sudo-policy tampering
• plaintext git, netrc, and registry credential stores
• risky MCP and tool trust boundaries
• malicious skill, command, and instruction-doc poisoning
• cloud key creation and direct production shell access
• weak local defaults in agent workflows

It is practical, transparent, and built for real developer environments.

Runwall now supports four integration styles:

• native runtime adapters where hooks exist today, starting with Claude Code
• plugin or bundle installs for Codex and OpenClaw
• inline MCP gateway mode for Cursor, Windsurf, Claude Desktop, Claude Cowork, Codex fallback, and other MCP-capable clients
• CLI evaluation for pipeline and automation gates

What It Does

Runwall helps you:

• scan agent/runtime config and produce a scored report before you install anything
• block high-confidence risky actions before they run
• enforce MCP tool calls inline before they reach upstream servers
• scan MCP tool responses before they reach the runtime
• redact secret or prompt-smuggling content out of upstream tool responses while keeping JSON valid where possible
• block staged shell snippets and risky response payloads before they turn into follow-on execution
• fingerprint trusted MCP servers and tools over time instead of trusting same-name metadata forever
• detect server drift, schema drift, capability expansion, and same-name tool collisions before trust quietly widens
• require local review for suspicious multi-target MCP requests
• enforce outbound destination policy for private IPs, metadata endpoints, webhooks, paste sites, raw gist-style hosts, and non-allowlisted egress
• warn when tool output itself contains hidden prompt injection or jailbreak bait
• protect secrets, keys, tokens, and sensitive files
• block persistence through shell profiles, launch items, cron, systemd, and SSH authorized keys
• protect trusted config and instruction files from symlink hijack or stealth cleanup
• reduce dangerous shell, git, and repo behavior
• stop local trust-boundary tampering such as hosts-file remaps and sudoers weakening
• keep plaintext git, netrc, and registry credentials out of agent reach
• tighten MCP, plugin, skill, and tool trust boundaries
• block cloud key creation and direct prod-shell break-glass behavior
• explain every runtime decision with masked previews, evidence, confidence, and a safer alternative
• export masked incident bundles for review, triage, and post-incident handoff
• apply a safer default profile quickly
• keep security useful without turning the workflow into sludge

It works well on top of Claude Code sandbox mode too. Sandboxing helps contain damage. Runwall adds guard logic on top of that containment layer.

Who It Is For

• solo developers who want safer local AI coding
• startups moving fast but trying not to leak secrets or wreck repos
• security engineers and AppSec teams reviewing agent risk
• DevSecOps teams adopting MCP-based tools
• larger orgs that need a cleaner baseline before enterprise policy layers come later

It is much less relevant for plain chat-only usage where no tools, shell, git, or file actions are involved.

Fast Install

The cleanest install path is now the plugin or bundle path for the runtime you already use.

Claude Code Plugin

/plugin marketplace add efij/secure-claude-code
/plugin install runwall@runwall

Codex Plugin Bundle

This repo now ships a Codex bundle manifest in .codex-plugin/plugin.json and a shared MCP definition in .mcp.json.

If your Codex supports local plugin or bundle install, install this repo directly as runwall and restart Codex.

If you want the manual fallback:

./bin/runwall generate-runtime-config codex balanced

OpenClaw Plugin Bundle

OpenClaw can install this repo directly as a compatible bundle because it detects Claude and Codex bundle markers and imports supported skills and MCP tools.

openclaw plugins install ./secure-claude-code
openclaw plugins list
openclaw plugins inspect runwall
openclaw gateway restart

Use the CLI path when you want profile switching, update, uninstall, doctor repair, runtime config generation, or a separate local install home.

Cursor

Generate a Cursor-ready mcp.json:

./bin/runwall generate-runtime-config cursor balanced

Then place that output in the MCP config file Cursor expects on your machine. It now points at the inline Runwall gateway instead of the older helper-only companion server.

Windsurf

Generate a Windsurf-ready mcp_config.json:

./bin/runwall generate-runtime-config windsurf balanced

Then place that output in the MCP config file Windsurf expects on your machine. It now points at the inline Runwall gateway instead of the older helper-only companion server.

Claude Desktop

Generate a Claude Desktop-ready claude_desktop_config.json:

./bin/runwall generate-runtime-config claude-desktop balanced

Then merge that output into your Claude Desktop MCP config. It now points at the inline Runwall gateway instead of the older helper-only companion server.

macOS / Linux

curl -fsSL https://raw.githubusercontent.com/efij/secure-claude-code/main/scripts/bootstrap.sh | bash -s -- --repo efij/secure-claude-code --ref main --profile balanced

Windows

irm https://raw.githubusercontent.com/efij/secure-claude-code/main/scripts/bootstrap.ps1 | iex; Install-Runwall -Repo "efij/secure-claude-code" -Ref "main" -Profile "balanced"

Local Checkout

git clone https://github.com/efij/secure-claude-code.git
cd secure-claude-code
./bin/runwall install balanced

install.sh, update.sh, and uninstall.sh still exist, but they are only thin compatibility wrappers around the main CLI.

Quick Start

Apply a safer baseline

./bin/runwall install balanced

Run an audit first

./bin/runwall audit .
./bin/runwall audit . --format html --output runwall-audit.html
./bin/runwall audit . --format sarif --output runwall-audit.sarif --fail-on high

Validate the setup

./bin/runwall doctor
./bin/runwall validate

Review active protections

./bin/runwall list protections

Review supported runtimes

./bin/runwall list runtimes

Inspect recent blocks and warnings

./bin/runwall logs 20
./bin/runwall logs 50 --json

Start the inline gateway and dashboard

./bin/runwall gateway serve strict --config ./config/gateway.json --api-port 9470

Then open http://127.0.0.1:9470 to inspect events, redactions, and pending approvals.

The dashboard now makes three flows explicit:

• request-side blocks and prompts before upstream execution
• response-side redaction, prompts, and blocks before tool output reaches the runtime
• outbound destination decisions for metadata endpoints, private IPs, webhooks, paste sites, gist-like hosts, and non-allowlisted egress

It also shows:

• tool and server identity drift with baseline-vs-current diffs
• masked request and response previews by default
• exportable incident bundles for a single event, drift review, or runtime investigation

Generate a baseline CI workflow

./bin/runwall init .

That creates:

• .runwall/audit-baseline.json
• .github/workflows/runwall-audit.yml

Multi-Runtime Support

Runwall is now structured around runtime adapters, bundle installs, and the inline MCP gateway:

• Claude Code: native hook mode with direct pre-tool and post-tool enforcement
• Codex: plugin bundle plus inline gateway fallback mode
• OpenClaw: compatible bundle install that maps Runwall skills and MCP tools into OpenClaw
• Cursor: generated mcp.json gateway config
• Windsurf: generated mcp_config.json gateway config
• Claude Desktop: generated `claud