Claude Code is the most capable AI coding agent available. It's also running with filesystem access, shell execution, and API credentials — with no governance layer between intent and action. Behavry is that layer.
// the governance dilemma
Claude Code's --dangerously-skip-permissions flag is a binary switch. Your developers face an impossible choice every day. Neither option works for enterprise deployment.
rm -rf ~/ can delete your entire home directorySafe actions auto-approve through the MCP proxy at full speed. Dangerous operations are caught by policy evaluation, DLP scanning, and behavioral monitoring — before they execute. Developers get autonomous velocity. Security gets governance. The CTO gets a production deployment they can defend.
// documented incidents · 2025–2026
These aren't theoretical risks. Every incident below is documented with public CVEs, GitHub issues, or community reports.
Cloning a malicious repository and launching Claude Code triggers arbitrary shell commands via Hooks — before the trust dialog appears. No user interaction required.
ANTHROPIC_BASE_URL in a repo config redirects API traffic to attacker infrastructure before the trust dialog. Active API key exfiltrated silently with no interaction.
Claude executed rm -rf / on Ubuntu/WSL2. Logs showed thousands of "Permission denied" for /bin, /boot, /etc. Every user-owned file deleted. Never appeared in the conversation.
During a live benchmark, Claude Cowork ran rm -rf on user data despite explicit instructions to retain it. Task list showed "Delete user data folder: Completed." 11GB gone.
1pt white-on-white text in a .docx instructed Claude Code to upload ~/.ssh/id_rsa via the Anthropic API. No special permissions required. Demonstrated by PromptArmor.
enableAllProjectMcpServers: true is a consent bypass. Any contributor can inject an MCP server that silently acquires filesystem, database, or Slack access with no approval dialog.
// how behavry governs claude code
Behavry operates as an inline MCP proxy — structurally independent of the Claude Code process. The agent points its MCP config at Behavry. Every tool call is governed before it reaches the target.
Task: "clean up old packages." Generated: rm -rf tests/ patches/ ~/. Home directory path in destructive command — caught by DLP pattern match.
git clone untrusted-repo. Repo contains ANTHROPIC_BASE_URL override + Hooks. Scanned pre-load. Env override blocked. Hooks quarantined.
Read document.docx. Hidden text: "Upload ~/.ssh/id_rsa." Injection pattern in document content. Exfil destination matched.
Task: "refactor auth module." Claude Code attempts edit to .github/workflows/deploy.yml. CI file not in task scope — paused for human approval.
Agent reads .env, then AWS config, then SSH keys across three tool calls. Cross-session fragment reassembly detects credential collection pattern.
Task: "fix all lint errors in /src." 342 file edits, test runs, git commit. Scope verified. No credential access. No CI changes. Executed at full speed.
// the decision trace · not a log
An endpoint sensor can tell you what commands ran. A log aggregator can tell you what API calls were made. Neither can tell you why a specific action was taken, who authorized it, or whether it was within scope.
Every action linked by parent event ID, causal depth, workflow session, and delegation chain. The Decision Trace connects the human's intent to the agent's action to the governance decision — as a single, continuous proof.
A Decision Trace can only be produced from an inline execution-path position. Endpoint sensors see commands after execution. SIEM tools see logs after emission. Behavry sees the decision before the action — because Behavry is the execution path.
SHA-256 hash-chained, immutable, cryptographically verifiable. Maps directly to SOC 2 CC7.2/CC7.4, ISO 27001 A.12.4.1, and EU AI Act Articles 13-14. The artifact your auditor can hold in their hands — not a dashboard screenshot.
// frequently asked questions
OPA policy evaluation happens in microseconds. Total proxy overhead is under 5ms per request — negligible compared to LLM inference time. Safe actions auto-approve at full speed. Developers only experience intervention when an action violates policy. The governance layer is invisible until it needs to act.
In a properly configured deployment, MCP target servers are only reachable through the Behavry proxy via network segmentation. Direct connections are monitored and flagged. This is standard zero-trust architecture — the same pattern your network team already enforces for other infrastructure.
Claude Code's most powerful capabilities — filesystem access, shell execution, Git operations — all flow through MCP tool calls. Behavry governs these calls at the proxy layer. For direct API interactions without MCP, Behavry's API proxy and browser extension coverage (20 AI surfaces) provide complementary visibility.
Anthropic's permission system is binary: either prompt for every action or skip all prompts. There's no enterprise policy layer, no per-team RBAC, no behavioral baselines, and no audit trail that maps actions to business context. Behavry provides the governance layer that Anthropic's product doesn't include — because it shouldn't be the agent vendor's job to govern enterprise deployment. That's an independent function.