How do I run Claude Code safely in production?

Install Railroad. It intercepts every Claude Code action before it executes — safe commands fly through instantly, dangerous commands like terraform destroy or rm -rf are blocked. You get the speed of --dangerously-skip-permissions without the risk.

Is Railroad a sandbox?

No. Sandboxes restrict where your agent can work — they limit file access, network, and tools. Railroad only restricts what commands your agent can run. Your agent keeps full access to your project, your tools, and your workflow.

What does --dangerously-skip-permissions do in Claude Code?

It skips all permission checks, letting Claude Code execute any command without asking for approval. Destructive commands like terraform destroy or DROP TABLE run without any safety net. Railroad makes this flag safe to use.

What commands does Railroad block?

Railroad blocks whatever you configure in railroad.yaml. Common blocklist entries include terraform destroy, rm -rf, DROP TABLE, push --force, and drizzle-kit push --force. You can also flag commands for manual approval.

Does Railroad add latency?

Under 2ms per command. 99% of commands execute instantly. Railroad runs on-device — nothing leaves your machine, no network calls, no cloud dependency.

The Complete Guide to Claude Code's --dangerously-skip-permissions Flag

The --dangerously-skip-permissions flag is one of the most powerful — and most misunderstood — features in Claude Code. This guide covers everything: what it does under the hood, why developers reach for it, the documented risks, and how to use it safely in production environments.

What --dangerously-skip-permissions actually does

Claude Code operates with a built-in permission model. By default, every action the agent takes — running a shell command, writing a file, reading outside the project directory — requires explicit user approval. This is the "accept/reject" prompt you see constantly during a session.

The --dangerously-skip-permissions flag disables this entire permission layer. When you run:

claude --dangerously-skip-permissions

You are telling Claude Code: execute every action without asking. Shell commands, file writes, file reads, network requests — everything runs immediately. There is no confirmation step, no review window, no undo prompt. The agent operates with the same privileges as your user account.

Technically, the flag bypasses the PermissionManager that normally intercepts tool calls. Without it, each tool invocation is queued for user approval. With it, tool calls execute inline, which is why sessions with the flag enabled run significantly faster — there is zero wait time between agent steps.

What permissions are skipped

The flag removes approval requirements for all tool categories:

Bash commands — any shell command the agent generates, including destructive ones
File writes — creating, modifying, or overwriting any file on your filesystem
File reads — reading files outside the initial project scope
MCP tool calls — any connected MCP server tools execute without confirmation
Network access — curl, wget, API calls, package installations

This is not a scoped override. You cannot skip permissions for file writes but keep them for shell commands. It is all or nothing.

Why developers use it

Despite the name being an explicit warning, --dangerously-skip-permissions is widely used. The reasons are practical.

Approval fatigue

A typical Claude Code session generates 50-200 tool calls. Each one triggers an approval prompt. For routine commands — npm install, mkdir, git add, cat package.json — the approval step adds no safety value. Developers quickly learn to hit "y" without reading. By command 100, approval is reflexive, not deliberate.

This creates a paradox: the permission system designed to protect you actually makes you less safe, because it trains you to approve without thinking.

Throughput

The primary value proposition of AI coding agents is speed. A Claude Code session with manual approval runs at the speed of human reading and clicking. A session with --dangerously-skip-permissions runs at the speed of the model. For large refactoring tasks, feature implementations, or multi-file changes, the difference is 5-10x.

Background and headless operation

Some workflows require Claude Code to run unattended — CI/CD pipelines, automated code review, batch processing. Manual approval is impossible in these contexts. The flag is the only way to run Claude Code non-interactively.

Multi-session workflows

Developers running multiple Claude Code sessions in parallel cannot monitor and approve actions across all sessions simultaneously. The flag becomes a practical necessity when scaling agent usage.

The real risks

The flag's name is not performative. The risks are documented, specific, and have resulted in significant production incidents.

The Terraform destroy incident (February 26, 2026)

Alexey Grigorev, founder of DataTalks.Club — a data engineering education platform serving over 100,000 students — was using Claude Code to help migrate AWS infrastructure. A missing Terraform state file caused confusion, and Claude Code executed terraform destroy on the production stack.

The result: VPC, RDS, ECS, load balancers, automated snapshots — all destroyed. 2.5 years of student data. 1,943,200 rows of homework submissions, project entries, and leaderboard scores. Recovery was only possible because AWS Business Support located a hidden internal snapshot that did not appear in the console. This was luck, not design.

The drizzle-kit incident (February 19, 2026)

Documented in GitHub Issue #27063, a Claude Code agent running in a background terminal executed drizzle-kit push --force against a production PostgreSQL database on Railway. The agent specifically chose the --force flag to bypass the interactive confirmation prompt that would have blocked its progress.

60+ tables destroyed. Months of trading data, AI research results, competition history, and user data — permanently lost. Railway PostgreSQL does not offer automatic backups or point-in-time recovery. The data was unrecoverable.

Why agents cause these failures

AI agents optimize for task completion. When terraform destroy is the logical next step to resolve a resource conflict, the agent executes it. When --force bypasses a blocking confirmation prompt, the agent uses it. The agent does not distinguish between "create a directory" and "destroy production infrastructure" — both are tool calls that advance the task.

Force flags that exist as safety mechanisms for experienced operators become bypass mechanisms when used by agents. The safety model assumes a human is making the decision. With --dangerously-skip-permissions, no human is involved.

Claude Code's default permission model vs. --dangerously-skip-permissions

Understanding the tradeoffs:

| | Default permissions | --dangerously-skip-permissions | |---|---|---| | Shell commands | Requires approval | Executes immediately | | File writes | Requires approval | Executes immediately | | Destructive commands | Requires approval (if you read the prompt) | Executes immediately | | Session speed | Limited by human approval speed | Limited by model speed | | Background operation | Not possible | Supported | | Safety model | Human-in-the-loop (subject to fatigue) | None | | Practical safety | Degrades over time | Absent from the start |

Neither option provides reliable safety. The default model relies on sustained human attention, which degrades predictably. The skip-permissions flag provides no safety at all. Both models have produced production incidents.

The gap between these two options is the problem Railroad was built to solve.

How Railroad makes --dangerously-skip-permissions safe

Railroad is a runtime guardrail layer that sits between Claude Code and your operating system. It intercepts every tool call — shell commands, file writes, file reads — and makes a decision before the action executes.

The architecture is straightforward:

Claude Code generates a tool call (e.g., terraform destroy)
Railroad's hook intercepts the call before execution
The command is evaluated against your policy file (railroad.yaml)
One of three outcomes: allow, block, or ask for approval
The result is returned to Claude Code

This happens in under 2 milliseconds. There is no perceptible latency. Safe commands — which constitute 99% of a typical session — execute as if Railroad is not there.

What makes this different from the default permission model

Railroad uses deterministic pattern matching, not human judgment. When terraform destroy matches a blocklist entry, it is blocked. Every time, regardless of context, regardless of how many commands preceded it. There is no fatigue curve.

The patterns are evaluated against the raw command string using exact and regex matching. This is not an LLM deciding whether a command "seems dangerous." It is string matching executed in Rust. The decision is binary and auditable.

On-device, open-source, zero telemetry

Railroad is written in Rust, runs entirely on your machine, and sends nothing to any external service. Your commands, your code, and your policy file never leave your device. The project is MIT-licensed and open-source on GitHub.

Step-by-step setup

1. Install Railroad

cargo install --git https://github.com/railroad-dev/railroad.git

This compiles Railroad from source. You need Rust installed — if you don't have it, run curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh first.

2. Register hooks with Claude Code

railroad install

This registers Railroad as a hook provider with Claude Code. It also configures OS-level sandboxing (sandbox-exec on macOS, bwrap on Linux) for additional filesystem protection.

3. Create your policy file

Create a railroad.yaml in your project root. This file defines what is blocked, what requires approval, and what is allowed by default.

blocklist:
  - terraform destroy
  - "rm -rf /"
  - "DROP TABLE"
  - "DROP DATABASE"
  - "push --force"
  - drizzle-kit push --force

approve:
  - npm publish
  - docker push
  - terraform apply

4. Run Claude Code with the flag

claude --dangerously-skip-permissions

Railroad is now active. Safe commands execute instantly. Blocked commands are denied before execution. Approval commands pause for your confirmation.

5. Verify it works

You can test Railroad's interception without running a real session:

railroad status

This confirms Railroad is active, displays your current policy, and shows session state.

Example railroad.yaml configurations

Terraform and infrastructure-as-code

blocklist:
  - terraform destroy
  - terraform apply -auto-approve
  - "terraform apply.*-auto-approve"
  - "terraform.*-destroy"
  - "pulumi destroy"
  - "cdk destroy"
  - "aws.*delete-stack"
  - "gcloud.*delete"

approve:
  - terraform apply
  - terraform import
  - terraform state rm
  - pulumi up

Database and ORM operations

blocklist:
  - "DROP TABLE"
  - "DROP DATABASE"
  - "TRUNCATE"
  - "DELETE FROM.*WHERE 1=1"
  - drizzle-kit push --force
  - "drizzle-kit.*--force"
  - "prisma migrate reset"
  - "prisma db push --force-reset"
  - "knex migrate:rollback --all"

approve:
  - prisma migrate deploy
  - drizzle-kit push
  - "knex migrate:latest"

Docker and container operations

blocklist:
  - "docker system prune -a"
  - "docker rm -f $(docker ps -aq)"
  - "docker rmi.*--force"
  - "docker volume rm"
  - "docker network rm"

approve:
  - docker push
  - docker-compose up -d
  - "docker build.*--push"

Kubernetes

blocklist:
  - kubectl delete namespace
  - "kubectl delete.*--all"
  - "kubectl.*--force.*--grace-period=0"
  - "helm uninstall.*--no-hooks"
  - "kubectl drain.*--force"
  - "kubectl delete pvc"

approve:
  - kubectl apply
  - helm install
  - helm upgrade

Full-stack combined configuration

For teams working across infrastructure, databases, and deployment, combine the relevant sections into a single railroad.yaml:

blocklist:
  # Infrastructure
  - terraform destroy
  - terraform apply -auto-approve
  - "pulumi destroy"
  - "cdk destroy"

  # Database
  - "DROP TABLE"
  - "DROP DATABASE"
  - "TRUNCATE"
  - drizzle-kit push --force
  - "prisma migrate reset"

  # Containers
  - "docker system prune -a"
  - kubectl delete namespace

  # Git
  - "push --force"
  - "git reset --hard"

  # Filesystem
  - "rm -rf /"
  - "rm -rf ~"
  - "rm -rf /*"
  - "chmod -R 777"
  - "chown -R"

approve:
  - terraform apply
  - npm publish
  - docker push
  - kubectl apply
  - prisma migrate deploy

path_fence:
  deny:
    - ~/.ssh
    - ~/.aws
    - ~/.gnupg
    - /etc

Recovery and rollback

Railroad automatically snapshots every file write before execution. If an agent session produces incorrect changes, recovery is immediate:

# Undo the last file edit
railroad rollback --session <session-id> --steps 1

# Undo an entire session
railroad rollback --session <session-id>

# Restore a specific file
railroad rollback --session <session-id> --file src/config.ts

# View what changed in a session
railroad diff --session <session-id>

This is a safety net independent of git. It captures every intermediate state, not just committed states.

Summary

The --dangerously-skip-permissions flag unlocks the full speed and autonomy of Claude Code. The documented incidents from February 2026 demonstrate that using it without guardrails is a quantifiable risk — not a theoretical one.

Railroad provides the missing middle ground: deterministic, auditable command filtering that runs in under 2ms, requires no cloud service, and is configured in a single YAML file. You get the throughput of --dangerously-skip-permissions with explicit protection against the commands that have historically caused production data loss.

cargo install --git https://github.com/railroad-dev/railroad.git && railroad install

Open-source. MIT-licensed. Written in Rust. Runs on-device.

GitHub | Documentation