blastshield-guard provides command-argument-level filtering as a complement to the sandbox-exec profiles. While sandbox-exec operates at the file/process level and cannot filter by command arguments, blastshield-guard intercepts mutating subcommands before they reach tools such as Terraform, gcloud, kubectl, and gh.
When you launch an agent with blastshield, temporary runtime wrappers are injected automatically and mutating commands are hard-blocked. Persistent wrappers installed for regular shell use still prompt for Touch ID or your sudo password.
Philosophy: read-only by default. Any subcommand that isn’t explicitly read-only is treated as mutating and requires authentication.
Agent runs: terraform apply
PATH lookup finds wrapper first
Wrapper checks: is "apply" read-only? ─── NO
Runtime guard blocks command
Exit 1; run it yourself outside the agent sandbox
Runtime wrappers — blastshield creates temporary wrappers for guarded CLIs found on your current PATHPATH interception — The temporary guard directory is prepended to PATH before the sandboxed command startsRead-only check — Each wrapper checks if the subcommand is in the read-only allowlistDefault deny — If the subcommand isn’t read-only, it is treated as mutatingRuntime block — Inside blastshield, mutating commands exit with a clear block messagePass-through — Read-only commands execute immediately without any interruption
No installation is required for the runtime guard. blastshield enables it automatically:
blastshield codex --dangerously-bypass-approvals-and-sandbox
Disable automatic guard injection when you explicitly need raw PATH behavior:
blastshield --no-guard claude
You can also install persistent wrappers for regular shell use outside BlastShield:
# Install to default location (~/.blastshield/guard)
blastshield-guard install
# Install to custom location
blastshield-guard install ~/bin/guard
Then add the guard directory to your PATH before the real CLI paths:
export PATH = " $HOME /.blastshield/guard: $PATH "
For AI agents, add this to their environment configuration.
Read-Only (auto-allow) Mutating (requires auth) init, plan, fmt, validateapply, destroyshow, output, consoleimport, taint, untaint, refreshstate list, state showstate rm, state mvworkspace list, workspace selectworkspace delete, workspace newproviders, version, graph
Read-Only (auto-allow) Mutating (requires auth) list, describe, getdelete, create, deploy, updateauth, status, versionadd, remove, patch, set, resetconfig, helprestart, resize, enable, disablesubmit, cancel
Read-Only (auto-allow) Mutating (requires auth) describe-*, list-*, get-*delete, create, put, updatehead-*, waitdeploy, terminate, run-*s3 ls, s3 cp (download), s3 presignstart-*, stop-*, rebootsts get-caller-identityauthorize, revoke, send, cancellogs describe-*, logs get-*dynamodb scan/query/get-itemiam list-*/get-*
Read-Only (auto-allow) Mutating (requires auth) list, showdelete, create, update, deployaccount show/listset, remove, add, lock, unlockversion, helpscale, restart
Read-Only (auto-allow) Mutating (requires auth) get, describe, logsapply, create, delete, patchtop, eventsscale, taint, execapi-resources, api-versions, explaincordon, uncordon, drainauth can-irollout restart, rollout undoconfig view, config get-contextslabel, annotate, setrollout status, rollout historyexpose, run, cp, debugversion
Read-Only (auto-allow) Mutating (requires auth) repo list/view/clone/forkrepo delete/edit/renamepr list/view/diff/checkoutpr merge/closeissue list/viewissue closerelease list/view/downloadrelease deleteworkflow list/viewworkflow disable/enableauth statusrun cancelapi -X DELETE/PUT/PATCH
Read-Only (auto-allow) Mutating (requires auth) list, status, historyinstall, upgradeshow, searchdelete, uninstall, rollbackversion, repo list/updatepush
Read-Only (auto-allow) Mutating (requires auth) list, ls, view, infoinstall, ci, addoutdated, search, whyuninstall, remove, rm, raudit, dedupe, diffupdate, publish, deprecatefund, root, prefixaccess, org, token, profileconfig list, config getstar, unstar, login, logoutversion, help, packrebuild, cache *
Read-Only (auto-allow) Mutating (requires auth) list, ls, info, whyadd, install, removeoutdated, search, versionupgrade *, up, dedupe *help, pack, dircache *, set *, config setconfig, plugin listlogin, logout, publishnpm info/tag/viewunlink, link, init
Read-Only (auto-allow) Mutating (requires auth) list, ls, info, whyadd, install, ioutdated, search, versionremove, rm, update, upgradehelp, pack, auditimport, store prune/addfund, root, config, getlogin, logout, publishstore pathset, config set, rebuilddeploy, fetch
Read-Only (auto-allow) Mutating (requires auth) list, show, searchinstall, uninstallcheck, freezedownload, buildconfig list, config getwheel, compiledebug, hash, inspectconfig set, config editversion, help
Read-Only (auto-allow) Mutating (requires auth) list, ls, infoinstall, reinstallsearch, desc, outdateduninstall, remove, rmdoctor, configtap *, untapleaves, uses, depslink, unlink, switchcat, home, logpin, unpin, cleanupoptions, versionmigrate, extract
Read-Only (auto-allow) Mutating (requires auth) list, search, queryinstall, uninstallspec, dependencyupdate *, build, pushoutdated, info, helpowner *, yank, cleanupenvironmentsignin, signoutexec
Read-Only (auto-allow) Mutating (requires auth) search, tree, listinstall, uninstalllocate-project, metadataadd, rm, removeversion, helpupdate, upgradepublish, ownerlogin, logoutpublish *, yank
Read-Only (auto-allow) Mutating (requires auth) list, search, helpinstall, uninstallversion, info, envupgrade
Read-Only (auto-allow) Mutating (requires auth) list, search, showinstall, remove, purgecache, policy, versionautoremove, autocleanhelp, simulationclean, mark, source
Read-Only (auto-allow) Mutating (requires auth) list, search, infoinstall, removecheck, check-updateautoremove, cleanrepolist, repoqueryupgrade, upgrade-minimalversion, helpdistro-sync
blastshield-guard install [DIR]
Creates wrapper scripts in the specified directory. Only wraps CLIs that are found on the system.
blastshield-guard uninstall [DIR]
Removes the wrapper scripts from the specified directory.
Shows all guarded CLIs with their read-only and mutating patterns.
blastshield-guard check <cli> [args...]
Tests whether a specific command would be allowed or blocked:
# Check if terraform apply would be blocked
blastshield-guard check terraform apply
# Output: BLOCKED (mutating — requires auth): terraform apply
# Check if terraform plan would be allowed
blastshield-guard check terraform plan
# Output: ALLOWED (read-only): terraform plan
Runtime wrappers created by blastshield do not prompt for authentication. Mutating commands are blocked and must be run by you outside the agent sandbox.
Persistent wrappers installed with blastshield-guard install use sudo as their authentication mechanism:
Touch ID — On MacBooks with Touch ID, sudo can prompt for biometric authenticationPassword — Falls back to your macOS user passwordFresh auth required — sudo -k invalidates the timestamp, ensuring a fresh prompt each time
Automatic runtime guards cover repo-local and Hermit shims when the command is resolved through PATH, such as terraform apply with ./bin already on PATH. Direct path execution bypasses argument filtering.
Layer 1 (sandbox) is the hard boundary. It blocks credential access regardless of how the CLI is invoked. Use both layers together for defense in depth.
Always use with Layer 1 — The guard alone is not sufficient; always run agents inside blastshield sandbox-exec profilesInvoke tools by command name — Runtime guards cover commands resolved through PATH, including Hermit shimsDefault deny — Any subcommand not in the read-only list is treated as mutating. Add new read-only patterns cautiously.Layer 1 is your safety net — Even if an agent bypasses the guard, it still cannot read credentials (blocked by sandbox) 
