How it works¶
What it does¶
Every prompt, tool call, and response that flows through an agent harness session is captured by the plugin, scanned against your rule packs, and routed to an outcome — before the content reaches the model (prompts, tool inputs) or after it responds (tool outputs) — then logged.
How rules are applied¶
Every event is scanned against your installed rule packs.
- Most rules match with regex — a pattern shaped like an AWS access key, an email address, a bank routing number — since that covers the majority of secrets and PII, which have a predictable shape.
- A smaller set of rules match on keyword presence (contextual phrases like "[REDACTED:PII] is"), and some regex matches pass through a post-match validator — a Luhn checksum for card numbers, a Shannon-entropy check for high-entropy secrets — to cut down false positives.
- Either way, a match becomes a Finding: the rule id, category, severity, and matched span, before policy decides what happens to it.
Tip
See Built-in Detections for the full catalog, or Writing Rules to add your own.
Policy outcomes¶
Every finding resolves to one of five outcomes:
| Outcome | What happens |
|---|---|
| Monitor | Logged only — every rule ships active under this default, so nothing is enforced until you promote it |
| Warn | Surfaces a warning in the session; the content still goes through unchanged |
| Redact | The matched value is replaced in place before it reaches the model — only available on tool inputs/outputs, not prompt text |
| Block | The prompt or tool call is stopped entirely, with a message explaining what fired |
| Exception | A manually-granted, exact-value override that lets one specific match through despite its rule's policy |
Promote any detection to Warn, Redact, or Block from the dashboard, per rule or per category.
Granting exceptions¶
Sometimes a blocked or redacted value is legitimate such as a sandbox credential, a documented test fixture. An exception is the sanctioned way through: an explicit, audited, exact-value grant made from a terminal, never from inside the session it would exempt. See Adding Exceptions for the full walkthrough.
Key concepts¶
| Term | Description |
|---|---|
| Event | A prompt, response, or code change captured from an agent harness session |
| Finding | A rule match produced by the detection engine against an event |
| Rule | A JSON file describing what to detect: keyword list, regex pattern, or validator |
| Rule Pack | A directory of rules + mandatory fixtures with a manifest.json |
| Policy | A decision: what action to take when a rule or category fires |
| Plugin | The harness extension (hooks) that intercepts sessions — one package, used by both Claude Code and Claude Desktop |