Setup for software developers

Surface: Coding assistant hooks Modes supported: Local Hosted Hybrid Tiers: Free Solo Teams

Who this is for

You use an AI coding assistant -- Claude Code, Cursor, Codex CLI, or Gemini CLI -- and you want a safety net on what it can do to your machine and your repo, without slowing down your flow.

What you typically want governed

Destructive shell. No rm -rf, no force-push to main, no piping curl into a shell.
Sensitive files. The assistant reads and writes your project, but not your SSH keys, cloud credentials, or /etc.
Secret egress. Tokens and keys do not leave in a tool call.

Which surface to install

Coding hooks. One command wires Control Zero into your assistant. Every shell command, file write, and tool call is checked against your policy before it runs. Your assistant behaves exactly as before; only dangerous actions get stopped.

controlzero install claude-code

Swap claude-code for cursor, codex-cli, or gemini-cli as needed. As a single developer you can run fully local -- no signup, no account.

Starter policy

The installer drops a starter policy at ~/.controlzero/policy.yaml. This version blocks the classic foot-guns and allows everything else, so it never gets in your way on normal work.

The coding hook normalizes each tool call to a canonical name: shell commands become Bash:<command> (so rm -rf is Bash:rm), and file access becomes file_read:read / file_write:write with the target path carried in the call context. Your rules target those names:

version: '1'
settings:
  # Permissive default: only the explicit denies below stop anything.
  default_action: allow
  default_on_missing: allow
  default_on_tamper: warn
rules:
  - id: block-rm
    deny: 'Bash:rm'
    reason: 'Review deletes manually instead of letting the assistant run rm.'
  - id: block-secret-file-read
    deny: 'file_read:read'
    when:
      path: '*/.ssh/*'
    reason: 'SSH keys are off-limits to the assistant.'
  - id: block-aws-creds
    deny: 'file_read:read'
    when:
      path: '*/.aws/*'
    reason: 'Cloud credentials are off-limits to the assistant.'
  - id: allow-everything-else
    allow: '*'
    reason: 'Default-allow so normal coding is never interrupted.'

This blocks rm and reads of ~/.ssh / ~/.aws while leaving everything else alone. To cover more commands and paths -- force-push, curl-into-shell, /etc, the rest of your secret tree -- copy the fuller patterns from Scoped file access and Block outbound network, which list the exact tokens each agent emits.

What you'll see

When the assistant tries a blocked action, the hook denies it before it runs and the assistant gets a clear "blocked by policy" signal it can work around.
Every decision is logged locally. Follow it live while you work:
```
controlzero tail
```

Next steps

Govern Claude Code, Cursor, Codex CLI, Gemini CLI -- the full coding-hooks walkthrough.
Scoped file access -- read/write your repo and /tmp, deny secrets.
Block outbound network -- stop exfiltration via curl / wget / ssh.
Coding assistant hooks -- surface reference and supported agents.

Who this is for​

What you typically want governed​

Which surface to install​

Starter policy​

What you'll see​

Next steps​