Prempti - policy and visibility layer for AI coding agents

Excited to share something awesome the team has been working on: Prempti, a policy and visibility layer for AI coding agents.

If you’re running Claude Code or similar tools day to day, you’ve probably wondered at some point what it’s actually touching on your machine. Prempti hooks into every tool call before it executes and enforces rules you define - allow, deny, or ask for confirmation. It uses Falco’s rule engine under the hood, so policies are plain YAML and you get a full audit trail with structured fields.

The demo shows Claude Code getting blocked from writing to ~/.ssh/ and reading ~/.ssh/known_hosts even after the user explicitly told it to proceed. The policy holds regardless of what the model decides.

Runs entirely in user space, no root required. Default ruleset covers sensitive paths, working-directory boundaries, MCP config poisoning, and a handful of other threat patterns. Custom rules go in ~/.prempti/rules/user/.

Two modes: monitor (full audit log, no blocking) and guardrails (verdicts enforced).

Known limitations: this is hook-level interception, not syscall-level, and it’s not a sandbox. Works best alongside sandboxing and least-privilege setups, not instead of them.

Still experimental, but working well on Linux, macOS, and Windows with Claude Code. Would love to hear what rules people end up using it for, how it works for you all, and what you’d like to see next.

Repo: https://github.com/falcosecurity/prempti

Blog: Introducing Prempti: Runtime security for AI coding agents, powered by Falco | Sysdig

Technical writeup: https://falco.org/blog/introducing-prempti
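A sketch of the pre-execution check described in the post, added here as an illustration; it is not Prempti's code and does not use Falco rule syntax. It shows why a path rule has to match the canonical target rather than the spelling the agent used, and how the same verdict is logged in monitor mode but enforced in guardrails mode. The home directory, tool names, deny list and all function names are assumptions.

```python
import json
import posixpath

HOME = "/home/dev"                                # assumed home directory
SENSITIVE = [HOME + "/.ssh", HOME + "/.aws"]      # constructed deny list
WRITE_TOOLS = {"Write", "Edit"}                   # assumed tool names

def canonical(path, cwd):
    """Expand ~ and collapse ../ so the rule matches the target, not its spelling.
    Lexical only: symlinks are not resolved here."""
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return posixpath.normpath(posixpath.join(cwd, path))

def within(path, root):
    """True if path is root itself or lies below it (no prefix-only matches)."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def evaluate(call, cwd):
    """Return (verdict, rule) for one tool call; first matching rule wins."""
    path = canonical(call["path"], cwd)
    for root in SENSITIVE:
        if within(path, root):
            return "deny", "sensitive path " + root
    if call["tool"] in WRITE_TOOLS and not within(path, cwd):
        return "ask", "write outside working directory"
    return "allow", "default"

def hook(call, cwd, mode, audit, confirm=lambda call: False):
    """Runs before the tool executes; returns True if the call may proceed."""
    verdict, rule = evaluate(call, cwd)
    enforced = mode == "guardrails"
    audit.append(json.dumps({"tool": call["tool"], "path": call["path"],
                             "verdict": verdict, "rule": rule, "enforced": enforced}))
    if not enforced:
        return True                  # monitor: record the verdict, never block
    if verdict == "ask":
        return bool(confirm(call))   # the user decides, not the agent
    return verdict == "allow"        # deny holds whatever the agent was told

if __name__ == "__main__":
    log, cwd = [], HOME + "/proj"
    calls = [{"tool": "Write", "path": "~/.ssh/authorized_keys"},   # constructed
             {"tool": "Read", "path": "../.ssh/known_hosts"},
             {"tool": "Write", "path": "/tmp/out.txt"},
             {"tool": "Edit", "path": "src/main.py"}]
    for c in calls:
        print(hook(c, cwd, "guardrails", log), log[-1])
```

Because the check is lexical and runs at the hook, a symlink inside the working directory that points at a sensitive path would pass it, which is the kind of gap the post's note about pairing with a sandbox covers.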