Airlock Claude Code Enforcer

Airlock Claude Code Enforcer

Human approval for AI actions in Claude Code

GitHub

Prerequisites

  • Claude Code installed
  • Node.js 18 or later
  • An Airlock account
  • The Airlock Mobile Approver app installed on your phone (Android or iOS)

Getting Started

  1. 1

    Load the Plugin

    Add the Airlock marketplace and install the plugin: 

    /plugin marketplace add airlockapp/extensions
    /plugin install airlock@airlock-extensions
  2. 2

    Sign In

    In Claude Code, run /airlock:sign-in. The sign-in flow opens a verification URL in your default browser. Authenticate with your Airlock account.

  3. 3

    Pair with Mobile App

    Run /airlock:pair. A 6-character pairing code will be displayed. On the Airlock Mobile Approver app, go to Settings → Pair Another Workspace and enter the code. The daemon starts automatically after pairing.

  4. 4

    Enable Auto Mode

    Run /airlock:auto-off to ensure all tool use (shell commands, file edits, MCP calls) requires your mobile approval.

Plugin Commands

Command Description
/airlock:sign-inAuthenticate with the Gateway
/airlock:sign-outClear authentication and stop daemon
/airlock:pairPair with the Airlock mobile app (pairing code)
/airlock:unpairRemove paired device
/airlock:auto-onEnable auto-approve (skip gateway)
/airlock:auto-offDisable auto-approve (resume gating)
/airlock:statusShow mode, gateway URL, sign-in, and pairing state
/airlock:fail-mode <open|closed>Set behavior when daemon is unavailable
/airlock:approve <pattern>Auto-approve shell commands matching pattern
/airlock:disapprove <pattern>Remove an auto-approve pattern
/airlock:patternsList current auto-approve patterns

How It Works

The Airlock Claude Code Enforcer is a plugin that hooks into Claude Code's tool-use pipeline. When Claude attempts to run a shell command, edit a file, or make an MCP call, the plugin intercepts the action and forwards it to a local daemon. The daemon encrypts the action with AES-256-GCM and submits it to the Airlock Gateway. Your Mobile Approver receives a push notification — you review the action and sign your decision with Ed25519. The daemon verifies the signature locally before allowing execution.

The daemon starts and stops automatically with your Claude Code sessions. It maintains a persistent WebSocket connection for real-time presence, so the mobile app always shows your workspace status.

Security model: The enforcer operates in fail-closed mode by default. If the daemon is unreachable, the signature is invalid, or the request times out — the action is blocked. You can switch to fail-open mode with /airlock:fail-mode open if needed.

← All Docs Back to Airlock