
How I stopped worrying about Claude Code touching files it shouldn't
Claude Code is powerful. It can also silently write to your .env or run rm -rf. You find out after it happens.

Waymark is an MCP server that intercepts every agent action before it executes... Waymark sits between an AI agent (Claude Desktop, Claude Code) and the filesystem. Every write_file, read_file, and bash call passes through Waymark before execution.

Waymark:

- Checks policy — blocks or queues the action if it violates waymark.config.json
- Logs to SQLite — records every action with full input, output, and policy decision
- Exposes a web UI — live dashboard at http://localhost:3001 showing all actions
- Supports rollback — restores any overwritten file, or deletes any newly created file
- Approval flow — pending actions can be approved (executes the action) or rejected from the UI or Slack

Setup:

    cd your-project
    npx @way_marks/cli init
    npx @way_marks/cli start

What policies would you add to the default config? What files should be protected that aren't already?

github/waymarks npmjs/wayma
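
A sketch of the kind of pre-execution policy check described above, added here as an example: it is not Waymark's code, and the POLICY shape, the matching rules and the decide() function are assumptions made for illustration, not the waymark.config.json schema. It shows why paths need normalizing before comparison and why bash calls need the same file checks as write_file and read_file.

```javascript
// Hypothetical policy, constructed for this example (not Waymark's config schema).
const POLICY = {
  blockedPaths: [".env", ".git/", "secrets/"],      // never read or written
  approvalPaths: ["package.json", ".github/"],       // writes wait for approval
  blockedCommands: [/\brm\s+-[a-z]*r/i, /\brm\s+.*--recursive\b/i],
};

// Resolve "." and ".." lexically so "src/../.env" is compared as ".env".
// Returns null for absolute paths or paths that climb out of the project root.
function normalize(p) {
  const parts = p.replace(/\\/g, "/").split("/");
  if (parts[0] === "") return null;
  const out = [];
  for (const part of parts) {
    if (part === "" || part === ".") continue;
    if (part === "..") { if (out.length === 0) return null; out.pop(); }
    else out.push(part);
  }
  return out.join("/");
}

// Rules ending in "/" are directories at the project root; others match a file
// name anywhere, including suffixed variants such as ".env.local".
function matches(rel, rules) {
  const base = rel.split("/").pop();
  return rules.some((r) => r.endsWith("/")
    ? (rel + "/").startsWith(r)
    : base === r || base.startsWith(r + "."));
}

// Returns "block", "pending" (queue for approval) or "allow" for one tool call.
function decide({ tool, input }) {
  if (tool === "bash") {
    if (POLICY.blockedCommands.some((re) => re.test(input.command))) return "block";
    // The shell can reach protected files without the file tools, so check
    // every token that looks like a path (best effort, not a shell parser).
    const tokens = input.command.split(/[\s;|&<>"'`=]+/).filter(Boolean);
    const hit = tokens.some((t) => {
      const rel = normalize(t);
      return rel !== null && rel !== "" && matches(rel, POLICY.blockedPaths);
    });
    return hit ? "block" : "allow";
  }
  const rel = normalize(input.path);
  if (rel === null || matches(rel, POLICY.blockedPaths)) return "block";
  if (tool === "write_file" && matches(rel, POLICY.approvalPaths)) return "pending";
  return "allow";
}
```

Token matching on a shell string cannot see through variables, globs or subshells, so a gate like this is a backstop alongside logging and rollback, not a replacement for them.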


