Trust & Safety

Human-in-the-loop by architecture, not by prompting

The Core Principle

When you drive Claude Code through PlanDrop, nothing executes until you approve it. Every task starts in a planning phase that lists the files Claude Code intends to create or modify and the commands it intends to run, and you approve that plan before anything runs. This is not a prompt-based guardrail that a model could be talked out of; it is how PlanDrop invokes Claude Code.

Security Features

Mandatory Plan Review

Every task starts in "plan mode." Claude Code analyzes your request but cannot execute anything. You see exactly what it intends to do (files to create/modify, commands to run) before clicking Execute.

CLI-Level Enforcement

Permission profiles are applied with Claude Code's own --disallowedTools flag, so a blocked tool is rejected by the CLI before it runs, and text injected into a prompt cannot re-enable it. The flag blocks exactly what the profile's patterns name, so a profile is only as complete as its patterns; that is why deny lists are paired with plan review rather than relied on alone.

Deny-List Profiles

The Standard profile blocks dangerous commands (sudo, rm -rf /, shutdown). Edit Files Only blocks all shell commands. Custom profiles let you define your own blocked patterns.

No Cloud Infrastructure

PlanDrop's only connections are SSH to the machine running Claude Code and files exchanged on that machine. There are no WebSocket servers, no databases and no third-party services, so nothing you send through the extension leaves your network. Claude Code's own connection to Anthropic (through your Max login or API key, see below) is unchanged; PlanDrop does not sit in that path.

Open Source

Every line of code is public on GitHub. Audit the extension, native host, and watcher scripts yourself. No black boxes, no hidden telemetry.

Multi-Instance Protection

A per-project lock prevents multiple browser tabs from sending conflicting commands to the same project. Only one tab can control a project at a time.
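As an added example, not PlanDrop's implementation, the following Python shows the kind of exclusive per-project lock this feature describes. The lock-file name, the tab labels and the use of flock (POSIX only) are assumptions. The property it demonstrates is that the lock is taken atomically by the kernel, so two tabs racing for one project cannot both win, and a holder that dies releases it without any stale-lock cleanup.

```python
"""One controller per project: an exclusive lock of the kind the
Multi-Instance Protection feature describes. Added illustration, not
PlanDrop's own code; the lock-file name and owner labels are assumptions."""
import fcntl    # POSIX only: flock is what makes the lock atomic and crash-safe
import os
import tempfile


class ProjectLock:
    """Exclusive lock on a project directory, held for the life of the fd.

    flock() is taken by the kernel on the open file description, so two
    controllers racing for the same project cannot both win, and a holder
    that crashes releases the lock when its fd is closed: no stale-lock
    cleanup and no check-then-create race.
    """

    LOCK_NAME = ".plandrop.lock"    # assumed name

    def __init__(self, project_dir, owner):
        self.path = os.path.join(project_dir, self.LOCK_NAME)
        self.owner = owner          # e.g. a tab id; constructed label
        self.fd = None

    def acquire(self):
        """Try once, without blocking. Returns True if we now hold the lock."""
        fd = os.open(self.path, os.O_RDWR | os.O_CREAT, 0o600)
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:     # another controller holds it: refuse, don't queue
            os.close(fd)
            return False
        os.ftruncate(fd, 0)         # record who holds it, for diagnostics only
        os.write(fd, self.owner.encode())
        self.fd = fd
        return True

    def release(self):
        if self.fd is not None:
            fcntl.flock(self.fd, fcntl.LOCK_UN)
            os.close(self.fd)
            self.fd = None

    def holder(self):
        """Owner label written by the last holder (advisory only)."""
        try:
            with open(self.path, "rb") as f:
                return f.read().decode() or None
        except FileNotFoundError:
            return None


def run_demo(project_dir=None):
    """Two tabs contend for one project; returns the sequence of outcomes."""
    project_dir = project_dir or tempfile.mkdtemp(prefix="plandrop-demo-")
    tab1 = ProjectLock(project_dir, "tab-1")
    tab2 = ProjectLock(project_dir, "tab-2")
    results = {
        "tab1_first": tab1.acquire(),           # True
        "tab2_while_held": tab2.acquire(),      # False: rejected, not queued
        "holder_while_held": tab1.holder(),     # "tab-1"
    }
    tab1.release()
    results["tab2_after_release"] = tab2.acquire()   # True
    results["holder_after"] = tab2.holder()          # "tab-2"
    tab2.release()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The owner label in the file is for diagnostics; the lock itself lives in the kernel, which is why a second tab is refused immediately and a released (or crashed) holder frees the project without anyone deleting a file.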

Threat Model

We've thought about what could go wrong

โš ๏ธ Threat: Claude Code runs dangerous commands
โœ… Mitigation: CLI-level --disallowedTools blocks sudo, rm -rf /, shutdown, etc. Cannot be bypassed by prompts.
โš ๏ธ Threat: Prompt injection bypasses safety
โœ… Mitigation: Permission enforcement happens at CLI level, not in prompts. Blocked tools are hard-rejected.
โš ๏ธ Threat: Extension sends data to third parties
โœ… Mitigation: Open source code. No analytics, no telemetry. Direct SSH connection only.
โš ๏ธ Threat: Multiple tabs cause conflicts
โœ… Mitigation: Lock mechanism ensures only one browser tab can control a project at a time.
โš ๏ธ Threat: Malicious plans slip through
โœ… Mitigation: Destructive commands (rm -rf, chmod 777, etc.) are highlighted with warnings in plan view.
โš ๏ธ Threat: API key exposure
โœ… Mitigation: Max subscription uses OAuth login, not API key. If using API, key stays on your machine.

Best Practices

  1. Start with restrictive profiles

     Use "Plan Only" to understand the task, then switch to a more permissive profile only when you are ready to execute.

  2. Always deny sensitive paths

     Add "Write(~/.ssh/*)" and "Write(*.env)" to your deny list. Glob rules match literally, so "*.env" does not cover ".env.local" or similar variants; add a rule for every credential file name your project uses.

  3. Review plans carefully

     Read the file paths and commands before clicking Execute. If something looks wrong, ask Claude to explain or modify the plan rather than approving it.

  4. Use separate projects

     Keep production data in a separate project with restricted permissions. Use Full Access only for development environments.

  5. Export history for auditing

     Use plandrop-history to export complete logs, so you can track what Claude did and when.
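As an added example (not PlanDrop's or Claude Code's code) of the checks described under Deny-List Profiles, the plan-view warnings in the threat model, and the "deny sensitive paths" practice above, the following Python reviews a constructed plan against Write(...) and Bash(...) rules. The plan structure, the rule parsing, the /home/dev paths, the splitting on shell operators and the warning patterns are assumptions; the Bash deny patterns mirror the Standard profile's examples.

```python
"""Review a proposed plan against a deny list and flag destructive commands.

Added illustration, not PlanDrop's or Claude Code's code. The plan shape,
the rule parsing, the home/project paths and the warning patterns are
assumptions made for the example.
"""
import fnmatch
import os
import re

HOME = "/home/dev"                  # constructed
PROJECT_ROOT = HOME + "/project"    # constructed

# Deny rules in the Write(<glob>) / Bash(<glob>) shape this page uses for
# sensitive paths; the Bash entries are constructed to mirror the Standard
# profile's examples.
DENY_RULES = [
    "Write(~/.ssh/*)",
    "Write(*.env)",
    "Bash(sudo *)",
    "Bash(rm -rf /)",
    "Bash(shutdown*)",
]

# Commands that only get a warning in plan view: advisory, not a hard block.
DESTRUCTIVE = [
    re.compile(r"\brm\s+-\w*r\w*f\b|\brm\s+-\w*f\w*r\b"),
    re.compile(r"\bchmod\s+(?:-R\s+)?777\b"),
    re.compile(r"\bgit\s+push\b.*\s--force\b"),
]

_RULE = re.compile(r"(Write|Bash)\((.+)\)")
_CHAIN = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")   # operators between shell commands


def parse_rule(rule):
    m = _RULE.fullmatch(rule)
    if not m:
        raise ValueError(f"unrecognised rule: {rule!r}")
    return m.group(1), m.group(2)


def _absolute(path):
    """Expand ~ and resolve ../ against the project root, so a rule on ~/.ssh/*
    also covers a write to ../.ssh/authorized_keys issued from the project."""
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return os.path.normpath(os.path.join(PROJECT_ROOT, path))


def path_denied(path, rules=DENY_RULES):
    """The Write rule that denies this path, or None."""
    target = _absolute(path)
    for kind, pattern in map(parse_rule, rules):
        if kind == "Write" and fnmatch.fnmatchcase(target, _absolute(pattern)):
            return pattern
    return None


def command_denied(command, rules=DENY_RULES):
    """The Bash rule that denies this command, or None. The whole line and each
    &&, ||, ; and | segment are checked, so "echo ok && sudo reboot" is caught
    by the same "sudo *" rule as a bare sudo."""
    candidates = [command] + _CHAIN.split(command)
    for kind, pattern in map(parse_rule, rules):
        if kind == "Bash" and any(fnmatch.fnmatchcase(c, pattern) for c in candidates):
            return pattern
    return None


def destructive_warnings(command):
    """Patterns plan view should highlight for this command (advisory)."""
    return [p.pattern for p in DESTRUCTIVE if p.search(command)]


def review_plan(plan, rules=DENY_RULES):
    """One (step, verdict, detail) per step; verdict is DENY, WARN or OK."""
    findings = []
    for step in plan:
        if step["op"] == "write":
            hit = path_denied(step["path"], rules)
            findings.append((step, "DENY" if hit else "OK", hit or ""))
        elif step["op"] == "bash":
            hit = command_denied(step["command"], rules)
            warn = [] if hit else destructive_warnings(step["command"])
            verdict = "DENY" if hit else "WARN" if warn else "OK"
            findings.append((step, verdict, hit or "; ".join(warn)))
        else:
            raise ValueError(f"unknown plan step: {step!r}")
    return findings


# A constructed plan of the kind plan view would show.
SAMPLE_PLAN = [
    {"op": "write", "path": "src/app.py"},
    {"op": "write", "path": "config/.env"},
    {"op": "write", "path": "../.ssh/authorized_keys"},
    {"op": "write", "path": ".env.local"},           # not matched by *.env
    {"op": "bash", "command": "pytest -q"},
    {"op": "bash", "command": "echo done && sudo systemctl restart nginx"},
    {"op": "bash", "command": "rm -rf build/"},
]

if __name__ == "__main__":
    for step, verdict, detail in review_plan(SAMPLE_PLAN):
        print(f"{verdict:5} {step.get('path') or step['command']:45} {detail}")
```

Running it prints one DENY, WARN or OK line per step. Two results carry the lesson: the write to ../.ssh/authorized_keys is denied because paths are resolved before matching, and the write to .env.local is allowed because "*.env" does not match it; a second rule such as Write(.env.*) closes that gap. WARN is advisory, exactly as the plan-view highlighting is; only DENY is a hard stop.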

Have security questions?

Open an issue on GitHub or email us directly.