turnstile

command module
v1.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 5, 2026 License: MIT Imports: 10 Imported by: 0

README

Turnstile

A fast, simple, deterministic Claude Code auto-allow mode, for the masses.

CI Go Reference Go Report Card Release License

Turnstile lets Claude Code run the safe commands you'd never bother to confirm and stops the dangerous ones before they reach the model. It's a PreToolUse hook that returns allow, ask, or deny from a TOML ruleset in a couple of milliseconds.

Claude Code's built-in permissions block uses exact string matching and operates after the tool call reaches the harness. Turnstile runs at the PreToolUse hook stage with RE2 regular expressions, gives deny precedence over allow, supports scoped cd roots so directory traversal is blocked, and parses Bash commands segment-by-segment so pipelines, subshells, and redirections are validated independently. That makes it easy to express policies like "allow all git commands except those that modify remote state" or "block kubectl delete anywhere in a pipeline."

Quickstart

Install the binary:

go install github.com/rogvc/turnstile@latest

Wire it up:

turnstile install

Or manually merge this into ~/.claude/settings.json (assuming turnstile is on your PATH):

{
  "hooks": {
    "PreToolUse": [
      {
        "hooks": [{ "type": "command", "command": "turnstile", "timeout": 1 }]
      }
    ]
  }
}

Verify it's working:

turnstile --test 'git status'
# Expected: allow

turnstile --test 'sudo rm -rf /'
# Expected: deny

Documentation

For everything else, see the docs directory:

  • Usage covers managing rules, testing decisions, and the exit code contract.
  • Configuration covers the config file format, recipes, environment-variable assignments, and path-qualified commands.
  • How it works covers the hook protocol, decision reasons, performance, and the security model.
  • Claude Skill covers installing the /turnstile skill so Claude can manage rules from conversation.

Contributing

PRs welcome. Please run make ci before submitting and ensure tests pass. For bugs, feature requests, or questions, open an issue in the GitHub tracker.

License

MIT

Documentation

Overview

Package main is the turnstile CLI entry point: it serves as a Claude Code PreToolUse hook by default, with `add`, `remove`, `upgrade`, `install`, `uninstall`, and `version` subcommands.

Source Files

View all Source files

Directories

Path Synopsis
internal
config
Package config loads and compiles turnstile policy rules from a TOML file.
 Package config loads and compiles turnstile policy rules from a TOML file.
gate
Package gate evaluates tool-use requests against compiled allow/deny rules.
 Package gate evaluates tool-use requests against compiled allow/deny rules.
shell
Package shell parses Bash command strings into normalized segments for policy evaluation: subshell extraction, quote masking, heredoc handling, and pipeline splitting.
 Package shell parses Bash command strings into normalized segments for policy evaluation: subshell extraction, quote masking, heredoc handling, and pipeline splitting.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.