Using TameFlare with Claude Code: Govern Agentic Coding Sessions
Claude Code executes shell commands, edits files, and calls APIs autonomously. Route its HTTP traffic through TameFlare to enforce policies, isolate credentials, and audit every external action - without changing how you use Claude Code.
What Claude Code does
Claude Code is Anthropic's agentic coding tool. It runs in your terminal and can:
git, npm, curl, etc.)
Unlike a chatbot, Claude Code acts autonomously. When you say "fix this bug and open a PR," it reads your code, edits files, runs tests, commits, pushes, and creates a pull request - all without asking for confirmation on each step.
The risk
Claude Code's power is also its risk. A single agentic coding session can:
- main instead of a feature branch
- .env files or hardcoded API keys
- npm install on an attacker-controlled dependency

Claude Code has built-in permission prompts for some actions, but these are client-side confirmations. Once you grant permission, there is no server-side enforcement layer.
How TameFlare governs Claude Code
TameFlare sits between Claude Code and the external APIs it calls. Every outbound HTTP request passes through the proxy, which enforces your policies.
Claude Code (terminal)
↓ HTTP requests
TameFlare Cloud Gateway (proxy.tameflare.com)
↓ policy check → allow / deny / require approval
GitHub API / npm / CI webhooks / etc.
What TameFlare intercepts
Claude Code makes HTTP calls for:
| Action | HTTP target | TameFlare connector |
|---|---|---|
| Git push/pull | github.com | GitHub connector |
| Create PR | api.github.com | GitHub connector |
| npm install | registry.npmjs.org | Generic HTTP |
| API calls | Various | Generic HTTP / MCP |
| Webhook triggers | Your CI/CD URL | Generic HTTP |
github.pr.create, github.branch.delete, or github.repo.push. Each action is evaluated against your policies before the request is forwarded.
Setup: 3 steps
1. Create a gateway
Sign in to the TameFlare dashboard and create a gateway for your Claude Code sessions. Add the GitHub connector and any other connectors for APIs Claude Code will call.
2. Configure permissions
Set up access rules for your gateway:
| Connector | Rule | Decision |
|---|---|---|
| GitHub | github.pr.create | Allow |
| GitHub | github.pr.merge | Require approval |
| GitHub | github.branch.delete | Deny |
| GitHub | github.repo.push (branch: main) | Deny |
| GitHub | github.repo.push (branch: feature/*) | Allow |
| Generic HTTP | * | Deny (allowlist only) |
3. Run Claude Code through the proxy
```bash
# Install the CLI
npm install -g @tameflare/cli

# Run Claude Code through TameFlare
tf run -- "claude-code" claude
```
That's it. Claude Code runs normally, but every outbound HTTP request is routed through the TameFlare proxy. Claude Code doesn't know it's being governed - the proxy is transparent.
Policy examples for Claude Code
Block force-pushes to protected branches
In the TameFlare dashboard, create a policy:
- github.repo.push
- parameters.branch matches main|staging|production
Require approval for PR merges
- github.pr.merge
Block npm publish
- registry.npmjs.org AND method is PUT
Allow read-only GitHub operations
- github.repos.get, github.pr.list, github.issues.list
What about MCP tool calls?
Claude Code can also use MCP (Model Context Protocol) to call tool servers. MCP's Streamable HTTP transport uses standard HTTP POST requests - which TameFlare intercepts automatically.
If Claude Code calls an MCP tool server at mcp-server.example.com, the request passes through the proxy just like any other HTTP call. Add a Generic HTTP connector for the MCP server's domain and set permissions accordingly.
No special MCP configuration needed - the same gateway that governs Claude Code's direct API calls also governs its MCP tool calls.
Comparison: Claude Code permissions vs TameFlare
| Feature | Claude Code built-in | TameFlare |
|---|---|---|
| Permission prompts | Yes (client-side) | Server-side enforcement |
| Granular API rules | No | Yes (per action type, per branch, per connector) |
| Credential isolation | No (reads env vars) | Yes (encrypted vault, injected at proxy) |
| Audit trail | Conversation log | Structured action log with policy match |
| Kill switch | Close the terminal | Scoped kill switch (per connector or global) |
| Approval workflow | Accept/reject in terminal | Slack, dashboard, or CLI approval |
| Works offline | Yes | Gateway runs locally, works offline |
Tips for Claude Code + TameFlare
- Start in monitor mode. Set the gateway enforcement level to "monitor" first. Watch the traffic log to see what HTTP calls Claude Code makes, then write policies based on real traffic patterns.
- Use wildcard permissions for reads. github.repos.get, github.pr.list, github.issues.list - read operations are low risk. Allow them with github.*.get and github.*.list wildcards.
- Block by default, allow explicitly. TameFlare is deny-all by default. Only add allow rules for the specific actions Claude Code needs. If it tries something unexpected, the proxy blocks it and logs the attempt.
- Review the audit trail after each session. The traffic page shows every action Claude Code took. Use it as a post-session review before merging any changes.
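
The rule table from step 2, combined with the read wildcards and the block-by-default tip above, can be modelled offline to check what a rule set will decide before it is enforced. This is an added example, not TameFlare's code: the tuple layout, the `decide` and `audit` functions, glob matching, and the "strictest matching rule wins" precedence are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumed precedence when several rules match: the strictest decision wins.
SEVERITY = {"allow": 0, "require_approval": 1, "deny": 2}

# Rules from the step 2 table plus the read wildcards from the tips.
# Hypothetical layout: (connector, action pattern, branch pattern or None, decision)
RULES = [
    ("github", "github.pr.create", None, "allow"),
    ("github", "github.pr.merge", None, "require_approval"),
    ("github", "github.branch.delete", None, "deny"),
    ("github", "github.repo.push", "main", "deny"),
    ("github", "github.repo.push", "feature/*", "allow"),
    ("github", "github.*.get", None, "allow"),
    ("github", "github.*.list", None, "allow"),
    ("generic_http", "*", None, "deny"),
]


def decide(connector, action, branch=None, rules=RULES):
    """Return (decision, matched_rule); matched_rule is None on default deny."""
    best = None
    for rule in rules:
        r_conn, r_action, r_branch, r_decision = rule
        if r_conn != connector or not fnmatchcase(action, r_action):
            continue
        # A branch-scoped rule applies only when the request names a matching branch.
        if r_branch is not None and (branch is None or not fnmatchcase(branch, r_branch)):
            continue
        if best is None or SEVERITY[r_decision] > SEVERITY[best[3]]:
            best = rule
    if best is None:
        return "deny", None  # nothing matched: block by default
    return best[3], best


def audit(requests):
    """Evaluate a batch of requests and return (action, branch, decision) rows."""
    return [(a, b, decide(c, a, b)[0]) for c, a, b in requests]


if __name__ == "__main__":
    sample = [  # constructed requests, not captured traffic
        ("github", "github.repo.push", "main"),
        ("github", "github.repo.push", "feature/login"),
        ("github", "github.repo.push", "hotfix/urgent"),
        ("github", "github.issues.list", None),
        ("github", "github.repo.delete", None),
    ]
    for row in audit(sample):
        print(row)
```

In this model a push to `hotfix/urgent` and the unlisted `github.repo.delete` are both denied with no matching rule, which is the case to look for in the traffic log when moving from monitor mode to enforcement.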