Cli Safe Flags + Claude Collector
Enforce Cli Safe Flags using data collected by Claude Collector. Automatically check DevEx, build and CI standards on every PR.
How Claude Collector Powers This Guardrail
The Claude Collector gathers metadata from your systems. This data flows into Lunar's Component JSON, where the Cli Safe Flags guardrail evaluates it against your standards.
When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement with actionable feedback.
Quick Start Configuration
Add both the collector and policy to your lunar-config.yml to enable this guardrail.
```yaml
# Step 1: Enable the Claude Collector
collectors:
  - uses: github://earthly/lunar-lib/collectors/claude@v1.0.5
    # with: ...

# Step 2: Enable the Claude Guardrails
policies:
  - uses: github://earthly/lunar-lib/policies/claude@v1.0.5
    include: [cli-safe-flags]
    # with: ...
```
What Claude Collector Collects
This collector gathers the following data that the Cli Safe Flags guardrail evaluates.
code-reviewer
Detects Claude Code Review check-runs on pull requests by querying the GitHub check-runs API. Waits for scan completion and writes a normalized entry to ai.code_reviewers[].
run-code-review
Runs the Claude CLI in review mode against pull request diffs. Captures review findings, severity levels, and affected files. Writes results to ai.native.claude.code_review for Claude-specific policy evaluation.
cicd
Detects Claude Code CLI invocations in CI pipelines. Records the command string, version, and extracted flags (--allowedTools, --disallowedTools, --mcp-config) for policy-level analysis. Also appends to ai.code_reviewers[] when it detects review-mode invocations (e.g. claude --review).
Example Data Flow
Here's an example of the data that Claude Collector writes to the Component JSON, which Cli Safe Flags then evaluates.
```json
{
  "ai": {
    "code_reviewers": [
      {
        "tool": "claude",
        "check_name": "Claude Code Review",
        "detected": true,
        "last_seen": "2024-01-14T08:00:00Z"
      }
    ],
    "instructions": {
      "all": [
        {
          "path": "CLAUDE.md",
          "dir": ".",
          "filename": "CLAUDE.md",
          "lines": 85,
          "bytes": 3200,
          "is_symlink": true,
          "symlink_target": "AGENTS.md"
        }
      ]
    },
    "native": {
      "claude": {
        "instruction_file": {
          "exists": true,
          "path": "CLAUDE.md",
          "lines": 85,
          "bytes": 3200,
          "is_symlink": true,
          "symlink_target": "AGENTS.md"
        },
        "cicd": {
          "cmds": [
            {
              "cmd": "claude -p --output-format json --allowedTools Bash(git*) Read 'review this PR'",
              "tool": "claude",
              "version": "1.0.20",
              "allowed_tools": "Bash(git*) Read"
            }
          ]
        },
        "code_review": {
          "ran": true,
          "findings_count": 3,
          "findings": [
            {
              "severity": "warning",
              "file": "src/auth.ts",
              "line": 42,
              "message": "Token expiry not checked before use"
            }
          ]
        }
      }
    }
  }
}
```
Configuration Options
Claude Collector Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| `path` | Required | — | JSON component path for run-prompt results (e.g., ".code_patterns.feature_flags") |
| `prompt` | Required | — | Prompt for Claude to run on the component repository (run-prompt only) |
| `json_schema` | Required | — | Optional JSON schema for structured output in run-prompt |
Claude Guardrails Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| `dangerous_flags` | Optional | `--dangerously-skip-permissions,--allow-dangerously-skip-permissions` | Comma-separated dangerous flags for Claude CLI |
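The check this guardrail describes can be expressed directly over the Component JSON shown earlier. The following Python is an added example, not Lunar's own policy code; the function names and the last two sample commands are assumptions made for illustration. It tokenizes each `cmd` so that a flag named inside a quoted prompt is not mistaken for a flag passed to the CLI.

```python
import shlex

# Default value of the `dangerous_flags` input documented on this page.
DEFAULT_DANGEROUS_FLAGS = (
    "--dangerously-skip-permissions,--allow-dangerously-skip-permissions"
)


def flags_in_command(cmd):
    """Return the long options that appear as real argv tokens in cmd."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = cmd.split()
    # "--flag=value" counts as "--flag"; quoted prompt text stays one token.
    return {t.split("=", 1)[0] for t in tokens if t.startswith("--")}


def find_dangerous_invocations(component, dangerous_flags=DEFAULT_DANGEROUS_FLAGS):
    """List CI commands under ai.native.claude.cicd.cmds that use a banned flag."""
    banned = {f.strip() for f in dangerous_flags.split(",") if f.strip()}
    cmds = (component.get("ai", {}).get("native", {}).get("claude", {})
            .get("cicd", {}).get("cmds", []))
    violations = []
    for entry in cmds:
        hits = sorted(flags_in_command(entry.get("cmd", "")) & banned)
        if hits:
            violations.append({"cmd": entry["cmd"], "flags": hits})
    return violations


# Constructed sample: the first command is the one from the page's example
# data; the other two are made up for illustration.
SAMPLE_COMPONENT = {"ai": {"native": {"claude": {"cicd": {"cmds": [
    {"cmd": "claude -p --output-format json --allowedTools Bash(git*) Read 'review this PR'"},
    {"cmd": "claude -p --dangerously-skip-permissions 'fix the failing tests'"},
    {"cmd": "claude -p 'explain why --dangerously-skip-permissions is risky'"},
]}}}}}

if __name__ == "__main__":
    for v in find_dangerous_invocations(SAMPLE_COMPONENT):
        print("FAIL:", ", ".join(v["flags"]), "in", v["cmd"])
```

Only the second sample command is reported; a plain substring search would also flag the third, where the flag is only mentioned in the prompt text.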