HACKER Q&A
📣 jamiecode

How do you enforce guardrails on Claude agents taking real actions?


Been running an autonomous Claude agent for a month (makes its own decisions between heartbeats, spawns subagents, uses tools). Prompt-level guardrails keep failing: "never delete more than 10 records" works until context gets long or an edge case hits, then the model ignores it.

Approaches I've tried or seen:

- Separate validation layer before tool execution
- Hard-coded pre/post conditions in the tool wrapper
- Secondary model auditing planned actions before they run

The secondary-model approach doubles costs. Tool wrappers work but need defensive code for every tool.

What's actually working in production? Specifically for agents that write to databases, send emails, or call APIs where mistakes are hard to undo.
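The tool-wrapper approach the question lists, shown as an added example that is not code from the post: the "never delete more than 10 records" rule is a pre-condition (dry-run count) and a post-condition (rowcount check inside a transaction) in the wrapper, so it holds regardless of what the model decides. The table/column allowlist, the `handle_tool_call` validation layer and the sqlite demo data are assumptions made for the example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed example, not code from the post: the "never delete more than 10
# records" rule lives in the tool wrapper, so it holds no matter what the model
# decides. The model only ever sees handle_tool_call(); it never gets a connection.

MAX_DELETE = 10
# Assumed allowlist: which tables and columns the agent may filter deletes on.
ALLOWED = {"orders": {"status", "customer_id"}}


class GuardrailViolation(Exception):
    """A pre- or post-condition failed; nothing was committed."""


@dataclass
class DeleteResult:
    table: str
    deleted: int


def delete_where_equals(conn, table, column, value):
    # Pre-conditions: structural checks, then a dry-run count, all before any write.
    if table not in ALLOWED or column not in ALLOWED[table]:
        raise GuardrailViolation(f"{table}.{column} is not an allowed delete target")
    sql_where = f"WHERE {column} = ?"  # identifiers come from the allowlist, value is bound
    (count,) = conn.execute(f"SELECT COUNT(*) FROM {table} {sql_where}", (value,)).fetchone()
    if count > MAX_DELETE:
        raise GuardrailViolation(f"would delete {count} rows in {table}, limit is {MAX_DELETE}")
    # The delete runs in an explicit transaction so the post-condition can undo it.
    conn.execute("BEGIN")
    try:
        cur = conn.execute(f"DELETE FROM {table} {sql_where}", (value,))
        # Post-condition: rows may have been added between the count and the delete.
        if cur.rowcount > MAX_DELETE:
            raise GuardrailViolation(f"delete hit {cur.rowcount} rows; rolled back")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return DeleteResult(table, cur.rowcount)


def handle_tool_call(conn, call):
    """Validation layer the agent talks to: refusals come back as tool output, not exceptions."""
    if call.get("tool") != "delete_where_equals":
        return {"ok": False, "error": f"unknown tool {call.get('tool')!r}"}
    try:
        r = delete_where_equals(conn, call["table"], call["column"], call["value"])
        return {"ok": True, "deleted": r.deleted}
    except (GuardrailViolation, KeyError) as e:
        return {"ok": False, "error": str(e)}


def make_demo_db():
    """In-memory table with 5 'stale' and 20 'active' orders (constructed data)."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, customer_id INTEGER)")
    conn.executemany("INSERT INTO orders (status, customer_id) VALUES (?, ?)",
                     [("stale", i) for i in range(5)] + [("active", i) for i in range(20)])
    return conn


def count_rows(conn, table="orders"):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = make_demo_db()
    print(handle_tool_call(db, {"tool": "delete_where_equals", "table": "orders",
                                "column": "status", "value": "stale"}))   # ok, 5 deleted
    print(handle_tool_call(db, {"tool": "delete_where_equals", "table": "orders",
                                "column": "status", "value": "active"}))  # refused, 20 > 10
```

The refusal is returned as ordinary tool output so the agent can re-plan, but the limit itself is never something the model can argue its way past; the same pattern (allowlist, dry-run count, transactional post-check) applies to the email and API tools the question mentions, with "count" replaced by the relevant blast-radius measure.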


  👤 nikisweeting Accepted Answer ✓
- ZFS snapshot all your state, makes it trivial to roll back changes

- gate access to secrets via external service that replaces placeholder values with actual secrets, e.g. something like agentvault.co

- have it perform the action on a staging env with fake data, then replay the recorded action on real data without the LLM involvement (e.g. use something like stagehand / director.ai to write the initial browser automation script, but then replay the recorded LLM actions deterministically after you see it work the first time)
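The answer's second and third points combined, as an added example that is not the answer's code nor any product's: the agent runs against a staging backend and sees only `{{SECRET:NAME}}` placeholders; its tool calls are recorded as a trace, a fingerprint of the trace is approved, and the trace is then replayed deterministically against the real backend with the placeholders resolved outside the model. The placeholder syntax, the secret store, the email tool and its two backends are assumptions made for the example.

```python
import hashlib
import json
import re

# Constructed example: record on staging with placeholder secrets, approve the
# trace, replay on the real target with no LLM in the loop.

PLACEHOLDER = re.compile(r"\{\{SECRET:([A-Z0-9_]+)\}\}")

# Assumed secret store; it lives on the replay side and the model never sees it.
SECRETS = {"MAIL_API_KEY": "real-key-do-not-log"}


class Recorder:
    """Wraps tool calls during the staging run and records them as a trace."""

    def __init__(self, tools):
        self.tools = tools
        self.trace = []

    def call(self, tool, **args):
        self.trace.append({"tool": tool, "args": args})
        return self.tools[tool](**args)


def trace_fingerprint(trace):
    """Hash of the canonical trace; approve it once, check it again before replay."""
    return hashlib.sha256(json.dumps(trace, sort_keys=True).encode()).hexdigest()


def resolve(value, secrets):
    """Replace {{SECRET:NAME}} placeholders; an unknown name is an error, not a blank."""
    if not isinstance(value, str):
        return value

    def sub(m):
        name = m.group(1)
        if name not in secrets:
            raise KeyError(f"no secret named {name}")
        return secrets[name]

    return PLACEHOLDER.sub(sub, value)


def replay(trace, approved_fingerprint, tools, secrets):
    """Run the approved trace against the real tools with real secrets."""
    if trace_fingerprint(trace) != approved_fingerprint:
        raise ValueError("trace differs from the approved one; refusing to replay")
    return [tools[s["tool"]](**{k: resolve(v, secrets) for k, v in s["args"].items()})
            for s in trace]


# Two backends with the same interface; each appends to its own outbox.
staging_outbox, prod_outbox = [], []


def staging_send_email(to, subject, api_key):
    staging_outbox.append((to, subject, api_key))  # fake data, placeholder key is fine here
    return "staged"


def prod_send_email(to, subject, api_key):
    if PLACEHOLDER.search(api_key):
        raise ValueError("unresolved placeholder reached the production tool")
    prod_outbox.append((to, subject, api_key))
    return "sent"


def demo():
    rec = Recorder({"send_email": staging_send_email})
    # What the agent would call during the staging run (constructed inputs).
    rec.call("send_email", to="customer@example.com", subject="Your invoice",
             api_key="{{SECRET:MAIL_API_KEY}}")
    fp = trace_fingerprint(rec.trace)  # a human reviews rec.trace and approves fp
    results = replay(rec.trace, fp, {"send_email": prod_send_email}, SECRETS)
    return rec.trace, results


if __name__ == "__main__":
    trace, results = demo()
    print(json.dumps(trace, indent=2))  # contains only the placeholder, never the key
    print(results)                      # ['sent']
```

The fingerprint check is what makes "replay after you see it work the first time" safe: the bytes that run in production are exactly the bytes that were reviewed, and any later edit to the trace (by the model or anything else) fails closed.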