← Integrations AI coding

Claude Code, governed.

Anthropic's terminal coding agent reads your files, edits your code, and runs your shell. Raidu sits between Claude Code and the Anthropic API, redacts everything that should never leave, authorizes every tool call, and hands you a signed record of what actually happened.

Book a meeting See the runtime
The tool
Claude Code
Anthropic's coding agent in your terminal.

Claude Code drives the terminal, reads the repo, edits files, and executes shell commands on your behalf. That surface area is the new audit boundary.

Without governance

The risk surface of a terminal agent.

Claude Code is fast because it acts. Every action it takes is also a compliance event your auditor will ask about.

Risk 01

Repo-wide context leaks

Claude Code reads whatever it needs to solve the task: config files, .env, credentials, internal docs. Without governance, all of it can flow outbound as prompt context with no record of what was sent or why.

Risk 02

Shell execution without review

Claude Code runs shell commands to test, install, deploy. A single unreviewed command can touch production, modify infrastructure, or execute a remote payload. There is no signed trail of what ran, against what policy, or who approved it.

Risk 03

File edits that ship to main

When the agent commits code that reaches production, regulators ask who authored it, who reviewed it, and under what policy. Commit metadata alone is not evidence. A signed pre-commit record is.

Risk 04

Credential scope drift

A developer's Anthropic key opens the whole model. Inside regulated repos, you need per-repo policies, per-branch gates, and revocable scopes. Raw API keys give you none of that.

With Raidu

How Raidu governs Claude Code.

The same five-checkpoint runtime that governs every other Raidu-wrapped agent. No CLI change. No plugin. Point Claude Code at Raidu's Anthropic-compatible endpoint and you are done.

01

Outbound redaction on every prompt

Checkpoint 02 · Before LLM

File context, shell output, and user instructions are scanned before they reach the Anthropic API. Secrets, keys, customer PII, and flagged internals are replaced with deterministic tokens the model still reasons with. Nothing unmasked leaves your network.

02

Tool-call authorization

Checkpoint 03 · Before Tool

Every bash, edit, read, and write that Claude Code wants to invoke passes through a per-tool policy. Allowlist shell commands, restrict writes to specific paths, require approval for destructive operations. Denials are signed too.

03

Response scanning for exfiltration and harm

Checkpoint 05 · Agent Response

Model output is inspected for hallucinated packages, insecure code, license-flagged snippets, and data-exfiltration attempts before it reaches the terminal. Clean output streams through. Risky output is held with a reason.

04

Signed, WORM-persisted evidence

Post-execution

Every session becomes a chain of signed records: prompts, tool calls, responses, decisions, policy version, developer identity. RSA-4096 signed. SHA-256 chained. RFC 3161 timestamped. 10-year retention by default.

Integration

One env var. Governance on.

Claude Code honors the standard Anthropic client env vars. Route traffic through Raidu and every session is governed, scoped, and signed.

Claude Code · terminal shell
# Point Claude Code at Raidu's Anthropic-compatible endpoint.
export ANTHROPIC_BASE_URL=https://proxy.raidu.com/acme-corp/anthropic
export ANTHROPIC_API_KEY=raidu_xxx   # scoped, rotatable, revocable
export RAIDU_POLICY=coding.eng.v7   # per-repo or per-team

claude code

# Every message from the agent now carries:
#   x-raidu-policy:     coding.eng.v7
#   x-raidu-record-id:  rec_01JBVX7P9A8Z8PTQJG4K9NDJ4W
#   x-raidu-decision:   allow | mask | deny | approval-required
#   x-raidu-signature:  MIIFxjCCA66gAwIBAgI...
Questions

Questions from security and engineering.

Does Raidu require a modified Claude Code CLI? +
No. Claude Code uses the standard Anthropic client env vars. Setting ANTHROPIC_BASE_URL routes traffic through Raidu. Nothing else in the CLI changes, including MCP servers and subagents.
Can Raidu govern the bash and edit tools Claude Code uses? +
Yes. Tool calls are intercepted at Checkpoint 03. You can allowlist specific shell commands, restrict file writes to path globs, require approval for anything destructive, and block tool calls that match unsafe patterns. Denials are signed.
What is the latency overhead per message? +
Under 100 ms per checkpoint at p95, measured on n2-standard-4 in GCP us-east1. For a typical Claude Code turn the overhead is amortized across the streaming response.
How does Raidu handle MCP servers and subagents? +
Each MCP tool is treated as an external service. Connector-aware PII rules apply: the Slack MCP sees Slack PII, the Jira MCP does not. Subagents inherit the parent session's policy and record chain.
Can my auditor verify the trail without access to our environment? +
Yes. Every record carries a public verifiable signature. The auditor submits a record ID to the verification endpoint and gets a signed response with the full chain. No environment access needed.
Does this work for self-hosted or on-prem Anthropic deployments? +
Yes. Raidu can deploy inside your VPC (Private Cloud mode) or air-gapped (On-Prem mode) and front any Anthropic-compatible endpoint, including Bedrock and Vertex.