Brainfile › Claude Code Guardrails Guide
Claude Code · Guardrails

Why Claude Ignores Your Rules
— and How to Enforce Them

A rule in CLAUDE.md is a strong suggestion, not a lock. Real guardrails stack three layers: guidance, deterministic enforcement, and governance. Here’s how to build all three — with a copy-paste settings example.

Start here → Build a free starter
In this guide

CLAUDE.md is guidance, not a guarantee

Here’s the thing tool marketing avoids saying: rules you put in CLAUDE.md are delivered to the model as context, not as hard enforcement. The model reads them and usually follows them — but compliance is probabilistic, not guaranteed. Writing “never run destructive commands” in a markdown file is a strong suggestion, not a lock on the door.

That doesn’t make CLAUDE.md useless — it makes it one layer of three. Real guardrails come from stacking guidance with deterministic enforcement and human review. Miss the bottom two layers and you don’t have guardrails; you have hopes written down.

Why your rule got ignored

When Claude does something your CLAUDE.md “forbade,” it’s not malfunctioning. A soft instruction lost to a stronger, more immediate signal in the conversation. The fix isn’t a louder rule — it’s moving that rule to a layer that can’t be overridden.

The three layers of a real guardrail

LayerWhere it livesStrengthUse it for
GuidanceCLAUDE.md, project instructionsProbabilistic — the model usually compliesConventions, style, architecture intent, “prefer X over Y”
EnforcementPermissions, hooks, managed settingsDeterministic — the model cannot bypass itBlocking dangerous commands, restricting paths, requiring checks before a tool runs
GovernanceVersion control, review, audit logHuman — changes are owned and traceableWho can change the rules, what changed, and why

The mistake almost everyone makes is trying to do all three jobs with layer one. If a rule genuinely must hold — secrets, destructive commands, protected files — it belongs in enforcement, not in prose the model is free to reweigh.

Move “must-hold” rules into enforcement

Claude Code supports settings that gate what a tool is even allowed to do — independent of what the model “decides.” A permission/hook layer turns a soft rule into a deterministic one. A minimal example that denies risky commands and requires a check runs before edits are accepted:

.claude/settings.json — enforcement layer (example)
{ "permissions": { "deny": [ "Bash(rm -rf*)", "Bash(git push --force*)", "Read(.env*)", "Read(**/secrets/**)" ] }, "hooks": { "PreToolUse": [ { "matcher": "Edit|Write", "hooks": [ { "type": "command", "command": "npm run lint --silent" } ] } ] } }
Guidance vs. enforcement, in one line

“Please don’t read secrets” in CLAUDE.md is guidance. Read(.env*) in the deny list is enforcement. Write the intent in CLAUDE.md so the model understands why; put the hard stop in settings so it can’t cross the line even if it wanted to.

For an organization, the same idea scales up: managed settings can define policies that individual developers can’t override, and every action can be logged for an audit trail. That’s the difference between a rule you hope is followed and a control you can prove was in place.

Governance: who owns the guardrails

A guardrail nobody owns decays. Governance is the third layer — the boring, essential part:

We cover the versioning side in depth in the CLAUDE.md version-control guide.

Guardrail mistakes to avoid

Where Brainfile fits

Guardrails are three layers. Brainfile ships all three.

Most setups are one layer — a CLAUDE.md full of good intentions. That’s guidance the model can reweigh. The enforcement and governance layers are where safety actually lives, and they’re the parts a one-time generator skips.

Brainfile is a governed Claude Code operating system: 7 layers and 70+ components spanning guidance, deterministic enforcement, and versioned governance — maintained over time so your guardrails hold as your codebase and Claude Code change.

Build a free starter Brainfile →

Free in-browser builder · Brainfile Pro maintains & governs it: 7 layers, 70+ components, $99/mo

Frequently Asked Questions

Why does Claude ignore rules in my CLAUDE.md?

Because those rules are delivered as context, so the model follows them probabilistically. A stronger, more immediate signal in the conversation can outweigh them. For rules that must hold, use enforcement (permissions/hooks), not prose.

What is the difference between CLAUDE.md and settings.json?

CLAUDE.md is guidance the model reads and usually follows. .claude/settings.json defines what tools are allowed to do at all — deny lists, permissions, and hooks — which the model cannot bypass. Use both: intent in CLAUDE.md, hard stops in settings.

How do I stop Claude Code from touching secrets or running destructive commands?

Put them in the permissions deny list in .claude/settings.json (for example, deny reading .env files or running rm -rf). That is deterministic enforcement, unlike a written request in CLAUDE.md.

How do teams govern Claude Code guardrails?

Version CLAUDE.md and settings in git, assign an owner via CODEOWNERS, keep the change history as an audit trail, and review on a cadence. Managed settings can enforce org-wide policies developers can’t override.

Start free

Generate a starter Brainfile free.
Then let it stay maintained.

The free Brainfile Builder walks you through a few questions and generates a starter CLAUDE.md-style setup right in your browser — copy it or download the .md file and drop it in your repo. No account needed to try it.

A starter file is a snapshot. Brainfile Pro ($99/mo, or $999/yr) keeps it alive — 7 layers and 70+ components, versioned and governed, and refreshed as Claude Code and your codebase change, so your context never quietly rots.

14-day free trial · 30-day money-back guarantee · Cancel anytime

Team setup? Reach out →