Enterprise security proxy for Claude Code
Arfa is an open-source security gateway for Claude Code that gives organizations visibility and control over AI agent usage.
Key Features:
- Transparent HTTPS Proxy - Intercept and log all Claude Code API traffic
- Activity Monitoring - Track every tool call, file access, and command execution
- Policy Enforcement - Block dangerous operations based on organizational policies
- Zero Configuration - Automatic client detection and policy application
- Multi-Tenant SaaS - Centralized management across teams and organizations
The Problem:
- Companies want developers using Claude Code for productivity
- But IT/Security teams lack visibility into what the AI agent is doing
- No way to enforce policies (e.g., "don't write to production database", "don't access secrets")
- No audit trail for compliance
The Solution: Arfa's transparent proxy architecture lets you:
- See everything - Every API call, tool execution, file access is logged
- Control access - Block dangerous operations via declarative policies
- Audit usage - Complete audit trail for security/compliance reviews
- Enable safely - Developers use Claude Code freely within guardrails
```text
┌─────────────────────────────────────────────────────────────┐
│                     Developer's Machine                     │
│                                                             │
│  ┌──────────────┐           ┌──────────────┐                │
│  │ Claude Code  │──────────▶│  Arfa Proxy  │                │
│  │              │   HTTPS   │ (localhost)  │                │
│  └──────────────┘           └──────┬───────┘                │
│                         Intercept, Log, Enforce             │
│                                    │                        │
└────────────────────────────────────┼────────────────────────┘
                                     │
                            ┌────────▼─────────┐
                            │ api.anthropic.com│
                            │   (Claude API)   │
                            └────────┬─────────┘
                                     │
                            ┌────────▼─────────┐
                            │  Arfa Platform   │
                            │ (Activity Logs,  │
                            │    Policies)     │
                            └──────────────────┘
```
How it works:
- CLI installs local HTTPS proxy (localhost:8082) with self-signed CA certificate
- Claude Code auto-configured via `HTTPS_PROXY` and `SSL_CERT_FILE` env vars
- Proxy intercepts all API traffic to api.anthropic.com
- Policies enforced - dangerous tool calls blocked before reaching Claude
- Logs uploaded async to central platform for audit/analysis
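To make the "policies enforced" step concrete, here is an added example (written for this page, not Arfa's own code) of a policy check a proxy can run over the `tool_use` blocks of a Claude Messages API message; the block shape is the same whether it appears in the model's response, where the tool call is first requested, or is echoed back in the assistant turn of the next request. The `Policy` format, and the Claude Code tool names and input keys (`Write`/`file_path`, `Bash`/`command`), are assumptions.

```go
package main

import (
	"encoding/json"
	"path/filepath"
	"strings"
)

type Policy struct { // hypothetical declarative rule set, not Arfa's real policy format
	DeniedFileGlobs []string // globs the base name of a written file must not match
	DeniedCmdSubstr []string // substrings a shell command must not contain
}
type block struct { // one Messages API content block, only the fields the check needs
	Type  string         `json:"type"`
	Name  string         `json:"name"`  // assumed Claude Code tool names: Read, Write, Edit, Bash
	Input map[string]any `json:"input"` // assumed input keys: "file_path", "command"
}
// Evaluate scans a "content" array for tool_use blocks; an empty result means the proxy may forward it.
func Evaluate(content []byte, p Policy) ([]string, error) {
	var blocks []block
	if err := json.Unmarshal(content, &blocks); err != nil {
		return nil, err // string-typed content is not an array: caller treats it as having no tool calls
	}
	var out []string
	for _, b := range blocks {
		switch {
		case b.Type != "tool_use": // text and tool_result blocks carry no tool call
		case b.Name == "Write" || b.Name == "Edit":
			path, _ := b.Input["file_path"].(string)
			for _, g := range p.DeniedFileGlobs {
				if ok, _ := filepath.Match(g, filepath.Base(path)); ok {
					out = append(out, b.Name+" to "+path+" matches denied glob "+g)
				}
			}
		case b.Name == "Bash":
			cmd, _ := b.Input["command"].(string)
			for _, s := range p.DeniedCmdSubstr {
				if strings.Contains(cmd, s) {
					out = append(out, "Bash command contains denied substring "+s)
				}
			}
		}
	}
	return out, nil
}
// Sample is a constructed content array: an allowed Read, a denied Bash, a denied Write.
const Sample = `[{"type":"tool_use","id":"t1","name":"Read","input":{"file_path":"README.md"}},
{"type":"tool_use","id":"t2","name":"Bash","input":{"command":"psql -c 'DROP TABLE users'"}},
{"type":"tool_use","id":"t3","name":"Write","input":{"file_path":"config/prod.env","content":"x"}}]`
var DefaultPolicy = Policy{DeniedFileGlobs: []string{"*.env", "*.pem"}, DeniedCmdSubstr: []string{"DROP TABLE", "rm -rf /"}}
```

Running `Evaluate([]byte(Sample), DefaultPolicy)` yields two violations, one for the `DROP TABLE` command and one for the write to `prod.env`, while the `Read` passes; a real proxy would log all three and reject the message on any violation.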
```bash
# Clone repository
git clone https://github.com/rastrigin-systems/arfa.git
cd arfa

# Start PostgreSQL with Docker
docker compose up -d
# Database will auto-load schema and seed data
```
⚠️ Development credentials (local dev only, never use in production):
- Email: `admin@acme.com`
- Password: `password`
```bash
# Install code generation tools
make install-tools

# Generate API types and database code
make generate
```

```bash
cd services/api
go run cmd/server/main.go
```

API server runs at http://localhost:8080
```bash
# Build and install CLI
cd services/cli
make install

# CLI installed to /usr/local/bin/arfa
arfa version
```

```bash
# Login to platform (use admin@acme.com / password)
arfa login

# Start proxy
arfa proxy start
```

Proxy runs at http://localhost:8082

```bash
# In a new terminal, set environment variables
eval $(arfa proxy env)

# Now run Claude Code - all traffic is logged!
claude "list files in current directory"

# View logs
arfa logs view
```

- Getting Started - Setup instructions
- Architecture Overview - System design
- Database Schema - Visual ERD + table reference
- Contributing - Code generation, TDD, best practices
- Testing Guide - Unit, integration, E2E testing
- PR Workflow - Git workflow, branch naming
- API Server - REST API, WebSocket, business logic
- CLI Client - Proxy, commands, setup
- Web UI - Next.js admin panel
- OpenAPI Spec - Complete API contract
```text
arfa/
├── services/               # Self-contained services
│   ├── api/                # REST API (Go)
│   ├── cli/                # Proxy CLI (Go)
│   └── web/                # Admin UI (Next.js)
│
├── platform/               # Shared resources (source of truth)
│   ├── api-spec/           # OpenAPI 3.0.3 spec
│   └── database/           # PostgreSQL schema, queries, seeds
│
├── generated/              # Auto-generated code (not in git)
│   ├── api/                # From OpenAPI spec
│   └── db/                 # From SQL schema
│
├── docs/                   # Documentation
│   ├── architecture/       # System design
│   ├── development/        # Developer guides
│   └── database/           # Schema docs (auto-generated)
│
├── go.work                 # Go workspace config
├── docker-compose.yml      # Local dev environment
└── Makefile                # Build automation
```
- Language: Go 1.24+
- API Framework: Chi router, OpenAPI 3.0.3
- Database: PostgreSQL 15+ (multi-tenant with RLS)
- Proxy: goproxy with custom handlers
- Code Generation: oapi-codegen, sqlc
- Framework: Next.js 14 (App Router)
- Styling: Tailwind CSS
- API Client: OpenAPI TypeScript types
```bash
make help            # Show all available commands

# Database
make db-up           # Start PostgreSQL
make db-reset        # Reset schema + load seeds
make db-down         # Stop PostgreSQL

# Code generation
make generate        # Generate all code
make generate-api    # API types only
make generate-db     # Database code only

# Testing
make test            # Run all tests
make test-api        # API tests only
make test-cli        # CLI tests only

# Building
make build           # Build all services
```

We welcome contributions! Please see our Contributing Guide for details.
- Fork the repository
- Create feature branch: `git checkout -b feature/my-feature`
- Make changes following TDD
- Run tests: `make test`
- Commit with descriptive message
- Push and create Pull Request
DO NOT open public GitHub issues for security vulnerabilities.
Instead, email: sergei@rastrigin.systems
- JWT Authentication - Secure API access
- Row-Level Security - Database-level multi-tenancy
- HTTPS Proxy - TLS interception with self-signed CA
- Policy Enforcement - Block dangerous tool calls
- Audit Logging - Complete activity trail
This project is licensed under the MIT License - see the LICENSE file for details.
- Documentation: docs/
- Bug Reports: GitHub Issues
- Discussions: GitHub Discussions
Built with:
- Go - Systems programming language
- PostgreSQL - Powerful open source database
- Next.js - React framework
- goproxy - HTTP/HTTPS proxy library
- sqlc - Type-safe SQL code generation
Made with love for teams embracing Claude Code safely