Claude Code
Connect Claude Code to LatchGate so every tool call goes through the execution security kernel.
Prerequisites
- LatchGate running (latchgate up or production deployment)
- latchgate-mcp binary on PATH (from GitHub Releases or brew install latchgate-ai/tap/latchgate)
- Claude Code installed (npm install -g @anthropic-ai/claude-code)
Automatic setup

    latchgate-mcp install --ide claude-code

This writes the MCP server entry to ~/.claude/settings.json under the mcpServers key. Start a new Claude Code session to pick up the configuration.
Preview first without writing:

    latchgate-mcp install --ide claude-code --dry-run

Manual setup
Add to ~/.claude/settings.json:

    {
      "mcpServers": {
        "latchgate": {
          "command": "/usr/local/bin/latchgate-mcp",
          "args": ["serve", "--gate-url", "http://localhost:3000"],
          "env": {
            "LATCHGATE_AGENT_ID": "claude-code",
            "RUST_LOG": "warn"
          }
        }
      }
    }

Adjust the binary path if installed elsewhere. Use which latchgate-mcp to find it.
Alternatively, use the Claude Code CLI:

    claude mcp add latchgate \
      --scope user \
      --env LATCHGATE_AGENT_ID=claude-code \
      --env RUST_LOG=warn \
      -- latchgate-mcp serve --gate-url http://localhost:3000

Project-scoped configuration
For team sharing via git, use project scope. This writes to .mcp.json at the project root:

    claude mcp add latchgate \
      --scope project \
      --env LATCHGATE_AGENT_ID=claude-code \
      --env RUST_LOG=warn \
      -- latchgate-mcp serve --gate-url http://localhost:3000

Every developer who clones the repo gets the same LatchGate MCP configuration automatically.
End-to-end verification
- Start LatchGate:

      latchgate up --expose-http 127.0.0.1:3000

- Install config:

      latchgate-mcp install --ide claude-code

- Start a new Claude Code session.
- Ask Claude Code to perform an HTTP request (e.g. “fetch https://httpbin.org/get via latchgate”).
- Verify the audit trail:

      latchgate audit --limit 5

- Confirm the full pipeline: lease ⇒ policy ⇒ WASM sandbox ⇒ receipt.
Combining with the agent sandbox
Claude Code is a terminal agent that can run shell commands and edit files. For defense-in-depth, run Claude Code inside LatchGate’s agent sandbox so the process itself is contained:

    latchgate sandbox -- claude-code

Inside the sandbox, Claude Code runs in Linux namespaces with an empty network stack. It can only reach external systems through LatchGate (via the gate UDS) and the LLM API (via the HTTPS proxy). See Agent Sandbox for the full configuration reference.
When combining sandbox + MCP:
- The sandbox gives containment — Claude Code’s built-in tools (bash, file edit) are restricted to the sandbox namespace.
- The MCP adapter gives controlled external access — actions like HTTP calls, database writes, and email go through the gate’s full pipeline.
Production (UDS transport)
Replace --gate-url with UDS + public base URL for production:

    {
      "mcpServers": {
        "latchgate": {
          "command": "/usr/local/bin/latchgate-mcp",
          "args": ["serve", "--public-base-url", "http://localhost:3000"],
          "env": {
            "LATCHGATE_AGENT_ID": "claude-code",
            "RUST_LOG": "warn"
          }
        }
      }
    }

This connects via /run/latchgate/gate.sock (default) — no TCP exposure.
For production hardening with UDS transport, see Deployment.
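
A pre-flight check for the settings.json / .mcp.json entries shown on this page, as an added example (not part of LatchGate or its documentation). The `audit` function, the loopback rule and the `production` switch are assumptions of this sketch; the sample configurations are constructed from the snippets above.

```python
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: dev gate stays on loopback

def audit(config: dict, production: bool = False) -> list[str]:
    """Return findings for the 'latchgate' MCP entry; an empty list means it matches the page."""
    entry = config.get("mcpServers", {}).get("latchgate")
    if entry is None:
        return ["no mcpServers.latchgate entry found"]
    findings = []
    args = entry.get("args", [])
    if not str(entry.get("command", "")).endswith("latchgate-mcp"):
        findings.append("command is not the latchgate-mcp binary")
    if args[:1] != ["serve"]:
        findings.append("args do not start with 'serve'")
    if not entry.get("env", {}).get("LATCHGATE_AGENT_ID"):
        findings.append("LATCHGATE_AGENT_ID is not set")
    if "--gate-url" in args:
        i = args.index("--gate-url")
        url = args[i + 1] if i + 1 < len(args) else ""
        host = urlparse(url).hostname
        if production:
            findings.append("--gate-url (TCP) in production; the page uses UDS there")
        if host not in LOOPBACK:
            findings.append(f"--gate-url host {host!r} is not loopback")
    return findings

def _entry(args, env):
    # Helper for the constructed samples below.
    return {"mcpServers": {"latchgate": {
        "command": "/usr/local/bin/latchgate-mcp", "args": args, "env": env}}}

ENV = {"LATCHGATE_AGENT_ID": "claude-code", "RUST_LOG": "warn"}
DEV = _entry(["serve", "--gate-url", "http://localhost:3000"], ENV)
PROD = _entry(["serve", "--public-base-url", "http://localhost:3000"], ENV)
# Constructed misconfiguration: gate reached over a LAN address, no agent ID.
EXPOSED = _entry(["serve", "--gate-url", "http://10.0.0.5:3000"], {"RUST_LOG": "warn"})

if __name__ == "__main__":
    for name, cfg, prod in [("dev", DEV, False), ("prod", PROD, True),
                            ("exposed", EXPOSED, False)]:
        print(name, audit(cfg, production=prod) or "ok")
```

To check a real machine, pass the result of `json.load` on ~/.claude/settings.json (user scope) or .mcp.json (project scope) to `audit`.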