You are viewing the development version. Switch to v0.4.5 (latest release).

clash

Sandbox anything, trust what you run.

Command Line Agent Safety Harness — a pattern-matching policy engine with kernel-enforced sandboxes for AI agents, build scripts, or anything you don't fully trust.

curl -fsSL https://raw.githubusercontent.com/empathic/clash/main/install.sh | bash

One tool, two modes

Clash works standalone or as an agent plugin. Same policy engine, same kernel sandboxes, same rules.

Sandbox any command

Run any command inside a sandbox with restricted filesystem and network access. No agent needed — just clash sandbox exec.

# create a sandbox: read-only project, no network
clash sandbox create build --network deny
clash sandbox add-rule build ./src --caps read

# run a build script inside it
clash sandbox exec --sandbox build --cwd . \
  make build

Guard your AI agent

Write policy rules that auto-approve safe operations, block dangerous ones, and prompt you only when it matters. Hooks into your agent's plugin system.

clash init    # install the agent plugin
claude        # every tool call now goes through your policy

Kernel-enforced, not honor-system

Clash doesn't ask processes to behave. It tells the kernel what they're allowed to touch.

On Linux, Landlock restricts filesystem access and seccomp + proxy filters network calls. On macOS, Seatbelt profiles do the same. Either way: restrictions are inherited by every child process, can't be escaped, and work on any binary — not just programs that opt in.

# verify your platform supports sandboxing
clash sandbox check

# test it interactively
clash sandbox test

Yes, we see the irony

Our install instructions say curl | bash. So does every Rust toolchain, Node version manager, and Homebrew setup guide. You've probably run a dozen of these this year. Each one had full access to your home directory, your SSH keys, your shell history, everything.

What if you could sandbox that?

# create a sandbox for install scripts:
# write only to ~/.local/bin, read the rest, no network after download
clash sandbox create installer --network deny
clash sandbox add-rule installer ~/.local/bin --caps write
clash sandbox add-rule installer / --caps read

# now run any install script inside it
curl -fsSL https://example.com/install.sh \
  | clash sandbox exec --sandbox installer --cwd /tmp bash

The script can write to ~/.local/bin and nowhere else. It can't read your SSH keys, can't modify your shell profile, can't phone home. If it tries, the kernel says no.

This is what Clash is for. Not just AI agents — anything you don't trust.

Policies that read like English

# ~/.clash/policy.star
load("@clash//builtin.star", "base")
load("@clash//std.star", "exe", "policy", "cwd", "domains")

def main():
    my_rules = policy(default = ask, rules = [
        # project files: read and write
        cwd(follow_worktrees = True).allow(read = True, write = True),

        # cargo and git are fine — except the destructive parts
        exe("cargo").allow(),
        exe("git", args = ["push"]).deny(),
        exe("git", args = ["reset", "--hard"]).deny(),
        exe("git").allow(),

        # network: GitHub only
        domains({"github.com": allow}),
    ])
    return base.update(my_rules)

Three effects: allow auto-approves, deny blocks, ask prompts you. First match wins. Edits take effect immediately.

Policies are Starlark (a Python dialect), compiled to a decision tree at load time. Evaluation is in-process and instant — no network, no external process.

How it thinks

Pattern match

Every invocation is tested against a tree of pattern-matching rules. Rules match across three domains — exec (commands), fs (files), and net (network). First match wins.

Sandbox

A matched rule can carry a sandbox — kernel-level restrictions on what the process can touch. Filesystem paths, network access, all inherited by child processes, all inescapable.

Decide

The match resolves to one of three effects: allow (proceed), deny (block), or ask (prompt the user). No match falls through to the policy default.

Use cases

AI agents

Stop clicking "yes" hundreds of times per session. Write policy rules that let your agent work freely on safe operations while blocking dangerous ones. Currently supports Claude Code, with more agents planned.

Build scripts & CI

Sandbox make, npm run, or any build command. Restrict it to the source tree and deny network access — so a compromised dependency can't phone home or read your SSH keys.

Untrusted code

Running something you didn't write? Give it read-only access to what it needs and nothing else. Kernel enforcement means it can't escape — even if it tries.

Get started

  1. Install 
    curl -fsSL https://raw.githubusercontent.com/empathic/clash/main/install.sh | bash
    Downloads the latest binary for your platform (Apple Silicon, Linux x86_64, Linux aarch64). On Intel Mac: cargo install clash.
  2. Sandbox a command 
    clash sandbox create mybox --network deny
clash sandbox add-rule mybox ./src --caps read
clash sandbox exec --sandbox mybox --cwd . cat ./src/main.rs
    You just ran a command with kernel-enforced filesystem and network restrictions.
  3. Or hook into your agent 
    clash init
claude
    Every tool call now evaluates against your policy. Use /clash:status to see it working.

Agent support

Clash's policy engine and sandboxes are agent-independent. The integration layer hooks into each agent's plugin system.

Agent Status
Claude Code Supported
Codex CLI Planned
Gemini CLI Planned
OpenCode Planned

Want to bring Clash to another agent? Contributions welcome.