Quick Start
From zero to enforced policy in three steps.
1. Install
curl -fsSL https://raw.githubusercontent.com/empathic/clash/main/install.sh | bash
On Intel Mac, use cargo install clash instead.
2. Initialize
clash init
This creates a policy file at ~/.clash/policy.star, installs the Claude Code plugin, and configures permissions so Clash is the sole decision-maker.
To skip the wizard and use sensible defaults:
clash init --quick
3. Use it
claude
Every tool call now passes through your policy. Check that it's working:
clash status
To see which rule matches a specific command:
clash explain bash "git push"
What you get out of the box
The default policy:
- allow file reads and writes within your project directory
- allow all command execution inside a sandbox
- deny git push --force, git push --force-with-lease, git reset --hard
- ask for network access (WebFetch, WebSearch)
- ask for everything else not covered by a rule
Customize it
Open your policy in your editor:
clash policy edit --raw
Or use the CLI to add rules directly:
# allow cargo commands
clash policy allow "cargo build"
clash policy allow "cargo test"
# block dangerous operations
clash policy deny "rm -rf"
# check what you've got
clash policy list
Format your policy file:
clash fmt
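To confirm that the default deny rules and your later edits behave as intended, this added example (not part of the Clash project) snapshots what clash explain reports for a fixed set of commands and diffs snapshots taken before and after a policy change. It assumes clash explain prints the same text for an unchanged policy; the function names, variable name and file names are hypothetical.

```shell
#!/bin/sh
# Added example: regression-check a Clash policy with `clash explain`.
# Assumption: `clash explain bash "<cmd>"` (shown in step 3) prints the same
# text for the same policy, so a diff between snapshots means the policy changed.

# Commands to probe, one per line: the default deny list from this page,
# plain `git push`, and the commands used in the "Customize it" rules.
PROBE_COMMANDS='git push
git push --force
git push --force-with-lease
git reset --hard
rm -rf
cargo build'

# snapshot_policy OUTFILE
# Writes a header plus the `clash explain` output for each probe command.
# Returns 1 if any `clash explain` call failed, 0 otherwise.
snapshot_policy() {
  out=$1
  rc=0
  : > "$out"
  while IFS= read -r cmd; do
    printf '== %s ==\n' "$cmd" >> "$out"
    # </dev/null keeps clash from consuming the loop's input.
    if ! clash explain bash "$cmd" >> "$out" 2>&1 </dev/null; then
      printf '(clash explain failed)\n' >> "$out"
      rc=1
    fi
  done <<EOF
$PROBE_COMMANDS
EOF
  return "$rc"
}

# policy_drift BEFORE AFTER
# Exit status 0 if both snapshots match; 1 (and a unified diff) if they differ.
policy_drift() {
  diff -u "$1" "$2"
}

# Usage (file names are placeholders):
#   snapshot_policy before.txt
#   clash policy deny "rm -rf"
#   snapshot_policy after.txt
#   policy_drift before.txt after.txt
```

Review the diff after every policy edit: an unexpected change in the explanation for a command you did not mean to touch is the signal to look for.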