clash
Be an agentic engineer, not an agent babysitter.
You define the capabilities. Clash enforces them. Your agent never sees a choice.
Claude interrupts us constantly asking whether it's okay to run some command.
This is why --dangerously-skip-permissions is so powerful: we can achieve so
much more per unit prompt.
Every tool call your agent makes requires a decision. Right now, that decision is yours - every single time or not at all.
Think of Clash as a new --safely-skip-permissions flag. A way to choose how
to run anything safely, not just whether Claude can run it as you.
Clash intercepts every tool call Claude makes and runs it through your policy — before anything executes.
Match
Every tool call is pattern-matched against your policy — commands, arguments, file paths, network targets. No AI judgment. Same input, same result, every time.
Decide
The most specific matching rule determines the effect. Allow runs silently. Ask prompts you. Deny blocks invisibly — Claude never knows the capability existed.
Sandbox
The action executes inside an OS-level sandbox. File access, network scope, and process boundaries are enforced by the kernel, not by convention.
Get started with Clash for Claude
Install:
curl -fsSL https://raw.githubusercontent.com/empathic/clash/main/install.sh | bash
Initialize:
clash init
Run w/ Claude:
claude
Three commands. One binary, one policy file, full enforcement. See the Quick Start for details.
Agent support
| Agent | Status |
|---|---|
| Claude Code | Supported |
| Gemini CLI | Protocol ready |
| Codex CLI | Protocol ready |
| Amazon Q CLI | Protocol ready |
| OpenCode | Protocol ready |
| Copilot CLI | Protocol ready |
Use clash init --agent <name> to set up any supported agent. Contributions welcome.