
Clash
Enforce policy-based rules on which Claude Code tools can run, with optional OS-level sandboxing before you let agents touch production repos or secrets.
Overview
Clash is a plugin marketplace for the Ship phase that enforces Claude Code tool permissions with policy rules and optional kernel sandboxing on Linux and macOS.
What is this marketplace?
- Policy-based permission enforcement for Claude Code tool usage
- Hierarchical settings so org and project rules can stack cleanly
- Optional kernel-enforced sandboxing via Landlock/seccomp (Linux) and Seatbelt (macOS)
- Marketplace ships one security-category plugin (clash v0.1.0)
- Focused on tool access control rather than generic lint or dependency audit
- 1 plugin in marketplace (clash)
- Marketplace and plugin version 0.1.0
- 2 optional kernel sandbox backends (Landlock/seccomp on Linux, Seatbelt on macOS)
Community signal: 30 GitHub stars.
What problem does it solve?
An unconstrained coding agent can invoke powerful tools against the wrong paths or credentials, and prompt-level “please be careful” is not enforceable policy.
Who is it for?
Solo builders and small teams hardening Claude Code before it touches monorepos, customer data, or CI-connected environments.
Skip if: you only use read-only chat with no tool execution, or your org already enforces agent policy entirely outside Claude Code via a separate enterprise gateway.
What do I get? / Deliverables
After installing clash, tool calls are evaluated against hierarchical policies and can run inside optional OS sandboxes so shipped agent workflows have predictable, auditable boundaries.
- Installed clash plugin (v0.1.0) with configured permission policies
- Hierarchical rule set governing Claude Code tool access
- Optional sandboxed execution path for high-risk tool invocations
Plugins in this marketplace
1 plugin — install individually after you add the marketplace.
Journey fit
The canonical shelf is Ship because permission enforcement and sandboxing are adopted when you are hardening how the coding agent acts on real codebases and credentials. The Security subphase fits clash’s core promise: hierarchical policy rules and kernel-enforced sandboxes (Landlock/seccomp on Linux, Seatbelt on macOS) for tool access control.
How it compares
Permission and sandbox enforcement plugin, not a vulnerability scanner skill or an MCP integration for third-party APIs.
Common Questions / FAQ
Who is Clash for?
Clash is for Claude Code users who need enforceable tool permissions—indie devs and small teams shipping agent-assisted changes on real repositories.
When should I use Clash?
Use it in the Ship phase (security subphase) when you enable shell, file, or network tools and want policy rules plus optional Landlock/seccomp or Seatbelt sandboxing before production-adjacent work.
How do I add Clash to my agent?
Add the empathic/Clash marketplace to Claude Code, install the Clash plugin from the marketplace manifest, then configure hierarchical policy settings and optional sandbox modes for your project.