sasy-guard — Policy-compiled security for Claude Code
sasy-guard is a security guard for Claude Code, built on
policy-compiler ideas. It compiles your policy into Soufflé
Datalog rules and reasons over a dependency graph rebuilt from the
whole session, so every tool call is judged by a fast, deterministic
engine running outside the model.
That catches multi-step attacks a single-command check misses: a secret
that is read and later leaves the machine, a git push with no clean
secret scan, a large unreviewed change about to ship.
Install
Section titled “Install”# 1. install the runtimeuv tool install sasy-guardsasy-guard install
# 2a. enable it globally, for every Claude Code session:claude plugin marketplace add sasy-labs/sasy-democlaude plugin install sasy-guard
# 2b. ...or enable it for one project only:cd your-project && sasy-guard enable