Metadata-Version: 2.4
Name: sasy-guard
Version: 0.1.4
Summary: SASY policy enforcement runtime for Claude Code (engine + daemon + native hook)
Project-URL: Homepage, https://github.com/sasy-labs/sasy-demo
Author: SASY Labs
License: Apache-2.0
Keywords: claude-code,datalog,enforcement,policy,security
Requires-Python: >=3.9
Description-Content-Type: text/markdown

# sasy-guard

The **SASY policy-enforcement runtime for Claude Code**, distributed as a
platform-specific wheel. `uv tool install sasy-guard` puts the prebuilt binaries
on your machine — no need to clone the SASY repo or install a build toolchain.

This is the *runtime* (the binaries you run), distinct from the
[`sasy`](https://pypi.org/project/sasy/) package, which is the pure-Python
*SDK* (a client library you import).

## What's inside

The wheel for your OS/arch vendors three binaries:

- `sasy` — the (restricted) policy engine
- `sasy-watch` — the enforcement daemon: reconstructs the message-dependency
  graph from Claude Code's transcript and runs the policy check
- `sasy-hook` — the native, fail-closed `PreToolUse` hook (~2 ms)

plus the policy profiles and the SessionStart/PostToolUse/SessionEnd scripts.

## Install & enable

```bash
uv tool install sasy-guard                          # 1. the runtime (binaries vendored)
sasy-guard install                                  # 2. binaries → ~/.sasy/bin + policy config
claude plugin marketplace add sasy-labs/sasy-demo   # 3. add the marketplace
claude plugin install sasy-guard                    #    install the hooks (standard way)
```

Then run `claude` — every tool call is checked against the `security` policy;
denials surface a `[SASY] …` reason the agent relays.

- Select rule groups: `sasy-guard install --rule-off a,b` (drop) / `--rule-on a,b` (opt-in).
- Inspect the install: `sasy-guard doctor`.
- No-marketplace alternative: `sasy-guard enable [project]` writes the hooks
  straight into `<project>/.claude/settings.json` instead.
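
One way to confirm that the `sasy-guard enable [project]` path left every tool call covered: audit `<project>/.claude/settings.json` for a `PreToolUse` hook that invokes `sasy-hook` with a catch-all matcher. This is an added example, not sasy-guard's own code; it assumes the registered hook command contains the string `sasy-hook` and that the file uses Claude Code's standard `hooks` layout, and the sample documents are constructed.

```python
import json

HOOK_BINARY = "sasy-hook"  # assumption: the hook command contains this binary name

# Constructed samples of <project>/.claude/settings.json (not real sasy-guard output).
SAMPLE_OK = (
    '{"hooks": {"PreToolUse": [{"matcher": "*", "hooks": '
    '[{"type": "command", "command": "~/.sasy/bin/sasy-hook"}]}]}}')
SAMPLE_NARROW = SAMPLE_OK.replace('"*"', '"Bash"')
SAMPLE_MISSING = '{"hooks": {"PostToolUse": []}}'


def matches_all_tools(matcher):
    # Claude Code treats an omitted or empty matcher, or "*", as every tool.
    # Any other pattern (regexes included) is reported for manual review.
    return matcher in (None, "", "*")


def audit_settings(text):
    """Return findings; an empty list means every tool call reaches sasy-hook."""
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["settings.json is not valid JSON: " + exc.msg]
    if not isinstance(settings, dict):
        return ["settings.json top level is not an object"]
    hooks = settings.get("hooks")
    groups = hooks.get("PreToolUse") if isinstance(hooks, dict) else None
    guarded = []  # matchers of the hook groups that invoke sasy-hook
    for group in groups if isinstance(groups, list) else []:
        if not isinstance(group, dict):
            continue
        commands = [str(h.get("command", "")) for h in group.get("hooks") or []
                    if isinstance(h, dict) and h.get("type") == "command"]
        if any(HOOK_BINARY in c for c in commands):
            guarded.append(group.get("matcher"))
    if not guarded:
        return ["no PreToolUse hook runs sasy-hook: tool calls are not checked"]
    if not any(matches_all_tools(m) for m in guarded):
        return ["sasy-hook is limited to matcher(s) %s: other tools may skip the check"
                % ", ".join(sorted(map(str, guarded)))]
    return []


if __name__ == "__main__":
    for name, doc in [("ok", SAMPLE_OK), ("narrow", SAMPLE_NARROW), ("missing", SAMPLE_MISSING)]:
        print(name, audit_settings(doc) or "covered")
```

To audit a real project, pass the contents of its `.claude/settings.json` to `audit_settings`; hooks installed through the plugin marketplace are registered by the plugin and are not visible in that file.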

## Building (maintainers)

Wheels are built per platform by CI and assembled with `build-wheel.sh`, which
injects the binaries, syncs the profiles/scripts from `plugins/sasy-guard`, and
retags the wheel for the current platform. See `make sasy-guard-wheel` and
`make sasy-guard-publish`.
