Help the user add a deny rule to their clash policy.
Steps
- •
Determine the rule from the conversation context. Consider what the user wants to block:
- •Example:
deny bash git push*(block git push) - •Example:
deny bash sudo *(block sudo commands) - •Example:
deny * *with--fs "write+delete:subpath(~/important)"(block writes to a directory) - •If unsure, ask the user what they want to deny.
- •Example:
- •
Confirm with the user before making any changes:
- •Show the exact rule that will be added
- •Show which profile it will be added to (the active profile by default)
- •Explain what the rule means in plain English
- •Remind the user that deny always wins — this rule will block the action even if a constrained allow or ask rule also matches
- •
Dry-run first to preview the change:
bash$CLASH_BIN policy add-rule "RULE" --dry-run
Show the output to the user.
- •
Get confirmation, then apply:
bash$CLASH_BIN policy add-rule "RULE"
- •
Report success and explain that the deny rule is now active.
Safety guidelines
- •Always dry-run first and show the result before applying
- •Explain that deny rules always take precedence, regardless of constraint specificity
- •Warn if the deny rule is very broad (e.g.,
deny bash *ordeny * *) as it may block legitimate operations - •Suggest using
askinstead ofdenyif the user might want to approve the action on a case-by-case basis