Ask the user what tool invocation they want to understand. Examples:
- "Would `git push` be allowed?"
- "What happens if I try to read ~/.ssh/id_rsa?"
- "Why was my last command denied?"
Run the explain command with the tool type and the command/path:
```bash
$CLASH_BIN explain bash "git push"
$CLASH_BIN explain read "/etc/passwd"
$CLASH_BIN explain write "/tmp/output.txt"
$CLASH_BIN explain edit "src/main.rs"
```
For machine-readable output (useful when chaining with other tools):
```bash
$CLASH_BIN explain bash "git push" --json
```
Parse and present the results clearly:
- Decision — Whether the invocation would be ALLOWED, DENIED, or REQUIRES APPROVAL
- Matched rules — Which rules matched and why
- Skipped rules — Which rules were considered but didn't match
- Sandbox policy — Any sandbox restrictions that apply (for bash commands)
Suggest next steps based on the result:
- If denied and the user wants to allow it: suggest `/clash:allow` or `/clash:edit`
- If allowed and the user wants to restrict it: suggest `/clash:deny` or `/clash:edit`
- To test multiple scenarios: suggest `/clash:test`