Security Layer
CLI commands

check

Standalone policy check for shell shims.

Evaluates a command against the security policy without executing it. Used internally by shell shims, but also useful for testing.

Usage

sl check --command "<cmd>" [--tool <type>] [--caller <name>] [--format json|text]

Flags

FlagDefaultDescription
--command <cmd>(required)The command to evaluate
--tool <type>execTool type being checked
--caller <name>(auto-detected)Caller identity — auto-detected from environment if not provided
--format json|texttextOutput format

Text output

ALLOW — capability granted, no rules matched

JSON output

{
  "decision": "ALLOW",
  "reason": "capability granted, no rules matched",
  "caller": "claude-code",
  "taint": "OWNER",
  "timing": { "total": 12 }
}

In learning mode, blocked actions are allowed with additional context:

{
  "decision": "ALLOW",
  "original_decision": "DENY",
  "learning_mode": true,
  "reason": "known dangerous pattern: rm -rf /",
  "timing": { "total": 8 }
}

Exit codes

CodeMeaning
0ALLOW (or learning mode override)
1DENY or error
2REQUIRE_APPROVAL

See also

  • hook — Hook handler for Claude Code integration
  • Shell shim — How shell shims use check

status

Show the security status dashboard.

hook

Hook handler called by AI tool integrations.

On this page

UsageFlagsText outputJSON outputExit codesSee also