Security Layer
CLI commands

policy check

Dry-run policy simulation

Simulates policy evaluation for a command without executing it. Shows the full evaluation results from all layers.

Usage

sl policy check "<cmd>" [--session <name>]

Flags

FlagDefaultDescription
--command <cmd>(positional)The command to simulate
--session <name>claude-codeSession to evaluate against

Output

The command displays:

  • Input — Command, session, taint level, current working directory
  • Layer results — Capability gate, rules engine, LLM judge, risk score
  • Timing — Breakdown of time spent in each layer
  • Final decisionALLOW, DENY, or REQUIRE_APPROVAL

Example

$ sl policy check "rm -rf /"

  Command:  rm -rf /
  Session:  claude-code
  Taint:    OWNER
  CWD:      /home/user/project

  Layer Results:
    Capability gate: ALLOW (exec granted)
    Rules:           DENY (recursive delete of root)
    LLM judge:       DANGEROUS (confidence: 0.95)
    Risk score:      1.0

  Timing:
    Total:      45ms
    Capability: 0ms
    Rules:      2ms
    LLM:        43ms

  Decision: DENY

Exit codes

CodeMeaning
0Always exits successfully

See also

learn

Enable learning/monitor mode.

capabilities

Display capability grants for sessions, channels, and skills.

On this page

UsageFlagsOutputExampleExit codesSee also