You can go from zero to production-grade AI agent safety in under five minutes with SafeClaw by Authensor. This guide walks you through installation, your first deny-by-default policy, simulation testing, and enforcement activation. By the end, your agent will have action-level gating, hash-chained audit trails, and a security posture that most teams take weeks to build. Start with npx @authensor/safeclaw.
Minute 1: Install
SafeClaw has zero external dependencies. Installation is a single command:
npx @authensor/safeclaw
That is it. No API keys, no cloud account, no configuration service. SafeClaw runs entirely locally.
Minute 2: Initialize and Observe
Before writing policies, observe what your agent actually does. Initialize SafeClaw in simulation mode:
const safeclaw = require('@authensor/safeclaw');
safeclaw.init({
  mode: 'simulation',
  audit: true
});
Wrap your agent's action execution with SafeClaw:
// Before: agent executes actions directly
// await executeAction(action);
// After: SafeClaw evaluates the action first
const decision = await safeclaw.evaluate(action);
// In simulation mode, this logs but does not block
await executeAction(action);
Run your agent through a few typical tasks. SafeClaw logs every action the agent attempts.
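Concretely, the observation pass can look something like the sketch below. getNextAction and executeAction are hypothetical stand-ins for your agent's own loop; only evaluate comes from the SafeClaw API shown above:

// Hypothetical agent loop: getNextAction and executeAction stand in
// for your framework's action-proposal and execution functions.
async function observeAgent(task) {
  let action;
  while ((action = await getNextAction(task)) !== null) {
    // Records the would-be decision in the audit log; simulation
    // mode never blocks, so execution proceeds unchanged.
    await safeclaw.evaluate(action);
    await executeAction(action);
  }
}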
Minute 3: Write Your First Policy
Review the simulation log to see what your agent does. Then write a deny-by-default policy that allows only what is needed:
# safeclaw-policy.yaml
version: 1
defaultEffect: deny
rules:
  # Allow reading project files
  - action: "file:read"
    path: "/project/**"
    effect: "allow"
  # Allow writing to source directory
  - action: "file:write"
    path: "/project/src/**"
    effect: "allow"
  # Allow running tests
  - action: "shell:execute"
    command: "npm test"
    effect: "allow"
  # Allow running the build
  - action: "shell:execute"
    command: "npm run build"
    effect: "allow"
# Everything else is denied by default
This policy lets your agent read project files, write to the source directory, and run tests and builds. It blocks everything else: file deletions, credential access, arbitrary shell commands, network requests, and any action you did not explicitly permit.
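To make this concrete, here is roughly how evaluation plays out against the policy above, assuming action objects carry the type and path fields the rules match on (the exact action shape depends on your integration):

// Matches the file:read rule for /project/**
const readDecision = await safeclaw.evaluate({
  type: 'file:read',
  path: '/project/README.md'
});
// readDecision.effect === 'allow'

// No rule matches file:delete, so defaultEffect (deny) applies
const deleteDecision = await safeclaw.evaluate({
  type: 'file:delete',
  path: '/project/src/old.js'
});
// deleteDecision.effect === 'deny'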
Minute 4: Test Your Policy
Apply the policy in simulation mode to validate it:
safeclaw.init({
  mode: 'simulation',
  policy: './safeclaw-policy.yaml',
  audit: true
});
Run your agent again. Check the simulation log:
- Actions marked "would allow" are working correctly
- Actions marked "would deny" need review. If the action is legitimate, add an allow rule. If it is not, the deny is correct.
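For example, if the log shows a legitimate "would deny" for reads outside /project, extend the policy with another allow rule. The /shared/docs path here is purely illustrative:

  # Hypothetical: the agent legitimately reads shared docs outside /project
  - action: "file:read"
    path: "/shared/docs/**"
    effect: "allow"

Re-run in simulation mode after each change until no legitimate action shows up as "would deny".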
Minute 5: Enable Enforcement
Switch to enforcement mode:
safeclaw.init({
  mode: 'enforce',
  policy: './safeclaw-policy.yaml',
  audit: true
});
Now update your agent's action execution to respect SafeClaw's decisions:
const decision = await safeclaw.evaluate(action);
if (decision.effect === 'allow') {
  await executeAction(action);
} else if (decision.effect === 'approve') {
  // Wait for human approval
  const approved = await safeclaw.waitForApproval(decision);
  if (approved) await executeAction(action);
} else {
  // Action denied - log and skip
  console.log(`Blocked: ${action.type} - ${decision.reason}`);
}
Your agent is now running with deny-by-default action gating. Every action is evaluated against your policy before execution. Every decision is recorded in a hash-chained audit trail.
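If your agent executes actions in several places, one option is to centralize the pattern above in a small helper. This sketch simply repackages the calls already shown; executeAction remains your own function:

async function guardedExecute(action) {
  const decision = await safeclaw.evaluate(action);
  if (decision.effect === 'allow') {
    return executeAction(action);
  }
  if (decision.effect === 'approve') {
    // Block until a human approves or rejects the action
    const approved = await safeclaw.waitForApproval(decision);
    if (approved) return executeAction(action);
  }
  // Denied, or approval was rejected - log and skip
  console.log(`Blocked: ${action.type} - ${decision.reason}`);
  return null;
}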
What You Now Have
After five minutes, your agent has:
- Deny-by-default action gating that blocks unauthorized actions before they execute
- Hash-chained audit trail that provides tamper-evident records of every action
- Declarative policy that is version-controllable, reviewable, and testable
- Provider-agnostic safety that works with Claude, OpenAI, or any model
- 446 tests backing the policy engine that protects your agent
Next Steps
Now that the foundation is in place, enhance your setup:
Add human approval for sensitive actions:
- action: "shell:execute"
  command: "git push*"
  effect: "approve"
Add budget controls:
safeclaw.init({
  mode: 'enforce',
  policy: './safeclaw-policy.yaml',
  audit: true,
  budget: {
    maxActionsPerHour: 100,
    maxTokensPerSession: 50000
  }
});
Enable notifications:
safeclaw.notifications({
  onDeny: { webhook: 'https://your-webhook-url' },
  onApprovalRequired: { webhook: 'https://your-webhook-url' }
});
Set up the monitoring dashboard:
safeclaw.dashboard({ port: 3001 });
Common First-Timer Questions
Can I add more rules later? Yes. Policies are YAML files. Add rules, test in simulation mode, then enforce. This is an iterative process.
What if my agent needs different permissions for different tasks? Create multiple policies and load the appropriate one based on context, or use SafeClaw's per-agent policy isolation.
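A minimal version of the first approach, using only the init call shown earlier (the task names and policy file paths are illustrative):

// Hypothetical task-to-policy mapping; file names are illustrative
const policyForTask = {
  'code-review': './policies/read-only.yaml',
  'refactor': './policies/read-write.yaml'
};

function initForTask(taskType) {
  safeclaw.init({
    mode: 'enforce',
    policy: policyForTask[taskType] || './safeclaw-policy.yaml',
    audit: true
  });
}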
Does this work with my framework? SafeClaw works with LangChain, CrewAI, Claude Agent SDK, OpenAI Assistants, Vercel AI SDK, and custom frameworks. It wraps the action execution layer, which every framework has.
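As a rough sketch of what wrapping that layer looks like, where runTool stands in for whatever tool-execution function your framework exposes (this simplified version handles only allow/deny, not approvals):

// runTool is a placeholder for your framework's tool-execution function
function withSafeClaw(runTool) {
  return async (action) => {
    const decision = await safeclaw.evaluate(action);
    if (decision.effect !== 'allow') {
      throw new Error(`SafeClaw blocked ${action.type}: ${decision.reason}`);
    }
    return runTool(action);
  };
}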
Is this really free? Yes. MIT licensed, open source, zero dependencies, no cloud service. SafeClaw is free to use commercially without restriction.
Related reading:
- The Complete Guide to AI Agent Safety (2026)
- SafeClaw Features: Everything You Get Out of the Box
- Migration Guide: Adding SafeClaw to an Existing AI Agent
- How to Switch from Allow-by-Default to Deny-by-Default
- AI Agent Safety Glossary: Every Term You Need to Know
Try SafeClaw
Action-level gating for AI agents. Set it up in your terminal in 60 seconds.
$ npx @authensor/safeclaw