diff --git a/README.md b/README.md index fdcc2be..f543622 100644 --- a/README.md +++ b/README.md @@ -145,19 +145,22 @@ repo: Cursor rules are read automatically at the start of every session — Claude Code, Codex/ChatGPT, Gemini, Cursor, any MCP client, **zero setup on anyone's end.** -- **Enforcement, mechanical.** A Claude Code PreToolUse hook in - `.claude/settings.json` gates tool calls through the warrant (deny blocks, - ask prompts, allow is silent), and `.mcp.json` gives any MCP client the - native tools. The hook routes by content and stays out of the way when no - loop claims a call (pass-through); pin one loop with `--loop`, or `--strict` - to ask on anything uncovered. - -It's merge-safe (your existing `settings.json` hooks and MCP servers are -preserved), idempotent (add a loop, re-run, the context refreshes), and +- **Enforcement, mechanical** *(one-time approval per developer).* A Claude + Code PreToolUse hook in `.claude/settings.json` gates tool calls through the + warrant (deny blocks, ask prompts, allow is silent), and `.mcp.json` gives + any MCP client the native tools. The hook routes by content and stays out of + the way when no loop claims a call (pass-through); pin one loop with + `--loop`, or `--strict` to ask on anything uncovered. + +The two layers set up different expectations, and it's worth being precise: +the **context** travels instantly — everyone who clones is under the warrant +with zero setup. The **enforcement hook** asks each developer to approve the +committed hook once, the first time it runs; that prompt is Claude Code's own +safety gate (a cloned repo shouldn't run commands on your machine unattended — +the exact ambient-execution risk docket exists to catch). It's also merge-safe +(existing `settings.json` hooks and MCP servers are preserved), idempotent, and zero-dependency. Commit `.docket/` and the files above, and the whole team -inherits it on the next `git pull`. Claude Code asks each collaborator to -approve the committed hook once — a cloned repo can't silently run commands, -which is the same ambient-execution risk docket exists to catch. +inherits it on the next `git pull`. Prefer to wire a single tool by hand? `docket init` → `docket new` → `docket compile --target --write` does one target at a time; the diff --git a/docs/index.html b/docs/index.html index d2d4ef4..78a340d 100644 --- a/docs/index.html +++ b/docs/index.html @@ -425,6 +425,8 @@ @media (max-width: 760px) { .install-points { grid-template-columns: 1fr; gap: 16px; } } .install-points .pt { font-size: 11px; font-weight: 700; letter-spacing: 0.1em; text-transform: uppercase; color: var(--red); } .install-points p { margin-top: 6px; color: var(--mut); font-size: 14.5px; line-height: 1.55; } +.install-note { margin-top: 24px; border-top: 1px solid var(--hair); padding-top: 18px; font-size: 13.5px; line-height: 1.6; color: var(--faint); } +.install-note b { color: var(--mut); font-weight: 700; } .per-tool-head { margin-top: 68px; display: flex; align-items: baseline; justify-content: space-between; gap: 16px; flex-wrap: wrap; border-top: 1px solid var(--hair); padding-top: 34px; } .per-tool-head h3 { font-size: 19px; font-weight: 800; letter-spacing: -0.02em; } .per-tool-head .sub-note { color: var(--faint); font-size: 14px; max-width: 40ch; } @@ -763,6 +765,13 @@

Two commands, and the repo is governed

dependencies. Delete docket and you lose nothing but the tooling.

+

One honest detail: the context layer (the compiled + rule files) is read automatically — truly zero setup for everyone who clones. The + enforcement hook is different: Claude Code asks each developer to approve the + committed hook once, the first time it runs. That prompt is Claude Code’s own safety + gate — a cloned repo shouldn’t be able to run commands on your machine unattended — + and it’s the exact ambient-execution risk docket exists to catch. Rules and record + travel instantly; mechanical enforcement is one click per person.