From 773a2046149ee272efffcc2aadba19464272d7b7 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 4 Jul 2026 20:29:19 +0000
Subject: [PATCH] Make the hook trust trade-off explicit on the install card
and in the README
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The context layer is truly zero-setup for anyone who clones, but the
enforcement hook asks each developer to approve it once (Claude Code's own
safety gate). State that plainly so an enterprise evaluator isn't surprised —
and frame it as the feature it is: a cloned repo shouldn't run commands
unattended, which is the exact ambient-execution risk docket exists to catch.
- Site: an "One honest detail" note at the foot of the install card,
separating "rules and record travel instantly" from "mechanical
enforcement is one click per person."
- README: the enforcement bullet is now tagged "(one-time approval per
developer)" with the same precise two-layer explanation.
Docs-only; 118 tests green.
Co-Authored-By: Claude Fable 5
Claude-Session: https://claude.ai/code/session_01Uc3rGARtDBoXkqMFgppaP4
---
README.md | 27 +++++++++++++++------------
docs/index.html | 9 +++++++++
2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index fdcc2be..f543622 100644
--- a/README.md
+++ b/README.md
@@ -145,19 +145,22 @@ repo:
Cursor rules are read automatically at the start of every session — Claude
Code, Codex/ChatGPT, Gemini, Cursor, any MCP client, **zero setup on anyone's
end.**
-- **Enforcement, mechanical.** A Claude Code PreToolUse hook in
- `.claude/settings.json` gates tool calls through the warrant (deny blocks,
- ask prompts, allow is silent), and `.mcp.json` gives any MCP client the
- native tools. The hook routes by content and stays out of the way when no
- loop claims a call (pass-through); pin one loop with `--loop`, or `--strict`
- to ask on anything uncovered.
-
-It's merge-safe (your existing `settings.json` hooks and MCP servers are
-preserved), idempotent (add a loop, re-run, the context refreshes), and
+- **Enforcement, mechanical** *(one-time approval per developer).* A Claude
+ Code PreToolUse hook in `.claude/settings.json` gates tool calls through the
+ warrant (deny blocks, ask prompts, allow is silent), and `.mcp.json` gives
+ any MCP client the native tools. The hook routes by content and stays out of
+ the way when no loop claims a call (pass-through); pin one loop with
+ `--loop`, or `--strict` to ask on anything uncovered.
+
+The two layers set up different expectations, and it's worth being precise:
+the **context** travels instantly — everyone who clones is under the warrant
+with zero setup. The **enforcement hook** asks each developer to approve the
+committed hook once, the first time it runs; that prompt is Claude Code's own
+safety gate (a cloned repo shouldn't run commands on your machine unattended —
+the exact ambient-execution risk docket exists to catch). It's also merge-safe
+(existing `settings.json` hooks and MCP servers are preserved), idempotent, and
zero-dependency. Commit `.docket/` and the files above, and the whole team
-inherits it on the next `git pull`. Claude Code asks each collaborator to
-approve the committed hook once — a cloned repo can't silently run commands,
-which is the same ambient-execution risk docket exists to catch.
+inherits it on the next `git pull`.
Prefer to wire a single tool by hand? `docket init` → `docket new` →
`docket compile --target --write` does one target at a time; the
diff --git a/docs/index.html b/docs/index.html
index d2d4ef4..78a340d 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -425,6 +425,8 @@
@media (max-width: 760px) { .install-points { grid-template-columns: 1fr; gap: 16px; } }
.install-points .pt { font-size: 11px; font-weight: 700; letter-spacing: 0.1em; text-transform: uppercase; color: var(--red); }
.install-points p { margin-top: 6px; color: var(--mut); font-size: 14.5px; line-height: 1.55; }
+.install-note { margin-top: 24px; border-top: 1px solid var(--hair); padding-top: 18px; font-size: 13.5px; line-height: 1.6; color: var(--faint); }
+.install-note b { color: var(--mut); font-weight: 700; }
.per-tool-head { margin-top: 68px; display: flex; align-items: baseline; justify-content: space-between; gap: 16px; flex-wrap: wrap; border-top: 1px solid var(--hair); padding-top: 34px; }
.per-tool-head h3 { font-size: 19px; font-weight: 800; letter-spacing: -0.02em; }
.per-tool-head .sub-note { color: var(--faint); font-size: 14px; max-width: 40ch; }
@@ -763,6 +765,13 @@ Two commands, and the repo is governed
dependencies. Delete docket and you lose nothing but the tooling.
+ One honest detail: the context layer (the compiled
+ rule files) is read automatically — truly zero setup for everyone who clones. The
+ enforcement hook is different: Claude Code asks each developer to approve the
+ committed hook once, the first time it runs. That prompt is Claude Code’s own safety
+ gate — a cloned repo shouldn’t be able to run commands on your machine unattended —
+ and it’s the exact ambient-execution risk docket exists to catch. Rules and record
+ travel instantly; mechanical enforcement is one click per person.