Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 15 additions & 12 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -145,19 +145,22 @@ repo:
Cursor rules are read automatically at the start of every session — Claude
Code, Codex/ChatGPT, Gemini, Cursor, any MCP client, **zero setup on anyone's
end.**
- **Enforcement, mechanical.** A Claude Code PreToolUse hook in
`.claude/settings.json` gates tool calls through the warrant (deny blocks,
ask prompts, allow is silent), and `.mcp.json` gives any MCP client the
native tools. The hook routes by content and stays out of the way when no
loop claims a call (pass-through); pin one loop with `--loop`, or `--strict`
to ask on anything uncovered.

It's merge-safe (your existing `settings.json` hooks and MCP servers are
preserved), idempotent (add a loop, re-run, the context refreshes), and
- **Enforcement, mechanical** *(one-time approval per developer).* A Claude
Code PreToolUse hook in `.claude/settings.json` gates tool calls through the
warrant (deny blocks, ask prompts, allow is silent), and `.mcp.json` gives
any MCP client the native tools. The hook routes by content and stays out of
the way when no loop claims a call (pass-through); pin one loop with
`--loop`, or `--strict` to ask on anything uncovered.

The two layers set up different expectations, and it's worth being precise:
the **context** travels instantly — everyone who clones is under the warrant
with zero setup. The **enforcement hook** asks each developer to approve the
committed hook once, the first time it runs; that prompt is Claude Code's own
safety gate (a cloned repo shouldn't run commands on your machine unattended —
the exact ambient-execution risk docket exists to catch). It's also merge-safe
(existing `settings.json` hooks and MCP servers are preserved), idempotent, and
zero-dependency. Commit `.docket/` and the files above, and the whole team
inherits it on the next `git pull`. Claude Code asks each collaborator to
approve the committed hook once — a cloned repo can't silently run commands,
which is the same ambient-execution risk docket exists to catch.
inherits it on the next `git pull`.

Prefer to wire a single tool by hand? `docket init` → `docket new` →
`docket compile --target <tool> --write` does one target at a time; the
Expand Down
9 changes: 9 additions & 0 deletions docs/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -425,6 +425,8 @@
@media (max-width: 760px) { .install-points { grid-template-columns: 1fr; gap: 16px; } }
.install-points .pt { font-size: 11px; font-weight: 700; letter-spacing: 0.1em; text-transform: uppercase; color: var(--red); }
.install-points p { margin-top: 6px; color: var(--mut); font-size: 14.5px; line-height: 1.55; }
.install-note { margin-top: 24px; border-top: 1px solid var(--hair); padding-top: 18px; font-size: 13.5px; line-height: 1.6; color: var(--faint); }
.install-note b { color: var(--mut); font-weight: 700; }
.per-tool-head { margin-top: 68px; display: flex; align-items: baseline; justify-content: space-between; gap: 16px; flex-wrap: wrap; border-top: 1px solid var(--hair); padding-top: 34px; }
.per-tool-head h3 { font-size: 19px; font-weight: 800; letter-spacing: -0.02em; }
.per-tool-head .sub-note { color: var(--faint); font-size: 14px; max-width: 40ch; }
Expand Down Expand Up @@ -763,6 +765,13 @@ <h3>Two commands, and the repo is governed</h3>
dependencies. Delete docket and you lose nothing but the tooling.</p>
</div>
</div>
<p class="install-note"><b>One honest detail:</b> the context layer (the compiled
rule files) is read automatically — truly zero setup for everyone who clones. The
<b>enforcement hook</b> is different: Claude Code asks each developer to approve the
committed hook once, the first time it runs. That prompt is Claude Code’s own safety
gate — a cloned repo shouldn’t be able to run commands on your machine unattended —
and it’s the exact ambient-execution risk docket exists to catch. Rules and record
travel instantly; mechanical enforcement is one click per person.</p>
</div>

<div class="per-tool-head">
Expand Down
Loading