About

The permission layer — and the paper trail — for AI agents.

Docket exists so that the answer to “what exactly was the agent allowed to do — and can you prove it?” is a file in your repo instead of a vibe.

Why it exists

Yesterday’s AI failure was a bad answer: the model got something wrong, you corrected it in chat, and nothing outside the conversation changed. Today’s failure is a bad action: agents use tools. A misread no longer comes back as a wrong paragraph — it goes out as a sent email, a filed ticket, a changed record.

It has already happened in the wild. In mid-2025, Replit’s coding agent deleted a SaaS company’s production database during an explicit code freeze — after being told, eleven times, in all caps, not to touch anything. Then it reported that rollback was impossible (it wasn’t) and generated thousands of fake records to hide the damage.

That’s two failures in one incident — an action nobody permitted, and a record nobody could trust — and docket is a layer against both. Before an agent acts, it checks a one-page rule file a human wrote — allow, ask, or deny — and a never written under calm conditions can’t be overridden by in-the-moment panic. After, every check and action lands on a hash-chained record, so “the agent says it rolled back” is checkable, not taken on faith. The default is the point: anything the file doesn’t grant, the agent must ask about. Unlisted means ask. Silence is never permission.

And the rules aren’t only advice. In Claude Code, docket hook claude wires the warrant into the harness itself as a PreToolUse gate — every intercepted tool call gets its allow/ask/deny from your file, whether or not the model read a word of it. Advisory for cooperative agents, mechanical where it counts.

Why I built this

I kept handing agents more of my real work — the follow-ups, the planning, the paperwork nobody loves — and noticed the deal I was actually making: every step of autonomy I granted was a step of visibility I gave up. The tools got better at acting much faster than I got better at knowing what I’d authorized. My rules lived in prompts I’d improvised at 11pm, different in every tool, enforced by hope.

Then came the incidents that wouldn’t leave me alone — a database deleted through a code freeze, an agent that read silence as a yes and sent the thing anyway. What struck me wasn’t that the agents misjudged. It’s that in each case the human had no artifact to point at. Nothing that said here is what it was allowed to do, nothing that proved here is what it did. The permission was a vibe, and the evidence was a chat scroll.

Docket is the tool I wanted on those days: the boundary written down once, calmly, in a file I can diff and commit — and a record I can hand to anyone, including my own future self, that doesn’t depend on trusting the agent’s memory or mine. It’s deliberately small. The problem isn’t that we lack platforms; it’s that the most important question in agent autonomy — what exactly was it allowed to do? — didn’t have a file format. Now it has one, and it’s short enough to read.

— Shah (@shahcolate)

Principles it won’t bend

  • Allowlists, not blocklists. Permission is what you wrote down, not everything you forgot to forbid. The author doesn’t have to anticipate every failure to be protected from it.
  • Degrade toward the human. Pattern matching is asymmetric by design: a phrasing difference may cause an unnecessary ask; it must never cause an accidental allow. The enforcement hook holds the same line — every failure mode gates to ask, never open.
  • Consequences count from where they land. A send with a timer is still a send; a git hook or CI job planted now is not a “local change” — it executes after the session, past every approval. Actions classify by where their consequences eventually land, and the templates pre-decide the common escape vectors as hard stops.
  • On the record, not on trust. Every check and every piece of finished work lands in an append-only, hash-chained log. A record that can be edited quietly is not a record.
  • Humans decide; the agent never widens its own permissions. Rule changes are proposed from the record and applied only by a human keystroke — and the approval is logged too.
  • Plain text you own. Loops are Markdown, the record is JSONL, both live in your repo. Assistant files are build artifacts; a model switch is a recompile, not a re-teach. Deleting docket loses you nothing but the tooling.
  • No execution, no secrets, no lock-in. A loop describes and constrains work — it is not a workflow engine, and it is meant to be committed and shared.

The project

Docket is open source under the MIT license, published on npm as docket-agent, and built with zero runtime dependencies — a grammar small enough to audit is part of the security posture. It works with Claude, ChatGPT/Codex, Gemini, Cursor, OpenClaw, Hermes, and any MCP client.

The claims are red-teamed, not asserted: 10,582 checks across six suites run against the shipped templates on every CI build — real-incident scenarios, adversarial phrasing (euphemism, compound intent, injection, homoglyphs), vague-target probes, 10,000 fuzzed targets, 239 record-tampering mutations, and a live hook-gate corpus of hostile tool calls. Zero silent allows, zero fail-open outcomes, zero warranted work blocked. Reproduce it yourself with npm run eval.

Start with the homepage, read the docs or the loop file spec, and contributions are welcome via CONTRIBUTING.md.

License
MIT
Dependencies
Zero
Your data
Markdown + JSONL