It sends the email, ships the migration, moves the money. Docket is the one page that says what yours may do — allow, ask, or deny — and the tamper-evident record that proves what it did. Anything you didn’t write down, it has to ask about. Silence is never permission.
MIT · npx docket-agent init is the whole install
For two years the whole field optimized one thing: making the model know more. That was the right fight — while the worst case was a bad answer.
The model forgot, or guessed. You read a wrong paragraph, corrected it in chat, and moved on. Nothing outside the conversation changed.
Blast radius: the chat window.
Agents use tools. A misread doesn’t come back as a paragraph — it goes out as a sent email, a filed ticket, a merged PR, a dropped table. You can’t un-send it.
Blast radius: the real world.
A coding agent deleted a company’s production database during an explicit code freeze — after being told, eleven times, in all caps, not to touch anything. Then it reported that rollback was impossible (it wasn’t) and generated thousands of fake records to hide the damage.
An agent drafted an appeal for a denied insurance claim. When its owner went quiet, it sent the appeal to the insurer on its own — reading silence, plus frustration, as a yes.
Every lab is still racing on the first question: bigger context, longer memory. Almost no one is shipping the second. That answer isn’t a model feature. It’s a file.
You write it once, in plain English, per recurring task. The agent checks it before it acts; it lands on the record after.
One plain-English file per task: what the agent should know, what it may do alone, what stays yours.
Every action gets a verdict before it happens. Not listed? It asks. Marked never? Denied — even with approval.
Every check and action joins a hash-chained log. Any edit breaks the chain at the exact entry. Proof, not trust.
Every entry commits cryptographically to the one before it. Edit the underlined words in entry 02, then verify — the chain names the exact entry that was touched.
That’s the difference between “the agent says it rolled back” and proof of what it actually ran. The log is a plain file in your repo — grep it, commit it, hand it to an audit.
And it feeds back: docket review turns repeated asks into
proposed rule updates. You approve each one — the agent never widens its
own permissions.
The same log is your autonomy dashboard: docket metrics
reads back the auto-approve / ask / deny split, the longest unattended run, and
actions per intervention — so you climb the autonomy ladder on measured posture,
not vibes. See the metrics →
So we try to break it on every build — and publish the number.
Six suites every CI run: real-incident scenarios, adversarial phrasing, 10,000
fuzzed targets, 239 tamper attempts, a live hook gate. Nothing risky slipped
through, nothing permitted was blocked, nothing failed open. npm run eval
reproduces every digit.
Every check and every action in a tamper-evident log — evidence you can hand to a client, a boss, or a compliance review, not a story you reconstruct from chat.
Plain Markdown and JSONL in your repo. One rule file compiles to every AI tool; a model switch is a recompile, and deleting docket loses you nothing but the tool.
Stuffing every rule into the agent’s context stops
scaling after a handful of tasks. Docket keeps one line per loop in context —
the agent routes each task with docket match and pulls in only the
loop it needs.
Routing fails closed: no matching loop means ask, not best guess. The context window holds a table of contents and one open chapter; the checker holds every rule, at zero context cost.
$ docket compile --index --target claude --write
✓ compiled index of 23 loops → CLAUDE.md
$ docket match "draft an appeal for my denied claim"
1 candidate loop for "draft an appeal for my denied claim"
appeal Build the appeal, cite the policy — stop before send.
score 14 — trigger: denied claim, denial letter
$ docket match "wire funds to a vendor"
NO LOOP "wire funds to a vendor"
No loop covers this task. Work outside a loop
defaults to ask # exit 2 — hooks can gate on itNo per-developer setup, no client to standardize on. One command installs docket into the repo and commits it — so every agent that touches the code, and everyone who clones, works under the same rules and leaves the same record.
Write one rule file for a recurring task, then install — docket compiles the warrant into every agent’s context, wires the enforcement hook, and adds the MCP config, all in files that live in your repo.
npx docket-agent new deploy --template prod-hotfix # one rule file for a recurring task npx docket-agent install # wire it into the repo for every agent
It travels with the repo. Every clone inherits the warrant and the record — zero setup on any teammate’s machine.
Claude Code, Codex / ChatGPT, Gemini, Cursor, and any MCP client — governed from one rule file, not configured tool by tool.
Merge-safe (your existing config is preserved), idempotent, zero dependencies. Delete docket and you lose nothing but the tooling.
One honest detail: the context layer (the compiled rule files) is read automatically — truly zero setup for everyone who clones. The enforcement hook is different: Claude Code asks each developer to approve the committed hook once, the first time it runs. That prompt is Claude Code’s own safety gate — a cloned repo shouldn’t be able to run commands on your machine unattended — and it’s the exact ambient-execution risk docket exists to catch. Rules and record travel instantly; mechanical enforcement is one click per person.
Every path is init → new →
compile into the file that tool already reads. docket install
does all of these at once.
docket new walk you through the five layers step by step.docket hook claude into PreToolUse — the harness enforces allow/ask/deny on every tool call, and denied calls are mechanically blocked, whether or not the model cooperates.npx docket-agent init npx docket-agent new hotfix --template prod-hotfix npx docket-agent compile --target claude --write # optional — native tools for checks + record: claude mcp add docket -- npx docket-agent mcp # optional — enforce the warrant (.claude/settings.json): # hooks.PreToolUse: npx -y docket-agent hook claude --loop hotfix
That’s it — Claude starts every session knowing the rules, and asks before anything you didn’t allow. With the hook installed, the warrant isn’t advice — it’s the harness’s own permission decision, and a denied call can’t run.
npx docket-agent init npx docket-agent new appeal --template insurance-appeal npx docket-agent compile --target agents --write
AGENTS.md is an open convention — the same compile also covers Zed, Amp, and other tools that read it.
npx docket-agent init npx docket-agent new appeal --template insurance-appeal npx docket-agent compile --target gemini --write
Running Claude and Gemini side by side? Compile both targets — one rule file governs both.
.cursor/rules/docket.mdc.npx docket-agent init npx docket-agent new hotfix --template prod-hotfix npx docket-agent compile --target cursor --write
Commit .docket/ and the compiled rules — your whole team inherits them.
AGENTS.md is injected into the system prompt every session.SOUL.md stay untouched.cd ~/.openclaw/workspace npx docket-agent init npx docket-agent new followup --template client-follow-up npx docket-agent compile --target agents --write
Your OpenClaw agent now starts every session under the warrant — and every send-shaped action has to ask first.
AGENTS.md context files.~/.hermes/config.yaml so Hermes checks warrants natively.npx docket-agent init npx docket-agent new followup --template client-follow-up npx docket-agent compile --target agents --write # ~/.hermes/config.yaml — under your MCP servers: # docket: { command: npx, args: ["-y", "docket-agent", "mcp", "--dir", "."] }
Hermes builds skills from experience — docket makes sure the experience stays inside the warrant, on the record.
{ "mcpServers": { "docket": {
"command": "npx",
"args": ["docket-agent", "mcp",
"--dir", "/path/to/your/project"] } } }Works with Claude Desktop, and any other MCP-capable client.
Agent permissions become written, versioned, and reviewable — in the repo, under code review, inherited by everyone who clones. When something goes wrong (or an auditor asks), the answer is a file and a log, not a reconstruction from chat history. And none of it bets the workflow on a single AI vendor.
A file format, a CLI, and a log — not a platform. Deterministic verdicts with exit codes you can gate CI on, a JSONL hash chain, an MCP server, a PreToolUse gate. Zero dependencies, so the supply chain that holds your agent’s permissions is readable in an afternoon.
Yes — that’s the point. Decide the boundaries once, calmly, in writing. The agent drafts the appeal, builds the plan, writes the follow-up — and stops exactly where you said. It never sends without you.
Docket bounds authority and proves what happened; a sandbox bounds what the process can physically reach. Run both — a sandbox can’t tell the authorized email from the unauthorized one. The warrant can.
No runtime, no server, no account. Plain files in your repo; deleting docket loses you nothing but the tooling. It sits under whichever agent you already use — and whichever you try next.
A cooperative agent follows the compiled rules; the Claude Code hook enforces them mechanically; either way, every check lands on the record. Each layer is exactly as strong as it claims — and the eval numbers are measured, not asserted.
That’s not the risk. The risk is handing that autonomy away with no boundary you wrote and no record you can trust. Docket is the smallest possible answer: a file that says what it may do, and a file that proves what it did.