Enforce your AI coding assistant instruction files via hooks. Claude Code and Grok TUI currently provide the strongest support, including the ability to block tool calls for rules marked never. Other tools receive advisory enforcement via MCP. Every firing is audited and correlated with what the model actually did. One command. Local. Zero cost.
Enforcement strength depends on the assistant's integration surface:
"Never hand-write migrations" fires on Write but not Edit. Editing existing migrations is fine.
tree-sitter scans your codebase. Writing to migrations/ triggers alembic rules even without "alembic" in the file.
"Never push without tests" silences after cargo test runs. Arai remembers what happened this session.
Rules with never/forbids/must_not can deny the tool call in Claude Code and Grok TUI (the two assistants with native hook support today). always and prefers still advise. Incremental rollout via ARAI_DENY_MODE=off. Cursor, Windsurf and others get advisory enforcement via MCP.
arai severity alembic block pins one rule to deny while the rest of the set stays in advise. Survives arai scan. Ship the set in advise mode, watch which rules earn the trust, then flip them one at a time.
Every PostToolUse is correlated against its PreToolUse firings. Each rule gets an obeyed, ignored, or unclear verdict. arai audit --outcome=ignored tells you which rules the model keeps flouting; filter to a specific rule with --rule.
Every firing carries source file, line, and parser layer. Hook output shows the origin (e.g. [CLAUDE.md:42 layer-1] or [AGENTS.md:42 layer-1]) — no more guessing why a rule fired.
arai why "git push --force" replays a hypothetical tool call through the live match pipeline. Read-only. Ship new rules with confidence.
Annotate a rule with (expires 2026-12-31) or (until 2027-06-30). Arai filters it out after the date automatically — perfect for incident-driven rules that have a shelf life.
Every firing is appended to a local JSONL you can query. See which rules fire, on which tools, for which prompts. Nothing leaves your machine.
No network on the hook hot path. Enforcement, audit, compliance verdicts, and stats all run against the local SQLite + JSONL. Works offline, in restricted environments, and during outages — nothing to monitor, nothing to vendor-onboard.
Downloads verified against SHA-256 checksums.txt on every install path (curl, npm, cargo). arai:extends upstream policy fetches refuse loopback, RFC1918, link-local, cloud metadata, and redirects — and cached upstream files carry a SHA-256 sidecar so an at-rest tamper is detected before the rules reach the parser. MCP-source rules capped per project to bound a malfunctioning agent.
Every audit-log line carries prev_hash + hash (SHA-256 over canonical bytes); a per-day sidecar anchors the chain tip. arai audit --verify walks every day-bucket and exits non-zero on any tamper, reorder, or deletion. Owner-only on disk (0700/0600 on Unix; icacls-pinned on Windows). Day-buckets are retained indefinitely — bucketing is the segmentation, no auto-prune.
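A sketch of the hash-chain walk described above, as an added example and not Arai's own code. The canonical byte form, the all-zero genesis value, the sidecar holding a bare tip hash, and every field name other than prev_hash and hash are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: prev_hash of the first line in a day-bucket


def canonical(entry):
    """Assumed canonical bytes: sorted keys, no whitespace, 'hash' left out."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append(log, event):
    """Link a new entry to the current tip and seal it with its own hash."""
    entry = dict(event, prev_hash=log[-1]["hash"] if log else GENESIS)
    entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    log.append(entry)


def verify(log, anchored_tip):
    """Walk the chain; anchored_tip is the sidecar's record of the last hash."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev_hash") != prev:
            return False, f"line {i}: chain break (reorder or deletion)"
        if hashlib.sha256(canonical(entry)).hexdigest() != entry.get("hash"):
            return False, f"line {i}: content does not match hash"
        prev = entry["hash"]
    if prev != anchored_tip:
        # The chain alone cannot see a dropped tail; the anchor can.
        return False, "tip does not match sidecar (tail removed)"
    return True, "ok"


def sample_log():
    """Constructed entries; field names other than prev_hash/hash are made up."""
    log = []
    for rule, verdict in [("alembic", "obeyed"), ("force-push", "ignored"),
                          ("alembic", "obeyed")]:
        append(log, {"rule": rule, "outcome": verdict})
    return log, log[-1]["hash"]


if __name__ == "__main__":
    log, tip = sample_log()
    print(verify(log, tip))
    print(verify(log[:-1], tip))        # tail dropped
    log[1]["outcome"] = "obeyed"        # verdict rewritten in place
    print(verify(log, tip))
```

The tail-removal case is why the per-day anchor matters: every remaining line still links correctly, so only the stored tip exposes the missing entries.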
The agent-facing MCP server supports an optional shared-secret via ARAI_MCP_AUTH_TOKEN. When set, initialize must present a matching token (constant-time compare) before any tool call succeeds. Open by default for backwards compatibility.
arai stats rolls up the audit log into fires / obeyed / ignored / ratio per rule. Now you can answer "is this rule actually working?" — not "is it firing?" The ⚠ flag highlights low-ratio rules with enough volume to mean it.
Repeat firings of the same rule in a session emit a compact one-liner instead of re-injecting the full payload. arai stats surfaces a calibrated tokens saved estimate from suppressed repeats plus denied-and-honored mistakes — secondary signal, primary mission stays correctness.
arai test replays synthetic hook payloads through the live match pipeline. Catch rule behaviour drift before a real session does. CI-friendly JSON output.
arai record turns real firings from the audit log into scenario fixtures. You don’t hand-write regression tests — you capture the ones that matter and pin them.
arai lint shows exactly which rules a file produces with their classified intent. Iterate on wording without touching the DB.
arai diff shows what an edit would change in the live rule set — added, removed, moved — before you commit it. Pre-commit-hook fodder via --json.
Inherit org-wide rules with one directive: arai:extends https://.... Trusted per URL, HTTPS only, cached locally. No policy service — just a markdown file upstream.
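The destination checks listed for arai:extends fetches (HTTPS only; refuse loopback, RFC1918, link-local, cloud metadata, and redirects), written out as an added example that is not Arai's implementation. The function names, the metadata address set, and the sample addresses are assumptions, and the resolved addresses are passed in so the check runs offline.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Well-known metadata endpoints (illustrative set, not exhaustive).
METADATA = {ipaddress.ip_address("169.254.169.254"),
            ipaddress.ip_address("fd00:ec2::254")}


def classify(addr):
    """Return why an address is refused, or '' if it is publicly routable."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # unwrap ::ffff:a.b.c.d before testing
    if ip in METADATA:
        return "cloud metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:                    # RFC1918, unique-local, other special ranges
        return "private range"
    return ""


def check_upstream(url, resolved):
    """Return '' if the fetch may proceed, else the refusal reason.

    `resolved` is every address the hostname resolved to. The connection must
    then go to one of these checked addresses, not to a second DNS lookup.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return "HTTPS only"
    if not resolved:
        return "no addresses"
    for addr in resolved:                # one bad record refuses the whole fetch
        reason = classify(addr)
        if reason:
            return f"{addr}: {reason}"
    return ""


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """A 3xx can point at a host that was never checked, so fail instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code,
                                     f"redirect to {newurl} refused", headers, fp)


opener = urllib.request.build_opener(NoRedirect)  # fetch via opener.open()
```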
Runs as an MCP server. The agent can register new rules mid-session and Arai enforces them on the next tool call (where supported). arai_recent_decisions lets the agent self-check recent decisions. MCP is the primary integration for Cursor, Windsurf and similar tools (advisory only). Native blocking hooks are currently available in Claude Code and Grok TUI.
Only fires domain-specific rules. Principles already in your instruction files stay silent.
Classify rules via Claude, Ollama, or any LLM CLI. Or use the built-in sentence transformer.
End-to-end per tool call, dominated by binary launch. SQLite lookups on the hook path. No network calls. No LLM calls at runtime.
Arai gives you the evidence trail and the controls your InfoSec / procurement team will ask for. Arai itself is not a certified product — the certification is yours to pursue. The controls are designed to align with the SOC 2 Trust Service Criteria:
icacls-pinned on Windows).
arai:extends SSRF-hardened transport plus cache-at-rest signature.
prev_hash + hash) so tampering is detected by arai audit --verify.
arai diff, arai test, arai record, and the synthetic parser-coverage corpus turn rule edits into CI assertions.
ARAI_MCP_AUTH_TOKEN); input caps bound a misbehaving agent.
Full TSC-mapped feature inventory in the compliance procurement doc.
curl -sSf https://arai.taniwha.ai/install | sh
npm install -g @taniwhaai/arai
cargo install arai
brew install taniwhaai/tap/arai
cd your-project && arai init
Arai is the open-source guardrail core of Kete, Taniwha AI’s runtime reliability platform for AI coding agents. Arai handles per-developer enforcement and audit locally; Kete adds the team layer on top — centralised rule distribution, aggregated compliance dashboards across a fleet of developers, semantic enrichment, and impact analysis across callers and transitive dependents. The local audit and verdict pipeline doesn’t change. If your instruction files just need enforcing on one machine, Arai is all you need. For the full feature inventory mapped to procurement-review questions, see the compliance inventory.