Enforce AI coding assistant instruction files via Claude Code hooks — or advisory MCP for Cursor and Windsurf. Rules marked never deny the tool call in Claude Code. Every firing is audited and correlated with the action the model actually took. One command. Local. Zero cost.
"Never hand-write migrations" fires on Write but not Edit. Editing existing migrations is fine.
tree-sitter scans your codebase. Writing to migrations/ triggers alembic rules even without "alembic" in the file.
"Never push without tests" silences after cargo test runs. Arai remembers what happened this session.
Rules with never/forbids/must_not emit permissionDecision: "deny" in Claude Code. always and prefers still advise. Incremental rollout via ARAI_DENY_MODE=off. Cursor and Windsurf get advisory enforcement via MCP — no other assistant exposes a deny hook today.
arai severity alembic block pins one rule to deny while the rest of the set stays in advise. Survives arai scan. Ship the set in advise mode, watch which rules earn the trust, then flip them one at a time.
Every PostToolUse is correlated against its PreToolUse firings. Each rule gets an obeyed, ignored, or unclear verdict. arai audit --outcome=ignored tells you which rules the model keeps flouting; filter to a specific rule with --rule.
Every firing carries source file, line, and parser layer. Hook output shows [CLAUDE.md:42 layer-1] — no more guessing why a rule fired.
arai why "git push --force" replays a hypothetical tool call through the live match pipeline. Read-only. Ship new rules with confidence.
Annotate a rule with (expires 2026-12-31) or (until 2027-06-30). Arai filters it out after the date automatically — perfect for incident-driven rules that have a shelf life.
Every firing is appended to a local JSONL you can query. See which rules fire, on which tools, for which prompts. Nothing leaves your machine.
No network on the hook hot path. Enforcement, audit, compliance verdicts, and stats all run against the local SQLite + JSONL. Works offline, in restricted environments, and during outages — nothing to monitor, nothing to vendor-onboard.
Downloads verified against SHA-256 checksums.txt on every install path (curl, npm, cargo). arai:extends upstream policy fetches refuse loopback, RFC1918, link-local, cloud metadata, and redirects. MCP-source rules capped per project to bound a malfunctioning agent.
arai stats rolls up the audit log into fires / obeyed / ignored / ratio per rule. Now you can answer "is this rule actually working?" — not "is it firing?" The ⚠ flag highlights low-ratio rules with enough volume to mean it.
Repeat firings of the same rule in a session emit a compact one-liner instead of re-injecting the full payload. arai stats surfaces a calibrated tokens saved estimate from suppressed repeats plus denied-and-honored mistakes — secondary signal, primary mission stays correctness.
arai test replays synthetic hook payloads through the live match pipeline. Catch rule behaviour drift before a real session does. CI-friendly JSON output.
arai record turns real firings from the audit log into scenario fixtures. You don’t hand-write regression tests — you capture the ones that matter and pin them.
arai lint CLAUDE.md shows exactly which rules a file produces with their classified intent. Iterate on wording without touching the DB.
arai diff CLAUDE.md shows what an edit would change in the live rule set — added, removed, moved — before you commit it. Pre-commit-hook fodder via --json.
Inherit org-wide rules with one directive: arai:extends https://.... Trusted per URL, HTTPS only, cached locally. No policy service — just a markdown file upstream.
Runs as an MCP server. The agent can register new rules mid-session ("never touch /etc", "always run tests first") and Arai enforces them on the next tool call. arai_recent_decisions lets the agent self-check what it was just denied for — no more looping on the same refused action. MCP is also how Cursor and Windsurf integrate: same rule set, advisory only.
Only fires domain-specific rules. Principles already in CLAUDE.md stay silent.
Classify rules via Claude, Ollama, or any LLM CLI. Or use the built-in sentence transformer.
End-to-end per tool call, dominated by binary launch. SQLite lookups on the hook path. No network calls. No LLM calls at runtime.
curl -sSf https://arai.taniwha.ai/install | sh
npm install -g @taniwhaai/arai
cargo install arai
brew install taniwhaai/tap/arai
cd your-project && arai init
Arai is the open-source guardrail core of Kete, Taniwha AI’s runtime reliability platform for AI coding agents. Arai handles per-developer enforcement and audit locally; Kete adds the team layer on top — centralised rule distribution, aggregated compliance dashboards across a fleet of developers, semantic enrichment, and impact analysis across callers and transitive dependents. The local audit and verdict pipeline doesn’t change. If your instruction files just need enforcing on one machine, Arai is all you need. For the full feature inventory mapped to procurement-review questions, see the compliance inventory.