Your assistant reads CLAUDE.md and ignores it when it matters. Arai turns the instruction files you already have — CLAUDE.md, AGENTS.md, .cursorrules — into enforcement: prohibitions block the tool call before it runs, and a tamper-evident audit trail proves, per rule, whether the model obeyed. Nothing to rewrite. No new format. One command. Local. Zero cost.
| An instruction file alone | With Arai |
|---|---|
| Advice the model can skip under pressure | Prohibitions deny the tool call at the hook |
| No record of what was ignored | Hash-chained audit log; arai audit --verify |
| You hope it listened | Per-rule obeyed / ignored / unclear verdicts |
| Rewrite your rules into a new policy format | Your existing files are the policy |
Enforcement strength depends on the assistant's integration surface:
Prohibitions deny the tool call at the hook — before the file is written or the command runs.
Rules with never/forbids/must_not can deny the tool call in Claude Code and Grok TUI (the two assistants with native hook support today). always and prefers still advise. Incremental rollout via ARAI_DENY_MODE=off. Cursor, Windsurf and others get advisory enforcement via MCP.
"Never hand-write migrations" fires on Write but not Edit. Editing existing migrations is fine.
tree-sitter scans your codebase. Writing to migrations/ triggers alembic rules even without "alembic" in the file.
"Never push without tests" silences after cargo test runs. Arai remembers what happened this session.
Edit CLAUDE.md and Arai re-scans in the background — the next tool call enforces the new wording, no manual rescan. cd into a monorepo subpackage and matching switches to that project’s rules.
Only fires domain-specific rules. Principles already in your instruction files stay silent.
A tamper-evident record of every firing, correlated with what the model actually did.
Every audit-log line carries prev_hash + hash (SHA-256 over canonical bytes); a per-day sidecar anchors the chain tip. arai audit --verify walks every day-bucket and exits non-zero on any tamper, reorder, or deletion. Owner-only on disk (0700/0600 on Unix; icacls-pinned on Windows). Retention is policy, not accident: arai audit --purge --older=90 sweeps whole day-buckets only, so retained days keep a valid chain.
Every PostToolUse is correlated against its PreToolUse firings. Each rule gets an obeyed, ignored, or unclear verdict. arai audit --outcome=ignored tells you which rules the model keeps flouting; filter to a specific rule with --rule.
arai stats rolls up the audit log into fires / obeyed / ignored / ratio per rule. Now you can answer "is this rule actually working?" — not "is it firing?" The ⚠ flag highlights low-ratio rules with enough volume to mean it.
Every firing carries source file, line, and parser layer. Hook output shows the origin (e.g. [CLAUDE.md:42 layer-1] or [AGENTS.md:42 layer-1]) — no more guessing why a rule fired.
Repeat firings of the same rule in a session emit a compact one-liner instead of re-injecting the full payload. arai stats surfaces a calibrated tokens saved estimate from suppressed repeats plus denied-and-honored mistakes — secondary signal, primary mission stays correctness.
Treat your rule set like code: preview, diff, test, roll out incrementally, let stale rules expire.
arai why "git push --force" replays a hypothetical tool call through the live match pipeline. Read-only. Ship new rules with confidence.
arai lint shows exactly which rules a file produces with their classified intent. Iterate on wording without touching the DB.
arai diff shows what an edit would change in the live rule set — added, removed, moved — before you commit it. Pre-commit-hook fodder via --json.
arai test replays synthetic hook payloads through the live match pipeline. Catch rule behaviour drift before a real session does. CI-friendly JSON output.
arai record turns real firings from the audit log into scenario fixtures. You don’t hand-write regression tests — you capture the ones that matter and pin them.
arai severity alembic block pins one rule to deny while the rest of the set stays in advise. Survives arai scan. Ship the set in advise mode, watch which rules earn the trust, then flip them one at a time.
Annotate a rule with (expires 2026-12-31) or (until 2027-06-30). Arai filters it out after the date automatically — perfect for incident-driven rules that have a shelf life.
arai canonicalize extracts your rules into arai.toml; arai sync writes per-tool instruction files from it — CLAUDE.md, AGENTS.md, .cursorrules stay in lockstep instead of drifting.
Org-wide policy and centralised evidence on your own infrastructure — opt-in, never by default.
Inherit org-wide rules with one directive: arai:extends https://.... Trusted per URL, HTTPS only, cached locally, with @sha256 content pinning and ed25519 signatures. Private policy endpoints work too: arai trust --add <url> --bearer-env VAR sends a bearer token to that exact URL and nowhere else. No policy service — just a markdown file upstream.
arai audit --ship sends day-buckets with their chain heads to your own HTTPS endpoint, so the hash chain verifies server-side too. Resume cursor, idempotent re-ship, bearer auth via env var. Explicit opt-in only — local-first stays the default.
Want the usage signal on your infrastructure? Point [telemetry] endpoint at your own collector — same anonymous events, your retention rules. Opt-outs (ARAI_TELEMETRY=off, DO_NOT_TRACK=1) win regardless. Payload schema documented.
Runs as an MCP server. The agent can register new rules mid-session and Arai enforces them on the next tool call (where supported). arai_recent_decisions lets the agent self-check recent decisions. MCP is the primary integration for Cursor, Windsurf and similar tools (advisory only). Native blocking hooks are currently available in Claude Code and Grok TUI.
The agent-facing MCP server supports an optional shared-secret via ARAI_MCP_AUTH_TOKEN. When set, initialize must present a matching token (constant-time compare) before any tool call succeeds. Open by default for backwards compatibility.
Local-first, fast, verifiable, and embeddable — nothing to monitor, nothing to vendor-onboard.
No network on the hook hot path. Enforcement, audit, compliance verdicts, and stats all run against the local SQLite + JSONL. Works offline, in restricted environments, and during outages — nothing to monitor, nothing to vendor-onboard.
End-to-end per tool call, dominated by binary launch. SQLite lookups on the hook path. No network calls. No LLM calls at runtime.
Downloads verified against SHA-256 checksums.txt on every install path (curl, npm, cargo). arai:extends upstream policy fetches refuse loopback, RFC1918, link-local, cloud metadata, and redirects — and cached upstream files carry a SHA-256 sidecar so an at-rest tamper is detected before the rules reach the parser. MCP-source rules capped per project to bound a malfunctioning agent.
Arai builds as a Rust library alongside the CLI: parser layers, rule store, guardrail matching, audit chain, and hook decisions as a crates.io dependency. Wrappers and IDE integrations consume enforcement directly instead of shelling out.
Classify rules via Claude, Ollama, or any LLM CLI. Or use the built-in sentence transformer.
Arai gives you the evidence trail and the controls your InfoSec / procurement team will ask for. Arai itself is not a certified product — the certification is yours to pursue. The controls are designed to align with the SOC 2 Trust Service Criteria:
icacls-pinned on Windows).arai:extends SSRF-hardened transport plus cache-at-rest signature.prev_hash + hash) so tampering is detected by arai audit --verify; arai audit --ship centralises the trail on your own collector with the chain heads attached, so integrity verifies server-side too.arai audit --purge gives age-based (--older=90) and project-scoped retention sweeps with --dry-run review; whole day-buckets only, so retained days keep a valid chain.arai diff, arai test, arai record, and the synthetic parser-coverage corpus turn rule edits into CI assertions.ARAI_MCP_AUTH_TOKEN); input caps bound a misbehaving agent.Full TSC-mapped feature inventory in the compliance procurement doc.
curl -sSf https://arai.taniwha.ai/install | sh
npm install -g @taniwhaai/arai
cargo install arai
brew install taniwhaai/tap/arai
cd your-project && arai init
Arai is the open-source guardrail core of Kete, Taniwha AI’s runtime reliability platform for AI coding agents. Arai handles per-developer enforcement and audit locally, and ships the self-hosting primitives — private rule sources via authenticated arai:extends, audit shipping to your own collector, a configurable telemetry endpoint — for teams that want to assemble centralisation themselves. Kete is the managed layer on top: rule distribution without running an endpoint, aggregated compliance dashboards across a fleet of developers, semantic enrichment, and impact analysis across callers and transitive dependents. The local audit and verdict pipeline doesn’t change either way. If your instruction files just need enforcing on one machine, Arai is all you need. For the full feature inventory mapped to procurement-review questions, see the compliance inventory.