@hiro-c/agent-gate 1.0.0

package/AGENTS.md

@@ -0,0 +1,76 @@
+# AGENTS.md for agent-gate
+
+This file is read by any AI coding agent working on this repo, including
+Claude Code, Cursor, Cline, and Aider. It is the project's vendor-neutral
+instruction file, complementing the existing `CLAUDE.md`.
+
+## What this project is
+
+agent-gate is a runtime enforcer for AI coding agent rules. It reads
+natural-language instruction files (CLAUDE.md, AGENTS.md, .cursorrules,
+.cursor/rules/*.mdc, .clinerules, .windsurf/rules, .github/copilot-instructions.md,
+CONVENTIONS.md) as one combined rule set and enforces them at hook time
+in Claude Code and Cursor. A deterministic safety baseline catches
+catastrophic operations before any AI call.
+
+## Hard rules
+
+These are non-negotiable while modifying this codebase.
+
+- Never weaken the deterministic safety rules to make a test pass. If a
+  rule blocks something it should not, narrow the rule by adding an
+  explicit allow-case, never by deleting the protection.
+- Never commit any file matching `.env`, `.env.*` (other than
+  `.env.example`), `*.pem`, `*.key`, or files inside `.ssh/`.
+- Never run `npm publish` from a local checkout. Publishing is performed
+  exclusively by the GitHub Actions release workflow on a signed `v*`
+  tag push (using OIDC + npm provenance). This keeps releases
+  reproducible and supply-chain auditable.
+
+## Soft rules (style and approach)
+
+- Strict TDD for every new rule: write a failing test, make it pass with
+  the smallest possible change, refactor, commit.
+- One logical change per commit. Use Conventional Commits prefixes
+  (`feat`, `fix`, `refactor`, `chore`, `docs`, `test`).
+- Prefer adding a new deterministic rule over expanding an existing one
+  when the concept is distinct; small, single-purpose rules are easier
+  to disable per project.
+- Keep block reasons guidance-shaped: name the violated rule and the
+  next correct step the agent should take. No bare denials.
+- Tests live alongside the file they cover: `test/<mirror of src path>`.
+
+## Development workflow
+
+```bash
+npm install
+npm run checks     # typecheck + vitest
+npm run build      # tsc to dist/
+npm test           # vitest run
+npm run typecheck  # tsc --noEmit
+```
+
+Every change should keep `npm run checks` green before being committed.
+
+## Project structure
+
+- `src/adapters/` — vendor-specific hook payload parsing and response
+  formatting (Claude Code, Cursor).
+- `src/collector/` — multi-source instruction-file aggregator.
+- `src/config/` — `Config` (env vars) and `AgentGateConfig`
+  (`.agent-gate.json`).
+- `src/contracts/` — shared types (`Action`, `RuleSource`,
+  `ValidationResult`) and Zod schemas.
+- `src/deterministic/` — the safety baseline. `engine.ts` runs rules
+  in order, `rules/*` are individual rules, `defaultRules.ts` exports
+  the curated default list.
+- `src/hooks/processHookData.ts` — pipeline orchestrator.
+- `src/observability/` — decision logger and stats aggregator.
+- `src/validation/` — AI client interface, model implementations
+  (`ClaudeCli`, `AnthropicApi`), prompt templates.
+
+## When in doubt
+
+Read `docs/architecture.md` (kept locally, gitignored) for the v1
+roadmap and design rationale. Otherwise, prefer the smallest change
+that keeps `npm run checks` green and ship it.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Hiro-Chiba
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,205 @@
+# agent-gate
+
+[![CI](https://github.com/Hiro-Chiba/agent-gate/actions/workflows/ci.yml/badge.svg)](https://github.com/Hiro-Chiba/agent-gate/actions/workflows/ci.yml)
+
+One natural-language rule source, enforced at runtime across multiple AI coding tools.
+
+agent-gate reads the instruction files you already have (`CLAUDE.md`, `AGENTS.md`, `.cursorrules`, `.cursor/rules/*.mdc`, `.clinerules`, `.windsurf/rules`, `.github/copilot-instructions.md`, `CONVENTIONS.md`) as a single combined rule set, then enforces them at hook time in Claude Code and Cursor. A deterministic safety baseline catches catastrophic operations before any AI call.
+
+## Why
+
+The AI coding tool landscape in 2026 has fragmented into many tools, each with its own instruction file format. Existing tooling either syncs rule files across tools (rulesync, symlinks) or enforces a single rule format at runtime (probity, tdd-guard), but not both. agent-gate sits in the gap: it accepts whatever natural-language instruction files you already maintain and enforces them across multiple AI tools through a single hook.
+
+Two pain points the project is built to address:
+
+- **Rule forgetting** in long agent sessions, where context compression drops the rules from the prompt and the agent quietly drifts off-spec.
+- **Destructive operations** like `rm -rf $HOME` or force-pushing main, which AI judgment is too unreliable to catch consistently.
+
+## Features
+
+- Multi-source rule collection across 8 instruction file formats, surfaced to AI with per-source attribution.
+- Adapter pattern: same binary works in Claude Code (`--agent claude-code`, default) and Cursor 1.7 (`--agent cursor`).
+- Deterministic safety baseline with five built-in rules that fire before any AI call.
+- AI validation against the combined rule set when the safety baseline passes.
+- Per-rule disable and per-project customization via `.agent-gate.json` and `AGENT_GATE_DISABLED_RULES`.
+- Optional decision log (`AGENT_GATE_LOG=1`) and `agent-gate stats` for auditing.
+- Block reasons are guidance, not denials: the AI is instructed to describe the next correct step alongside the violated rule.
+
+## Requirements
+
+- Node.js >= 22.0.0
+- Claude Code or Cursor 1.7
+
+## Installation
+
+```bash
+git clone https://github.com/Hiro-Chiba/agent-gate.git
+cd agent-gate
+./install.sh
+```
+
+The install script handles dependency install, build, and Claude Code hook registration. Restart Claude Code to activate.
+
+To register against Cursor instead of Claude Code, run the binary with `--agent cursor` from your Cursor hook config. To remove the Claude Code hook, run `./uninstall.sh`.
+
+## Configuration
+
+### Environment variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `AGENT_GATE_MODEL` | `claude-sonnet-4-6` | Model used for AI validation |
+| `AGENT_GATE_API_KEY` | (none) | Anthropic API key. Uses the API directly when set; otherwise spawns the Claude CLI |
+| `AGENT_GATE_COOLDOWN` | `0` | Cooldown in seconds between AI validations (deterministic rules always fire) |
+| `AGENT_GATE_DISABLED` | `false` | Set to `true` to disable the whole tool |
+| `AGENT_GATE_DISABLED_RULES` | (none) | Comma-separated rule ids to disable, merged with the config file |
+| `AGENT_GATE_LOG` | (none) | Set to `1` to append decisions to `~/.agent-gate/log.jsonl` |
+| `AGENT_GATE_REASON_LANG` | `auto` | Language for AI-generated `reason` text. `auto` matches the instruction files (English fallback when mixed). Pass `en`, `ja`, `zh`, `ko`, etc. to force a specific language |
+| `USE_SYSTEM_CLAUDE` | `false` | `true` forces PATH `claude` (default: `~/.claude/local/claude` with PATH fallback) |
+
+### Project config file
+
+agent-gate looks for either a TypeScript / JavaScript config or a legacy JSON config, walking upward from the cwd until it finds one. Precedence (highest wins): `.agent-gate.config.ts` > `.mts` > `.mjs` > `.cjs` > `.js` > `.agent-gate.json`.
+
+#### TypeScript / JavaScript config
+
+The full API including custom rules:
+
+```ts
+// .agent-gate.config.ts
+import { defineConfig, forbidCommandPattern, forbidFilePathPattern } from 'agent-gate'
+
+export default defineConfig({
+  disabledRules: ['prevent-force-push-main'],
+  protectedBranches: ['main', 'release'],
+  extraSecretPathPrefixes: ['vault/', 'secrets/'],
+  customRules: [
+    forbidCommandPattern({
+      id: 'no-drop-table',
+      match: /drop\s+table/i,
+      reason: 'DROP TABLE is forbidden. Use a migration instead.',
+    }),
+    forbidFilePathPattern({
+      id: 'no-prod-config',
+      match: /production\.ya?ml$/,
+      reason: 'Production config edits go through ops review.',
+    }),
+  ],
+})
+```
+
+| Field | Effect |
+|---|---|
+| `disabledRules` | List of rule ids that will not run. Merged with `AGENT_GATE_DISABLED_RULES`. |
+| `protectedBranches` | Overrides the default list used by `prevent-force-push-main`. |
+| `extraSecretPathPrefixes` | Additional path substrings treated as secret targets by `prevent-secret-file-write`. |
+| `customRules` | User-defined `DeterministicRule[]` appended after the built-ins. Use the `forbidCommandPattern` / `forbidContentPattern` / `forbidFilePathPattern` factories or hand-write your own. |
+
+#### Legacy JSON config
+
+Still works for simple cases:
+
+```json
+{
+  "disabled_rules": ["prevent-force-push-main"],
+  "protected_branches": ["main", "release"],
+  "extra_secret_paths": ["vault/", "secrets/"]
+}
+```
+
+JSON cannot express custom rules. Migrate to the TS/JS form when you need them.
+
+## How It Works
+
+1. The AI coding tool fires a pre-tool-use hook with its vendor-specific JSON payload.
+2. The selected adapter parses that payload into a normalized `Action`.
+3. Deterministic safety rules run first. Catastrophic patterns are blocked here without calling AI.
+4. If the safety baseline passes, agent-gate collects all 8 instruction file formats present in the project tree.
+5. The AI validates the operation against the combined rule set, with each source attributed by kind.
+6. The verdict (block + guidance, or allow) is returned through the adapter's response formatter.
+
+## Built-in Safety Rules
+
+| Rule | Blocks |
+|---|---|
+| `prevent-rm-rf-root` | Recursive `rm` on `/`, `$HOME`, `~`, `/etc`, `/usr`, `/var`, and other catastrophic paths. Handles `sudo` prefix and flag variants (`-rf`, `-fr`, `-Rf`). |
+| `prevent-secret-file-write` | `Edit`/`Write` on `.env*` (non-template), `.ssh/*`, `.aws/credentials`, `*.pem`, `*.key`, `id_rsa`, `.netrc`. |
+| `prevent-bash-secret-write` | Shell redirects to the same secret paths via `>`, `>>`, or `tee`. |
+| `prevent-force-push-main` | `git push --force` or `-f` to `main`, `master`, `develop`, `production`, `release`, `stable`. Allows `--force-with-lease`. |
+| `prevent-system-path-write` | `Edit`/`Write` to `/etc`, `/usr`, `/var`, `/System`, `/Library`, `/opt`, and other system-owned paths. |
+
+Each rule can be disabled individually through `.agent-gate.json` or the env var.
+
+## Supported Instruction File Formats
+
+agent-gate aggregates rules from any combination of:
+
+- `CLAUDE.md` (Claude Code)
+- `AGENTS.md` (cross-tool spec backed by the Linux Foundation Agentic AI Foundation)
+- `.cursorrules` (Cursor legacy)
+- `.cursor/rules/*.mdc` (Cursor current)
+- `.clinerules/*.md` (Cline)
+- `.windsurf/rules/*.md` (Windsurf)
+- `.github/copilot-instructions.md` (GitHub Copilot)
+- `CONVENTIONS.md` (Aider)
+
+You do not need to choose. Maintain whichever file your team already uses; agent-gate reads them all.
+
+## Supported AI Coding Tools
+
+agent-gate enforces in any tool that exposes a pre-tool-use hook. As of v1:
+
+- Claude Code (mature). `agent-gate --agent claude-code`, the default.
+- Cursor 1.7 (beta). `agent-gate --agent cursor`. Payload mapping is best-effort against public docs.
+
+Tools without a hook surface (Copilot, Cline, Aider, Codex web, Replit, Devin) can still benefit from agent-gate as a rule source linter or via downstream sync (rulesync, symlinks), but cannot be enforced at runtime.
+
+## CLAUDE.md Doctor
+
+Run `agent-gate lint` from a project root to audit your instruction files for AI-friendliness. The doctor walks the same 8 file formats the runtime reads, then surfaces:
+
+- **Empty files** that would make the AI think no rules exist.
+- **Files with no concrete rules** (no imperatives, no bullets, no numbered items).
+- **Ambiguous modifiers** like "where possible", "as needed", "適切に", "なるべく", "可能な限り", "必要に応じて". AI judgment cannot enforce these reliably; the doctor suggests replacing them with a concrete condition or threshold.
+
+```text
+$ agent-gate lint
+/p/CLAUDE.md
+  [warning] no-concrete-rules: No imperatives ...
+  [info] ambiguous-modifier (line 5): Ambiguous modifier "適切に" ...
+      > - エラーは適切に扱う
+
+1 finding.
+```
+
+Exit code is 1 if any finding has severity `error`, otherwise 0, so the command can run in CI.
+
+## Daemon mode
+
+Each hook invocation normally spawns a fresh Node process (cold start ~300ms). For users that fire hooks at high frequency, agent-gate can run as a long-lived daemon on a Unix socket and let hook invocations reuse the warm process.
+
+```bash
+# Terminal 1: start the daemon (foreground; manage with systemd / launchctl / tmux in production).
+agent-gate daemon
+
+# Terminal 2 (or in your hook config):
+AGENT_GATE_DAEMON=1 agent-gate
+```
+
+When `AGENT_GATE_DAEMON=1`, the hook tries the socket first and transparently falls back to direct mode if the daemon is unreachable. Set `AGENT_GATE_SOCKET_PATH` to override the default `$TMPDIR/agent-gate.sock`.
+
+The daemon is opt-in. Users not setting `AGENT_GATE_DAEMON=1` keep the existing one-shot behavior.
+
+## Observability
+
+Set `AGENT_GATE_LOG=1` to append every decision to `~/.agent-gate/log.jsonl`. Each line is a JSON object with timestamp, adapter, tool, decision, reason, source (`deterministic` / `ai`), and `ruleId` when a deterministic rule fired.
+
+Run `agent-gate stats` for a summary: total decisions, block percentage, breakdown by source, adapter, tool, and rule id.
+
+## Network Access
+
+agent-gate only communicates with Anthropic endpoints, either directly via the Anthropic API (when `AGENT_GATE_API_KEY` is set) or indirectly through the Claude CLI subprocess. It does not contact any other external services and does not send telemetry. Deterministic rules run entirely locally.
+
+## License
+
+[MIT](LICENSE)

package/dist/adapters/Adapter.d.ts

@@ -0,0 +1,32 @@
+import { ParsedHook } from '../contracts/types/Action';
+import { ValidationResult } from '../contracts/types/ValidationResult';
+import { SessionEvent } from '../contracts/types/SessionContext';
+export interface ReadHistoryOptions {
+    cwd: string;
+    /** Max events to return. Adapters should honor this; default is impl-defined. */
+    limit?: number;
+}
+/**
+ * An Adapter bridges a specific AI coding tool's hook API to agent-gate's
+ * normalized pipeline. Each adapter:
+ *   1. parses the vendor's stdin JSON into a ParsedHook,
+ *   2. formats agent-gate's ValidationResult into the vendor's expected
+ *      stdout JSON,
+ *   3. optionally reads the vendor's transcript file to provide
+ *      SessionContext.history to rules and the AI prompt.
+ */
+export interface Adapter {
+    /** Identifier used for CLI dispatch and logging. */
+    readonly id: string;
+    /** Parse stdin JSON into a normalized ParsedHook. */
+    parseHook(stdinJson: string): ParsedHook;
+    /** Format a ValidationResult into the vendor-specific stdout JSON. */
+    formatResponse(result: ValidationResult): string;
+    /**
+     * Read recent session events from the vendor's transcript. Optional;
+     * an adapter that cannot read history should omit this method or
+     * return an empty array.
+     */
+    readHistory?(opts: ReadHistoryOptions): Promise<SessionEvent[]>;
+}
+//# sourceMappingURL=Adapter.d.ts.map

package/dist/adapters/Adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Adapter.d.ts","sourceRoot":"","sources":["../../src/adapters/Adapter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAA;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAA;AAEhE,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAA;IACX,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,OAAO;IACtB,oDAAoD;IACpD,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IAEnB,qDAAqD;IACrD,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,UAAU,CAAA;IAExC,sEAAsE;IACtE,cAAc,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAAA;IAEhD;;;;OAIG;IACH,WAAW,CAAC,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAA;CAChE"}

package/dist/adapters/Adapter.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/adapters/claude-code/adapter.d.ts

@@ -0,0 +1,3 @@
+import { Adapter } from '../Adapter';
+export declare const claudeCodeAdapter: Adapter;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/adapters/claude-code/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../../src/adapters/claude-code/adapter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAsB,MAAM,YAAY,CAAA;AASxD,eAAO,MAAM,iBAAiB,EAAE,OA4C/B,CAAA"}

package/dist/adapters/claude-code/adapter.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.claudeCodeAdapter = void 0;
+const hookDataSchema_1 = require("../../contracts/schemas/hookDataSchema");
+const transcript_1 = require("./transcript");
+const HOOK_EVENT_PRE_TOOL_USE = 'PreToolUse';
+exports.claudeCodeAdapter = {
+    id: 'claude-code',
+    parseHook(stdinJson) {
+        let raw;
+        try {
+            raw = JSON.parse(stdinJson);
+        }
+        catch {
+            return { kind: 'skip', reason: 'invalid JSON' };
+        }
+        const parsed = hookDataSchema_1.HookDataSchema.safeParse(raw);
+        if (!parsed.success) {
+            return { kind: 'skip', reason: 'unrecognized hook payload' };
+        }
+        const data = parsed.data;
+        if (data.hook_event_name !== HOOK_EVENT_PRE_TOOL_USE) {
+            return { kind: 'skip', reason: `not a PreToolUse event: ${data.hook_event_name}` };
+        }
+        const toolName = data.tool_name;
+        const toolInput = data.tool_input;
+        if (!toolName || !toolInput) {
+            return { kind: 'skip', reason: 'missing tool_name or tool_input' };
+        }
+        return {
+            kind: 'action',
+            action: { toolName, toolInput },
+        };
+    },
+    formatResponse(result) {
+        if (result.decision === 'block') {
+            return JSON.stringify({ decision: 'block', reason: result.reason });
+        }
+        // Allow case: Claude Code expects no `decision` key (or null) for allow.
+        return JSON.stringify({ reason: result.reason });
+    },
+    async readHistory(opts) {
+        return (0, transcript_1.readClaudeCodeTranscript)({ cwd: opts.cwd, limit: opts.limit });
+    },
+};

package/dist/adapters/claude-code/transcript.d.ts

@@ -0,0 +1,16 @@
+import { SessionEvent } from '../../contracts/types/SessionContext';
+/**
+ * Encode a project path into the directory name Claude Code uses under
+ * `~/.claude/projects/`. The convention: replace `/` with `-`, drop
+ * trailing slash. e.g. `/Users/me/proj` -> `-Users-me-proj`.
+ */
+export declare function encodeProjectsPath(cwd: string): string;
+export interface ReadClaudeCodeTranscriptOptions {
+    cwd: string;
+    /** Override $HOME for testing. Defaults to os.homedir(). */
+    home?: string;
+    /** Max events to return. Returns the last `limit` events. */
+    limit?: number;
+}
+export declare function readClaudeCodeTranscript(opts: ReadClaudeCodeTranscriptOptions): Promise<SessionEvent[]>;
+//# sourceMappingURL=transcript.d.ts.map

package/dist/adapters/claude-code/transcript.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transcript.d.ts","sourceRoot":"","sources":["../../../src/adapters/claude-code/transcript.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAA;AAEnE;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAMtD;AAED,MAAM,WAAW,+BAA+B;IAC9C,GAAG,EAAE,MAAM,CAAA;IACX,4DAA4D;IAC5D,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AA6DD,wBAAsB,wBAAwB,CAC5C,IAAI,EAAE,+BAA+B,GACpC,OAAO,CAAC,YAAY,EAAE,CAAC,CA+BzB"}

package/dist/adapters/claude-code/transcript.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encodeProjectsPath = encodeProjectsPath;
+exports.readClaudeCodeTranscript = readClaudeCodeTranscript;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+/**
+ * Encode a project path into the directory name Claude Code uses under
+ * `~/.claude/projects/`. The convention: replace `/` with `-`, drop
+ * trailing slash. e.g. `/Users/me/proj` -> `-Users-me-proj`.
+ */
+function encodeProjectsPath(cwd) {
+    let trimmed = cwd;
+    if (trimmed.length > 1 && trimmed.endsWith('/')) {
+        trimmed = trimmed.slice(0, -1);
+    }
+    return trimmed.replace(/\//g, '-');
+}
+function classify(raw) {
+    const t = raw.type;
+    if (t === 'tool_use') {
+        return {
+            kind: 'tool-call',
+            toolName: typeof raw.name === 'string' ? raw.name : undefined,
+            toolInput: raw.input && typeof raw.input === 'object'
+                ? raw.input
+                : undefined,
+            timestamp: raw.timestamp,
+            raw,
+        };
+    }
+    if (t === 'tool_result') {
+        return {
+            kind: 'tool-result',
+            timestamp: raw.timestamp,
+            raw,
+        };
+    }
+    if (t === 'user') {
+        return { kind: 'user-message', timestamp: raw.timestamp, raw };
+    }
+    if (t === 'assistant') {
+        return { kind: 'assistant-message', timestamp: raw.timestamp, raw };
+    }
+    return null;
+}
+function pickMostRecentJsonl(dir) {
+    let entries;
+    try {
+        entries = (0, fs_1.readdirSync)(dir).filter((name) => name.endsWith('.jsonl'));
+    }
+    catch {
+        return null;
+    }
+    if (entries.length === 0)
+        return null;
+    let best = null;
+    for (const name of entries) {
+        try {
+            const m = (0, fs_1.statSync)((0, path_1.join)(dir, name)).mtimeMs;
+            if (!best || m > best.mtime)
+                best = { name, mtime: m };
+        }
+        catch {
+            // skip
+        }
+    }
+    return best ? (0, path_1.join)(dir, best.name) : null;
+}
+async function readClaudeCodeTranscript(opts) {
+    const home = opts.home ?? (0, os_1.homedir)();
+    const dir = (0, path_1.join)(home, '.claude', 'projects', encodeProjectsPath(opts.cwd));
+    if (!(0, fs_1.existsSync)(dir))
+        return [];
+    const file = pickMostRecentJsonl(dir);
+    if (!file)
+        return [];
+    let content;
+    try {
+        content = (0, fs_1.readFileSync)(file, 'utf-8');
+    }
+    catch {
+        return [];
+    }
+    const events = [];
+    for (const line of content.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        let raw;
+        try {
+            raw = JSON.parse(trimmed);
+        }
+        catch {
+            continue;
+        }
+        const evt = classify(raw);
+        if (evt)
+            events.push(evt);
+    }
+    const limit = opts.limit ?? events.length;
+    return events.slice(-limit);
+}

package/dist/adapters/cursor/adapter.d.ts

@@ -0,0 +1,3 @@
+import { Adapter } from '../Adapter';
+export declare const cursorAdapter: Adapter;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/adapters/cursor/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../../src/adapters/cursor/adapter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,YAAY,CAAA;AA2BpC,eAAO,MAAM,aAAa,EAAE,OAoE3B,CAAA"}

package/dist/adapters/cursor/adapter.js

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cursorAdapter = void 0;
+/**
+ * Cursor 1.7 hook adapter.
+ *
+ * Cursor exposes pre-execution hooks (beforeShellExecution, beforeReadFile,
+ * beforeFileEdit) and post-event hooks (afterFileEdit). agent-gate is a
+ * prevention tool, so it only handles the "before" hooks; "after" payloads
+ * are skipped because the operation already happened.
+ *
+ * The payload schema below is the best-effort shape based on Cursor's
+ * public docs as of early 2026. Field names may need adjustment as
+ * Cursor's hook API matures.
+ */
+const PRE_HOOK_EVENTS = new Set([
+    'beforeShellExecution',
+    'beforeReadFile',
+    'beforeFileEdit',
+]);
+function isObject(v) {
+    return typeof v === 'object' && v !== null;
+}
+exports.cursorAdapter = {
+    id: 'cursor',
+    parseHook(stdinJson) {
+        let raw;
+        try {
+            raw = JSON.parse(stdinJson);
+        }
+        catch {
+            return { kind: 'skip', reason: 'invalid JSON' };
+        }
+        if (!isObject(raw)) {
+            return { kind: 'skip', reason: 'payload is not an object' };
+        }
+        const event = raw['hook_event_name'];
+        if (typeof event !== 'string' || !PRE_HOOK_EVENTS.has(event)) {
+            return { kind: 'skip', reason: `not a pre-hook event: ${String(event)}` };
+        }
+        switch (event) {
+            case 'beforeShellExecution': {
+                const command = raw['command'];
+                if (typeof command !== 'string') {
+                    return { kind: 'skip', reason: 'missing command' };
+                }
+                return {
+                    kind: 'action',
+                    action: { toolName: 'Bash', toolInput: { command } },
+                };
+            }
+            case 'beforeReadFile': {
+                const filePath = raw['file_path'];
+                if (typeof filePath !== 'string') {
+                    return { kind: 'skip', reason: 'missing file_path' };
+                }
+                return {
+                    kind: 'action',
+                    action: { toolName: 'Read', toolInput: { file_path: filePath } },
+                };
+            }
+            case 'beforeFileEdit': {
+                const filePath = raw['file_path'];
+                if (typeof filePath !== 'string') {
+                    return { kind: 'skip', reason: 'missing file_path' };
+                }
+                const toolInput = { file_path: filePath };
+                if (typeof raw['new_content'] === 'string') {
+                    toolInput.new_content = raw['new_content'];
+                }
+                return {
+                    kind: 'action',
+                    action: { toolName: 'Edit', toolInput },
+                };
+            }
+            default:
+                return { kind: 'skip', reason: 'unrecognized event' };
+        }
+    },
+    formatResponse(result) {
+        if (result.decision === 'block') {
+            return JSON.stringify({
+                permission: 'deny',
+                userMessage: result.reason,
+            });
+        }
+        return JSON.stringify({ permission: 'allow' });
+    },
+};

package/dist/adapters/index.d.ts

@@ -0,0 +1,8 @@
+import { Adapter } from './Adapter';
+import { claudeCodeAdapter } from './claude-code/adapter';
+import { cursorAdapter } from './cursor/adapter';
+export declare const DEFAULT_ADAPTER_ID = "claude-code";
+export declare function getAdapter(id: string): Adapter | undefined;
+export declare function availableAdapterIds(): string[];
+export { Adapter, claudeCodeAdapter, cursorAdapter };
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAA;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA;AAEhD,eAAO,MAAM,kBAAkB,gBAAgB,CAAA;AAO/C,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAE1D;AAED,wBAAgB,mBAAmB,IAAI,MAAM,EAAE,CAE9C;AAED,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,CAAA"}

package/dist/adapters/index.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cursorAdapter = exports.claudeCodeAdapter = exports.DEFAULT_ADAPTER_ID = void 0;
+exports.getAdapter = getAdapter;
+exports.availableAdapterIds = availableAdapterIds;
+const adapter_1 = require("./claude-code/adapter");
+Object.defineProperty(exports, "claudeCodeAdapter", { enumerable: true, get: function () { return adapter_1.claudeCodeAdapter; } });
+const adapter_2 = require("./cursor/adapter");
+Object.defineProperty(exports, "cursorAdapter", { enumerable: true, get: function () { return adapter_2.cursorAdapter; } });
+exports.DEFAULT_ADAPTER_ID = 'claude-code';
+const ADAPTER_REGISTRY = {
+    'claude-code': adapter_1.claudeCodeAdapter,
+    cursor: adapter_2.cursorAdapter,
+};
+function getAdapter(id) {
+    return ADAPTER_REGISTRY[id];
+}
+function availableAdapterIds() {
+    return Object.keys(ADAPTER_REGISTRY).sort();
+}