@axiorank/coding-guard
v0.1.2
Published
Govern AI coding agents (Claude Code, Cursor, Codex, GitHub Copilot CLI) from a hook. It blocks dangerous tool calls locally and offline (destructive commands, secret exfiltration, prompt-injected tool results), then optionally reports the session to Axio
Maintainers
Readme
@axiorank/coding-guard
Govern your AI coding agents the same way AxioRank governs production agents.
coding-guard is a hook for Claude Code, Cursor, OpenAI Codex CLI, and GitHub Copilot CLI. On every tool-call lifecycle event the agent hands the action to the guard, which scores it with the AxioRank detection engine and answers allow, deny, or ask in the agent's own response format. It blocks the things you do not want an autonomous agent doing on your machine:
- destructive commands (
rm -rf,git push --force,DROP TABLE,curl ... | sh) - secret exfiltration (a command or file write that ships an API key, token, or
.env) - prompt-injected tool results (a poisoned MCP reply or fetched page steering the agent, the "agentjacking" class of attack)
Local blocking runs fully offline with no API key and no signup. Add an API key and the guard also reports the session to AxioRank, applies your workspace's real policy, and mints a signed Coding Session Seal you can verify offline.
Install
# wire the guard into this repo's coding-agent configs (idempotent)
npx -y @axiorank/coding-guard initThat merges a hook entry into .claude/settings.json (Claude Code), .codex/hooks.json (Codex), .cursor/hooks.json (Cursor), and .github/hooks/copilot-cli-policy.json (Copilot CLI). Each command carries an explicit --agent so the session is labeled correctly (Codex and Claude Code share an event schema). Prefer to paste it yourself?
npx -y @axiorank/coding-guard printCursor users: instead of editing .cursor/hooks.json by hand, install the AxioRank
Cursor plugin (packages/cursor-plugin/), which ships these governance hooks plus a
governance rule, the AxioRank MCP server, and /verify-seal + /governance commands as a
first-class, one-click Cursor plugin.
How it decides
The guard reuses @axiorank/detectors, the exact engine AxioRank's hosted gateway runs, so a coding agent is held to the same default posture as a production agent: deny on a live secret, deny on a destructive operation, deny at risk >= 75, and ask for review in the 50 to 74 band. A deny blocks the call; an ask prompts you in the editor; everything else proceeds.
Central reporting + Coding Session Seal (optional)
Set an API key and the guard reports each governed call to your AxioRank workspace:
export AXIORANK_API_KEY="axr_live_..."Now the session shows up under Coding Sessions in the dashboard, raises alerts on high-risk activity, and applies your workspace policy (which can only tighten the local decision, never loosen a local block). When the agent finishes, the guard mints a Coding Session Seal: an Ed25519-signed, offline-verifiable attestation of how many tool calls were governed, how many were blocked, which detector categories fired, and a Merkle root over the session's audit log. It is written to <repo>/.axiorank/session-<id>.seal.json.
Verify it with no trust in AxioRank:
npx -y @axiorank/audit-verify coding-seal .axiorank/session-*.seal.jsonSession seals require a Team plan or higher. Local blocking is always free.
Configuration
| Env var | Default | Purpose |
| --- | --- | --- |
| AXIORANK_API_KEY | unset | Report sessions centrally and mint seals. Unset = local-only. |
| AXIORANK_BASE_URL | https://app.axiorank.com | Your AxioRank deployment. |
| AXIORANK_CODING_GUARD_TIMEOUT_MS | 2500 | Timeout for the central call (fails open on timeout). |
| AXIORANK_CODING_GUARD_DISABLE_REMOTE | unset | Force local-only mode even with a key set. |
Design notes
- Fail-open. A crash, a malformed payload, or an unreachable gateway never blocks the editor. Security tightening comes from explicit
denyverdicts, not from the guard failing closed. - No raw secrets leave your machine. The detectors redact in place; only the redacted payload is ever reported, exactly like the SDK.
- Local-first blocking. The local verdict is authoritative for blocking even when offline; the central call can only add stricter org rules.
MIT licensed. Part of AxioRank.
