CRE
Claude Rule Enforcer

A PA for your AI. The guardrail layer OpenClaw forgot to build. It learns how you work and makes your coding assistant respect it.

For developers using OpenClaw, Claude Code, Cursor, Windsurf, or any AI coding assistant.

Claude Code, OpenClaw, Cursor, Windsurf, Cline, Aider

18 seconds. Two layers. Zero compromise.

AI coding assistants ignore their instructions under context pressure

You wrote the rules. Your AI read them. Then it did whatever it wanted anyway.

"You say 'let's discuss this' and the AI starts building."

Intent misalignment. The AI treats every sentence as an instruction to act.

"You've corrected the same mistake 47 times and it still happens."

No persistent enforcement. Corrections vanish with the conversation window.

"Your instruction file says 'never force push'. The AI force pushes."

Static text has no authority. The AI weighs it against 200K tokens of context.

Instruction files are memos. CRE is a person in the room who never forgets and can't be talked past.

60,000 developers gave an AI full system access. With no guardrails.

OpenClaw ships with a powerful execution engine and leaves safety as an afterthought. The results speak for themselves.

"Don't action until I tell you to."

Meta's AI Alignment Director told OpenClaw not to delete emails. It ignored her, wiped her inbox, and continued deleting through two stop commands. She had to physically kill the process.

"Agent deleted OAuth credentials trying to 'fix' an auth issue."

GitHub Issue #6823. A user's agent autonomously destroyed authentication tokens. No confirmation, no rollback.

"Dumped the contents of the home directory into a group chat."

Kaspersky found nearly 1,000 publicly accessible OpenClaw instances running without authentication. One bot leaked an entire home directory.

  • 512: Vulnerabilities found by Kaspersky
  • 230+: Malicious plugins published in 5 days
  • CVE-2026: One-click RCE (CVSS 8.8)
  • 0: Built-in guardrails by default

"Security is an option, but it is not built in."

Cisco Security Research, January 2026

"The lethal trifecta: tool access, sensitive data, autonomous execution."

Simon Willison, AI security researcher

CRE solves this. Every tool call passes through a deterministic gate before execution. Not a system prompt. Not a polite request. A mechanical layer the AI cannot bypass, talk past, or compress away.

Works with OpenClaw, Claude Code, Cursor, Windsurf, or any AI coding tool that supports hooks.

Two layers. Fast by default, smart when it matters.

L1 checks every tool call instantly. L2 reviews conversation context and sends tips back to Claude Code, guiding it to make better decisions.

Tool Call -> L1: Fast Gate -> L2: Context Review -> ALLOW / ADVISE

Layer 1

Fast Gate

<10ms / regex pattern matching
  • always_block: rm -rf, force push, fork bombs
  • always_allow: ls, git status, grep
  • needs_review: escalate to Layer 2
# rules.json
"always_block": [
  "rm\\s+-rf\\s+/",
  "git\\s+push.*--force",
  ":\\(\\)\\{ :\\|:& \\};:"
]
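
The Layer 1 decision described above, as an added example (not CRE's own code): block patterns are checked first, allow patterns apply only to a single unchained command, and anything unmatched goes to review. The always_allow patterns, the evaluation order, the chaining check and the function names are assumptions; the fork-bomb pattern is written with its metacharacters escaped.

```python
import json
import re

# Constructed sample in the shape of the page's rules.json fragment.
# The always_allow patterns and the fall-through to review are assumptions.
RULES = json.loads(r"""
{
  "always_block": ["rm\\s+-rf\\s+/", "git\\s+push.*--force",
                   ":\\(\\)\\s*\\{.*\\|.*&\\s*\\};"],
  "always_allow": ["^ls(\\s|$)", "^git\\s+status(\\s|$)", "^grep\\s"]
}
""")

# Shell operators that let one tool call carry more than one command.
CHAINING = re.compile(r"[;&|`]|\$\(")


def compile_rules(rules):
    """Compile every pattern up front so a bad regex fails at load time."""
    return {name: [re.compile(p) for p in pats] for name, pats in rules.items()}


def l1_gate(command, compiled):
    """Return 'BLOCK', 'ALLOW' or 'REVIEW' for one tool-call command string."""
    # Block rules are searched anywhere in the string and always win.
    for rx in compiled["always_block"]:
        if rx.search(command):
            return "BLOCK"
    # An allow rule only applies to a single, unchained command; otherwise
    # "ls; <anything>" would inherit the verdict of its harmless prefix.
    if not CHAINING.search(command):
        for rx in compiled["always_allow"]:
            if rx.search(command):
                return "ALLOW"
    # Anything unmatched is escalated rather than allowed by default.
    return "REVIEW"


COMPILED = compile_rules(RULES)

if __name__ == "__main__":
    for cmd in ["ls -la", "git status", "rm -rf /var/backups/*",
                "git push origin main --force", "ls && rm -rf /tmp/x",
                "ls; make deploy", "pip install requests"]:
        print(f"{l1_gate(cmd, COMPILED):6}  {cmd}")
```

Anchoring the allow patterns with `^` and a trailing `(\s|$)` keeps `ls` from matching unrelated commands that merely start with the same letters.
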
Layer 2

Context Review (Advisory)

2-5s / any OpenAI-compatible LLM
  • "Did the user actually ask for this?"
  • Intent alignment, not just danger detection
  • Reads conversation context + rules together
  • Sends tips and advice back to Claude Code
# L2 advisory output
advice: "User said 'let's discuss'
  but you're about to execute code.
  Consider confirming intent first."
action: Claude adjusts approach
Works with OpenAI, Anthropic, Ollama, OpenRouter, Z.AI, Kimi, Together, or any OpenAI-compatible API.

Advise once with the LLM. It becomes a regex rule forever.

CRE promotes L2 observations into L1 rules automatically. The system gets faster and cheaper over time.

01. L2 advises on a pattern

The LLM catches an intent mismatch and sends advice to Claude Code. This costs 2-5 seconds and API tokens.

02. Pattern extracted

CRE extracts the command pattern that triggered the advisory and proposes a new L1 regex rule.

03. Human approves

The proposed rule is shown to the human for review. No rule activates without explicit approval.

04. Promoted to L1

The rule joins the fast gate. Next time, it resolves in under 10ms with zero API cost.

The system gets faster and cheaper over time. Every L2 call is a candidate for L1 promotion.
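
One way to gate the promotion steps above, as an added example rather than CRE's implementation: a candidate pattern is built from the advised command, checked against known-good history for false positives, and refused without a named approver. The extraction heuristic, the function names, the rule-store layout and the sample commands are assumptions.

```python
import re


def propose_rule(command):
    """Turn one advised command into a candidate regex (assumed heuristic:
    escape every token literally, allow any whitespace run between tokens)."""
    return r"\s+".join(re.escape(tok) for tok in command.split())


def false_positives(pattern, known_good):
    """Commands from the known-good history that the candidate would block."""
    rx = re.compile(pattern)
    return [cmd for cmd in known_good if rx.search(cmd)]


def promote(rules, pattern, reason, approved_by, known_good):
    """Add a candidate to always_block only after sign-off and a clean check."""
    if not approved_by:
        raise PermissionError("rule not approved by a human reviewer")
    hits = false_positives(pattern, known_good)
    if hits:
        raise ValueError(f"candidate would block known-good commands: {hits}")
    if pattern not in rules["always_block"]:
        rules["always_block"].append(pattern)
        # Keep an audit trail of who approved what, and why.
        rules.setdefault("learned", []).append(
            {"pattern": pattern, "reason": reason, "approved_by": approved_by})
    return rules


# Constructed sample history of commands the user ran without objection.
KNOWN_GOOD = ["git status", "git reset --soft HEAD~1", "git log --oneline"]

if __name__ == "__main__":
    rules = {"always_block": []}
    candidate = propose_rule("git reset --hard origin/main")
    print("candidate:", candidate)
    try:
        promote(rules, candidate, "L2 advisory", None, KNOWN_GOOD)
    except PermissionError as exc:
        print("refused:", exc)
    promote(rules, candidate, "L2 advisory", "alice", KNOWN_GOOD)
    print("always_block:", rules["always_block"])
```
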

Tested in production, not just in theory.

  • <10ms: L1 response time
  • 84%: Intent misalignment caught (case study)
  • 1000+: Test scenarios
  • 112: Automated tests
  • 14 days: Production case study
  • Any AI: Works with any coding assistant

Manage everything from the web UI

Run cre dashboard to launch locally on port 8766.

Dashboard preview (localhost:8766)
Claude Rule Enforcer v0.3.0 ACTIVE
Gate ON, LLM ON, Learn ON
47 BLOCKED, 1,284 ALLOWED, 23 L2 REVIEWS, 8 LEARNED
Test: rm -rf /var/backups/*
Result: BLOCKED: L1 recursive delete
Tabs: Rules, Suggestions (3), Preferences, Knowledge Base, Import, Logs, Settings
Rule categories: always_block, always_allow, needs_llm_review, learned
rm\s+-rf\s+/ | Recursive delete from root
git\s+push.*--force | Force push to any branch
:\(\)\s*\{.*\|.*&\s*\}; | Fork bomb pattern
DROP\s+TABLE|DROP\s+DATABASE | SQL destructive operations
ssh.*root@.*prod | Direct root access to production

Running in under a minute.

Installation
$ git clone https://github.com/tech-and-ai/claude-rule-enforcer.git
$ cd claude-rule-enforcer
$ pip install -e .
$ cp rules.example.json rules.json  # customise your rules
$ export CRE_LLM_API_KEY="your-key"  # for L2 reviews
$ cre status

Commands:
cre init         Auto-configure hooks in ~/.claude/settings.json
cre status       Show gate status, rule counts, env vars
cre enable       Activate the enforcement gate
cre disable      Temporarily pause enforcement
cre test "cmd"   Test a command against your rules
cre scan         Scan conversation history, suggest rules
cre import       Import rules from CLAUDE.md or other files
cre rules        List, add, and manage active rules
cre memory       View enforcement memory and stats
cre dashboard    Start web dashboard on :8766

Using OpenClaw? Add CRE in 60 seconds.

Stop your agent from deleting credentials, wiping inboxes, or running destructive commands. CRE hooks directly into OpenClaw's tool execution pipeline.

$ pip install claude-rule-enforcer
$ cre init --adapter openclaw
$ cre enable

# That's it. Every tool call now passes through CRE.
# L1 blocks rm -rf, force push, fork bombs in <10ms.
# L2 checks intent: "Did the user actually ask for this?"

Also works with Claude Code, Cursor, Windsurf, Cline, and any tool that supports execution hooks.