Edictum Gate

Enforce agency boundaries for coding assistants with the canonical Edictum CLI and Gate runtime.

Gate is the coding-assistant runtime for Edictum. It sits between the assistant and the real tool runner, evaluates each tool call against your rules, records the decision locally, and can optionally sync that audit stream to the hosted control plane.

Install

The canonical Edictum CLI ships from edictum-go:

go install github.com/edictum-ai/edictum-go/cmd/edictum@latest

Gate stores local state under ~/.edictum/:

config.json — Gate configuration
rules/ — copied ruleset YAML files
workflows/ — copied workflow YAML files
state/ — local workflow/session state
audit/ — local WAL audit files

Quick Start

1. Initialize Gate with real rules

edictum gate init --rules ./policy/rules

If you want workflow gates too:

edictum gate init \
  --rules ./policy/rules \
  --workflow ./policy/workflow.yaml

If the workflow uses trusted exec(...) conditions, opt in explicitly:

edictum gate init \
  --rules ./policy/rules \
  --workflow ./policy/workflow.yaml \
  --workflow-exec

gate init does not invent rules for you. Point --rules at a real ruleset file or directory.

2. Install the hook for your assistant

edictum gate install claude-code

Supported assistants:

Assistant	Hook location	Format
Claude Code	`~/.claude/settings.json`	PreToolUse
Cursor	`~/.cursor/hooks.json`	preToolUse
Copilot CLI	`.github/hooks/hooks.json`	preToolUse
Gemini CLI	`.gemini/settings.json`	BeforeTool
OpenCode	`~/.opencode/plugins/`	Plugin

3. Inspect local status

edictum gate status
edictum gate audit

gate status shows the configured rules, workflow path, pending audit events, installed assistants, and workflow-session state when applicable.

4. Run the full runtime

gate check is the hook-facing preflight path. gate run is the full execution path that evaluates rules, workflow state, approvals, and audit plumbing:

echo '{"tool_name":"Read","tool_input":{"path":"spec.md"}}' \
  | edictum gate run --format raw --session-id mimi-task-42 -- ./tool-runner

Reuse the same --session-id across one task so workflow state can advance.

Important Behavior

Gate uses whatever mode your rules specify. Start new rules in observe inside YAML before switching them to enforce.
edictum gate check evaluates tool calls from stdin and returns a preflight verdict. It is what assistant hooks call.
edictum gate run is the real runtime path. That is where workflow gates are enforced.
Local audit events are written to ~/.edictum/audit/.
edictum gate reset --stage <stage-id> resets the active workflow session to a named stage.

Control Plane Connection

Gate can push its audit stream to the hosted control plane:

edictum gate init \
  --rules ./policy/rules \
  --server https://api.edictum.ai \
  --api-key edk_your_key_here

Flush buffered events explicitly:

edictum gate sync

The current public path is manual sync. Do not assume a background auto-flush loop unless you have verified it in your installed CLI build.

Command Surface

Command	Purpose
`edictum gate init`	Set up Gate config, rules, and optional workflow
`edictum gate install <assistant>`	Register a hook with a coding assistant
`edictum gate uninstall <assistant>`	Remove a hook
`edictum gate status`	Show Gate config, workflow status, and pending events
`edictum gate audit`	Show recent local audit events
`edictum gate sync`	Flush buffered audit events to the control plane
`edictum gate check`	Preflight evaluation path used by hooks
`edictum gate run`	Full runtime path for real tool execution
`edictum gate reset --stage <id>`	Reset the active workflow session

On this page