by eqtylab
A native policy enforcement layer for AI coding agents. Built on OPA/Rego.
# Add to your Claude Code skills
git clone https://github.com/eqtylab/cupcakeLast scanned: 5/30/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-30T15:14:59.692Z",
"npmAuditRan": true,
"pipAuditRan": true
}cupcake is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by eqtylab. A native policy enforcement layer for AI coding agents. Built on OPA/Rego. It has 277 GitHub stars.
Yes. cupcake passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/eqtylab/cupcake" and add it to your Claude Code skills directory (see the Installation section above).
cupcake is primarily written in Rust. It is open-source under eqtylab on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh cupcake against similar tools.
No comments yet. Be the first to share your thoughts!
Make AI agents follow the rules.
Policy enforcement layer for AI agents; yielding better performance and security without consuming model context.
Cupcake intercepts agent events and evaluates them against user-defined rules written in Open Policy Agent (OPA) Rego. Agent actions can be blocked, modified, and auto-corrected by providing the agent helpful feedback. Additional benefits include reactive automation for tasks you dont need to rely on the agent to conduct (like linting after a file edit).
2025-12-10: Official open source release. Roadmap will be produced in Q1 2026.
2025-04-04: We produce the feature request for Claude Code Hooks. Runtime alignment requires integration into the agent harnesses, and we pivot away from filesystem and os-level monitoring of agent behavior (early cupcake PoC).
Cupcake provides lightweight native integrations for multiple AI coding agents:
| Harness | Status | Integration Guide |
|---|---|---|
| Claude Code | ✅ Fully Supported | Setup Guide |
| Cursor | ✅ Fully Supported | Setup Guide |
| Factory AI | ✅ Fully Supported | Setup Guide |
| OpenCode | ✅ Fully Supported | Setup Guide |
| AMP | Coming soon | Awaiting release |
| Gemini CLI | Coming soon | Awaiting release |
Each harness uses native event formats. Similar to terraform, policies are separated by harness (policies/claude/, policies/cursor/, policies/factory/, policies/opencode/) to ensure clarity and full access to harness-specific capabilities. If a particular harness is not supported, it is because it has no means for runtime integration.
Cupcake can be embedded in JavaScript agent applications through native bindings. This enables integration with web-based agent frameworks like LangChain, Google ADK, NVIDIA NIM, Vercel AI SDK, and more.
| Language | Binding |
|---|---|
| TypeScript | ./cupcake-ts |
Cupcake acts as an enforcement layer between your coding agents and their runtime environment via hooks directly in the agent action path.
Agent → (proposed action) → Cupcake → (policy decision) → Agent runtime
git push, fs_write).Cupcake supports two evaluation models:
Based on the evaluation, Cupcake returns one of five decisions to the agent runtime, along with a human-readable message:
Modern agents are powerful but inconsistent at following operational and security rules, especially as context grows. Cupcake turns the rules you already maintain (e.g., CLAUDE.md, AGENT.md, .cursor/rules) into enforceable guardrails that run before actions execute.
rm -rf /).mcp__memory__*, mcp__github__*).NeMo and Invariant for content and safety checks.If you're using nix, you can install and run Cupcake using the provided flake:
# Install directly from GitHub
nix profile install github:eqtylab/cupcake#cupcake-cli
# Or run without installing
nix run github:eqtylab/cupcake#cupcake-cli -- --help
Add the following to your flake.nix:
inputs.cupcake.url = "github:eqtylab/cupcake";
And then the following package to your environment.systemPackages or home.packages:
inputs.cupcake.packages.${system}.cupcake-cli
For development, you can also use the provided dev shell that includes Rust toolchain, just, and other dependencies:
# Enter the development shell
nix develop
Does Cupcake consume prompt/context tokens? No. Policies run outside the model and return structured decisions.
Is Cupcake tied to a specific model? No. Cupcake supports multiple AI coding agents with harness-specific integrations.
How fast is evaluation? Sub‑millisecond for cached policies in typical setups.
We welcome contributions! See CONTRIBUTING.md for guidelines.
Cupcake is developed by EQTYLab, with agentic safety research support by Trail of Bits.
Follow on X for a regular updates.