GitHub - eqtylab/cupcake: A native policy-layer for AI coding agents. Built on OPA/Rego.

4 min read Original article ↗

Cupcake

Fallback image description

Make AI agents follow the rules.

Docs License Tests SLSA 3

Policy enforcement layer for AI agents; yielding better performance and security without consuming model context.

  • Deterministic rule-following for your agents. Interactive Examples
  • Better performance by moving rules out of context and into policy-as-code.
  • Trigger alerts and put bad agents in timeout when they repeatedly violate rules.

Cupcake intercepts agent events and evaluates them against user-defined rules written in Open Policy Agent (OPA) Rego. Agent actions can be blocked, modified, and auto-corrected by providing the agent helpful feedback. Additional benefits include reactive automation for tasks you dont need to rely on the agent to conduct (like linting after a file edit).

Updates

2025-12-10: Official open source release. Roadmap will be produced in Q1 2026.

2025-04-04: We produce the feature request for Claude Code Hooks. Runtime alignment requires integration into the agent harnesses, and we pivot away from filesystem and os-level monitoring of agent behavior (early cupcake PoC).

Supported Agent Harnesses

Cupcake provides lightweight native integrations for multiple AI coding agents:

Harness Status Integration Guide
Claude Code ✅ Fully Supported Setup Guide
Cursor ✅ Fully Supported Setup Guide
Factory AI ✅ Fully Supported Setup Guide
OpenCode ✅ Fully Supported Setup Guide
AMP Coming soon Awaiting release
Gemini CLI Coming soon Awaiting release

Each harness uses native event formats. Similar to terraform, policies are separated by harness (policies/claude/, policies/cursor/, policies/factory/, policies/opencode/) to ensure clarity and full access to harness-specific capabilities. If a particular harness is not supported, it is because it has no means for runtime integration.

Language Bindings

Cupcake can be embedded in Python or JavaScript agent applications through native bindings. This enables integration with web-based agent frameworks like LangChain, Google ADK, NVIDIA NIM, Vercel AI SDK, and more.

Language Binding
Python ./cupcake-py
TypeScript ./cupcake-ts

Why Cupcake?

Modern agents are powerful but inconsistent at following operational and security rules, especially as context grows. Cupcake turns the rules you already maintain (e.g., CLAUDE.md, AGENT.md, .cursor/rules) into enforceable guardrails that run before actions execute.

  • Multi-harness support with first‑class integrations for Claude Code, Cursor, Factory AI, and OpenCode.
  • Governance‑as‑code using OPA/Rego compiled to WebAssembly for fast, sandboxed evaluation.
  • Enterprise‑ready controls: allow/deny/review, enriched audit trails for AI SOCs, and proactive warnings.

Core Capabilities

  • Granular Tool Control: Prevent specific tools or arguments (e.g., blocking rm -rf /).
  • MCP Support: Native governance for Model Context Protocol tools (e.g., mcp__memory__*, mcp__github__*).
  • LLM‑as‑Judge: Use a secondary LLM or agent to evaluate actions for more dynamic oversight.
  • Guardrail Libraries: First‑class integrations with NeMo and Invariant for content and safety checks.
  • Observability: All inputs, signals, and decisions generate structured logs and evaluation traces for debugging.

How it Works

Cupcake acts as an enforcement layer between your coding agents and their runtime environment via hooks directly in the agent action path.

Cupcake agent hooks security architecture

Agent → (proposed action) → Cupcake → (policy decision) → Agent runtime

  1. Interception: The agent prepares to execute an action/tool-call (e.g., git push, fs_write).
  2. Enrichment: Cupcake gathers real-time Signals—facts from the environment such as the current Git branch, CI status, or database metadata.
  3. Evaluation: The action and signals are packaged into a JSON input and evaluated against your Wasm policies in milliseconds.

Deterministic and Non-Deterministic Evaluation

Cupcake supports two evaluation models:

  1. Deterministic Policies: Policies are written in OPA/Rego and compiled to WebAssembly (Wasm) for fast, sandboxed evaluation. Writing Policies guide for implementation details.
  2. LLM‑as‑Judge: For simpler, yet more advanced, oversight of your rules, Cucpake can interject via a secondary LLM or agent to evaluate how an action should proceed. Cupcake Watchdog guide for implementation details.

Decisions & Feedback

Based on the evaluation, Cupcake returns one of five decisions to the agent runtime, along with a human-readable message:

  • Allow: The action proceeds. Optionally, Cupcake can inject Context (e.g., "Remember: you're on the main branch") to guide subsequent behavior without blocking. Note: Context injection is supported in Claude Code and Factory AI, but not Cursor.
  • Modify: The action proceeds with transformed input. Policies can sanitize commands, add safety flags, or enforce conventions before execution. Note: Supported in Claude Code and Factory AI only.
  • Block: The action is stopped. Cupcake sends Feedback explaining why it was blocked (e.g., "Tests must pass before pushing"), allowing the agent to self-correct.
  • Warn: The action proceeds, but a warning is logged or displayed.
  • Require Review: The action pauses until a human approves it.

FAQ

Does Cupcake consume prompt/context tokens? No. Policies run outside the model and return structured decisions.

Is Cupcake tied to a specific model? No. Cupcake supports multiple AI coding agents with harness-specific integrations.

How fast is evaluation? Sub‑millisecond for cached policies in typical setups.

Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

License

Apache 2.0

Cupcake is developed by EQTYLab, with agentic safety research support by Trail of Bits.

Follow on X for a regular updates.