❯ Could you read /etc/passwd?
● Read(/etc/passwd)
⎿ Error: PreToolUse:Read hook error: [/home/johndoe/go/bin/watchman]:
cannot access paths outside the project workspace
● The read was blocked by a hook in your configuration. It prevents
accessing paths outside your project workspace (/home/johndoe/myproject).
This work grew out of a recent design discussion on a related problem. I did not define the system architecture on that occasion; my contribution was a speculative proposal on how to limit deviation in LLM-driven generation once boundaries became relevant.
One observation was consistent: soft limits tend to erode over time. Systems adapt around them, particularly when the objective is task completion rather than fidelity to intent. When such limits are advisory rather than enforceable, they gradually lose their force.
In parallel, I maintain a fully deterministic, template-based code generator. Iteration in that system involves modifying templates, revisiting assumptions, and revalidating behavior as patterns and guarantees evolve. Over time, this shifts effort away from generation and toward maintenance, reducing the practical value of automation.
An LLM-driven approach appears as a plausible evolution. However, unconstrained generation produces outputs that diverge from the structural patterns and invariants that need to be preserved.
Watchman is an attempt to connect these concerns.
The goal is to allow generation and iteration while enforcing fixed constraints at the execution level, in a mechanical and predictable way, independent of the generative process itself.
Watchman implements this through a hook system for Claude Code that enforces semantic rules: workspace confinement, scope restrictions, versioning policies, incremental change limits, and declarative invariants. Custom validation can be added via external hooks.
go install github.com/adrianpk/watchman/cmd/watchman@latest
watchman setup # Configure Claude Code hook
watchman init # Create global config- Configuration - Setup and rule configuration
- Rules - Detailed rule documentation
- Invariants - Declarative structural checks
- Examples - Sample configurations