Real-time code quality enforcement through PreToolUse hooks that block violations before execution.
The Constraint Monitoring System provides real-time enforcement of coding standards through hook interception:
- PreToolUse Hook Enforcement - Blocks violations BEFORE tool execution
- 20 Active Constraints - Security, architecture, code quality, logging, PlantUML, documentation
- Severity-Based Enforcement - CRITICAL/ERROR blocks, WARNING/INFO allows with feedback
- Compliance Scoring - Real-time scoring (0-10) with violation impact tracking
- Dashboard Monitoring - Live violation feed, trends, and compliance metrics at
http://localhost:3030 - LSL Integration - All interactions logged via PostToolUse hooks for analysis
The system uses two hook types working together:
- PreToolUse Hooks → Constraint enforcement (blocks BEFORE execution)
- PostToolUse Hooks → LSL logging (captures AFTER execution)
Directory Structure:
integrations/mcp-constraint-monitor/
src/
hooks/
pre-tool-hook-wrapper.js # PreToolUse entry point
real-time-constraint-hook.js # Core enforcement logic
enforcement/
ConstraintEnforcer.js # Main enforcement engine
PatternMatcher.js # Regex pattern matching
ComplianceCalculator.js # Scoring and metrics
dashboard/
api/ # REST API (port 3031)
ui/ # Next.js dashboard (port 3030)
constraints.yaml # 18 constraint definitions
test-all-constraints-comprehensive.js # Automated testing
INTERACTIVE-TEST-PROMPTS.md # Manual test scenarios
Hook Configuration (~/.claude/settings.json):
{
"hooks": {
"PreToolUse": [
{
"matcher": "*",
"hooks": [{
"type": "command",
"command": "node /path/to/coding/integrations/mcp-constraint-monitor/src/hooks/pre-tool-hook-wrapper.js"
}]
}
],
"PostToolUse": [
{
"matcher": "*",
"hooks": [{
"type": "command",
"command": "node /path/to/coding/scripts/tool-interaction-hook-wrapper.js"
}]
}
]
}
}| Constraint ID | Severity | Description |
|---|---|---|
no-hardcoded-secrets |
CRITICAL | Detects hardcoded API keys, secrets, tokens |
no-eval-usage |
CRITICAL | Prevents dynamic code execution |
| Constraint ID | Severity | Description |
|---|---|---|
no-parallel-files |
CRITICAL | Prevents version suffixes (v2, enhanced, improved) |
debug-not-speculate |
ERROR | Requires concrete debugging over speculation |
no-evolutionary-names |
ERROR | Prevents evolutionary naming (fixed, patched, modified) |
| Constraint ID | Severity | Description |
|---|---|---|
proper-error-handling |
ERROR | ✅ Detects empty catch blocks |
no-console-log |
WARNING | ✅ Enforces Logger.info() usage - see Logging |
no-console-error |
WARNING | ✅ Enforces Logger.error() usage - see Logging |
no-console-warn |
WARNING | ✅ Enforces Logger.warn() usage - see Logging |
no-var-declarations |
WARNING | Detects var declarations |
proper-function-naming |
INFO | Function naming conventions |
no-magic-numbers |
INFO | Detects magic numbers |
| Constraint ID | Severity | Status |
|---|---|---|
plantuml-standard-styling |
ERROR | ✅ Detected |
plantuml-file-organization |
INFO | ✅ Detected |
plantuml-file-location |
WARNING | ❌ Pattern needs refinement |
plantuml-diagram-workflow |
INFO | ❌ Pattern needs refinement |
plantuml-readability-guidelines |
INFO | ❌ Pattern needs refinement |
All documentation constraints need pattern refinement:
image-reference-pattern(WARNING)documentation-filename-format(INFO)update-main-readme(INFO)
Overall Detection Rate: 11/20 (55%) Critical/Error Blocking: 100% effective ✅ Logging Constraints: 100% effective ✅
When Claude attempts a tool call:
- PreToolUse Hook Fires: Before tool execution begins
- Constraint Check: Analyzes tool parameters against 18 active constraints
- Pattern Matching: Regex patterns detect violations
- Severity Evaluation: Determines enforcement action based on severity
- Decision:
- CRITICAL/ERROR: 🛑 BLOCK - Tool call prevented, exit code 1
- WARNING/INFO:
⚠️ ALLOW - Tool call proceeds with feedback, exit code 0
- Dashboard Logging: Violation logged via API POST to dashboard
- PostToolUse Hook: LSL logs complete interaction (if tool executed)
| Severity | Compliance Impact | Enforcement | Exit Code | Tool Call |
|---|---|---|---|---|
| CRITICAL | -3.0 | 🛑 BLOCK | 1 | Prevented |
| ERROR | -2.0 | 🛑 BLOCK | 1 | Prevented |
| WARNING | -1.0 | 0 | Proceeds with warning | |
| INFO | -0.5 | ℹ️ ALLOW | 0 | Proceeds with info |
Algorithm:
- Start with perfect score of 10.0
- Subtract points based on violation severity:
- CRITICAL: -3.0 points
- ERROR: -2.0 points
- WARNING: -1.0 points
- INFO: -0.5 points
- Clamp result between 0 and 10
Critical/Error (Blocked):
🚫 **CONSTRAINT VIOLATION DETECTED - EXECUTION BLOCKED**
The following constraint violations must be corrected before proceeding:
**1. CRITICAL: No hardcoded secrets allowed**
Pattern detected in file_path parameter
**Suggestion:**
Use environment variables instead:
const API_KEY = process.env.API_KEY;
**Compliance Impact:** Score reduced from 10.0 to 7.0
View detailed information: http://localhost:3030
LOGGED TO DASHBOARD [coding]: no-hardcoded-secrets (critical)
Warning/Info (Allowed):
⚠️ **CONSTRAINT WARNING**
**1. WARNING: Avoid console.log in production code**
Use Logger.log() instead for structured logging
**Compliance Score:** 9.0/10.0
View details: http://localhost:3030
LOGGED TO DASHBOARD [coding]: no-console-log (warning)
✅ Tool call proceeding with warning
Start Dashboard:
cd /Users/q284340/Agentic/coding/integrations/mcp-constraint-monitor
PORT=3030 npm run dashboardURL: http://localhost:3030
Features:
- Real-time Violation Feed: Live updates as violations occur
- Compliance Score Gauge: Visual 0-10 scoring with trend indicators
- 7-Day Trend Chart: Historical compliance tracking
- Project Selector: Filter by project (coding, curriculum-alignment, nano-degree)
- Constraint Toggles: Enable/disable constraints dynamically
- Risk Level Indicators: Visual severity classification
Start API:
cd /Users/q284340/Agentic/coding/integrations/mcp-constraint-monitor
PORT=3031 npm run apiKey Endpoints:
| Endpoint | Method | Description |
|---|---|---|
/api/violations |
GET | List violations (with ?project= filter) |
/api/violations |
POST | Log new violation |
/api/health |
GET | Server health check |
/api/compliance/:project |
GET | Get compliance score for project |
/api/constraints |
GET | List all enabled constraints |
Example:
# Get violations for coding project
curl http://localhost:3031/api/violations?project=coding
# Response includes violations with severity, compliance score, and summary stats
Script: test-all-constraints-comprehensive.js
Tests all 18 constraints by calling hook functions directly:
cd /Users/q284340/Agentic/coding/integrations/mcp-constraint-monitor
node test-all-constraints-comprehensive.jsOutput Summary:
- Constraints tested: 20/20
- Violations detected: 11
- Violations blocked: 11
- Pattern fixes needed: 9
Test Results:
- Detection Rate: 11/20 (55%)
- Blocking Accuracy: 100% (all detected violations blocked correctly)
- False Positives: 0
- Response Time: <50ms per check
Guide: INTERACTIVE-TEST-PROMPTS.md
Real Claude Code sessions with live hook interception:
# 1. Start Claude session
coding --claude
# 2. Issue test prompts from INTERACTIVE-TEST-PROMPTS.md
# Example: Test hardcoded secret detection
# 3. Collect results from LSL transcripts
node collect-test-results.jsEvidence Captured:
- User's test prompt
- Hook interception message
- Blocking vs. allowing decision
- Claude's adaptive response
- Dashboard logging confirmation
Hooks are automatically installed via ./install.sh:
cd /Users/q284340/Agentic/coding
./install.shWhat gets installed:
- ✅ PreToolUse hook → constraint enforcement
- ✅ PostToolUse hook → LSL logging
- ✅ Hook configuration merged into
~/.claude/settings.json - ✅ Backup created before modification
File: integrations/mcp-constraint-monitor/constraints.yaml
Example Constraint:
- id: no-hardcoded-secrets
group: security
pattern: 'API_KEY|SECRET|TOKEN pattern here'
message: 'CRITICAL: Potential hardcoded secret detected'
severity: critical
enabled: true
suggestion: Use environment variables insteadEdit constraints.yaml and set enabled: false for any constraint:
- id: no-console-log
enabled: false # Disable this constraintCore System:
integrations/mcp-constraint-monitor/src/hooks/pre-tool-hook-wrapper.js- PreToolUse hook entryintegrations/mcp-constraint-monitor/src/enforcement/ConstraintEnforcer.js- Enforcement engineintegrations/mcp-constraint-monitor/constraints.yaml- Constraint definitions
Dashboard:
integrations/mcp-constraint-monitor/src/dashboard/api/- REST API (port 3031)integrations/mcp-constraint-monitor/src/dashboard/ui/- Next.js UI (port 3030)
Testing:
integrations/mcp-constraint-monitor/test-all-constraints-comprehensive.js- Automated testsintegrations/mcp-constraint-monitor/INTERACTIVE-TEST-PROMPTS.md- Manual test scenariosintegrations/mcp-constraint-monitor/collect-test-results.js- LSL evidence collector
Related Systems:
- LSL - PostToolUse hooks log all constraint interactions
- Health System - Monitors constraint monitor service health
- Trajectories - Status line shows compliance score with trajectory state
Status Line Display: [🔒 {compliance}% {trajectory}]
Example: [🔒 94% ⚙️ IMP] shows 94% constraint compliance and "implementing" trajectory state.
- Unified Logging System - Backend and frontend Logger usage, migration guide
- MCP Constraint Monitor Integration - Integration details
- Testing Guide - Complete testing documentation