autheme/claude-code-hook

authe.me — Trust Scoring for Claude Code

Trust scoring hook for Claude Code. Scores every session on reliability, scope adherence, and cost efficiency. Zero dependencies, fire and forget.

What it does

Every time Claude Code uses a tool, authe.me records it. When the session ends, you get a trust score:

[authe.me] Trust Score: 92  (reliability=100 | scope=85 | cost=90)
[authe.me] tools=14 violations=1 failed=0

It catches:

  • Tools outside your allowlist (scope violations)
  • Access to protected paths (.env, keys, secrets)
  • High failure rates (reliability drops)
  • Excessive tool usage (cost awareness)

Every event is hash-chained for tamper detection. Logs to ~/.authe/sessions.jsonl.

Install

curl -fsSL https://raw.githubusercontent.com/autheme/claude-code-hook/main/install.sh | bash

Then add the hooks config to your ~/.claude/settings.json (the installer prints the snippet).

Manual install

mkdir -p ~/.claude/hooks ~/.authe
cp authe-hook.py ~/.claude/hooks/
chmod +x ~/.claude/hooks/authe-hook.py

Add to ~/.claude/settings.json:

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
            "command": "AUTHE_HOOK_EVENT=PreToolUse python3 ~/.claude/hooks/authe-hook.py"
          }
        ]
      }
    ],
    "PostToolUse": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
            "command": "AUTHE_HOOK_EVENT=PostToolUse python3 ~/.claude/hooks/authe-hook.py"
          }
        ]
      }
    ],
    "Stop": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
            "command": "AUTHE_HOOK_EVENT=Stop python3 ~/.claude/hooks/authe-hook.py"
          }
        ]
      }
    ]
  }
}

Configure

Create ~/.authe/config.json to customize:

{
  "allowed_tools": [
    "Read", "Write", "Edit", "MultiEdit",
    "Bash", "Grep", "Glob", "LS",
    "Task", "WebFetch", "TodoRead", "TodoWrite"
  ],
  "protected_paths": [
    ".env", ".git/config", "id_rsa", "id_ed25519"
  ],
  "verbose": false
}

Set "verbose": true to see scores after every tool call (printed to stderr).

Remote reporting

Set environment variables to send scores to your authe.me dashboard:

export AUTHE_API_URL=https://api.authe.me/v1/sessions
export AUTHE_API_KEY=your-key-here

Scoring

| Dimension | What it measures | Scoring |
|---|---|---|
| Reliability | Tool success rate | 100 - (failures / total * 100) |
| Scope | Allowlist and path policy compliance | 100 - (violations * 25) |
| Cost | Tool call volume | 100 if under 20, decreases with more calls |
| Overall | Weighted average | 40% reliability + 35% scope + 25% cost |

How it works

  1. PostToolUse fires after every tool call. authe.me records the tool name, checks the allowlist and the path policy, and hash-chains the event.
  2. PreToolUse fires before tool calls. If a protected path is accessed, the tool call is blocked and Claude gets a policy message.
  3. Stop fires when Claude finishes. authe.me computes the final score, logs it to ~/.authe/sessions.jsonl, and optionally reports it to the API.

Log format

Each line in ~/.authe/sessions.jsonl:

{
  "session_id": "abc123",
  "started_at": "2026-03-08T10:00:00Z",
  "ended_at": "2026-03-08T10:15:00Z",
  "scores": {
    "overall": 92,
    "reliability": 100,
    "scope": 85,
    "cost": 90,
    "total_tools": 14,
    "failed_tools": 0,
    "violations": 1
  },
  "violations": [
    {
      "type": "protected_path",
      "tool": "Read",
      "path": ".env",
      "time": "2026-03-08T10:05:00Z"
    }
  ],
  "last_hash": "a1b2c3d4e5f67890",
  "tool_calls": 14
}
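
The hash-chaining described under "What it does", whose head appears as last_hash in the record above, shown as an added example; this is not authe.me's own code. The page does not give the hash function, event encoding or starting value, so SHA-256 truncated to 16 hex characters, canonical JSON, the GENESIS constant, the function names and the sample events are all assumptions.

```python
import hashlib
import json

GENESIS = "0" * 16  # assumed starting value for the first link


def link(prev_hash, event):
    """Hash one event bound to its predecessor (assumed: SHA-256, 16 hex chars)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()[:16]


def build_chain(events):
    """Return [(event, hash), ...] in the order a recorder would append them."""
    chain, prev = [], GENESIS
    for event in events:
        prev = link(prev, event)
        chain.append((dict(event), prev))
    return chain


def verify_chain(chain, expected_last_hash=None):
    """Return None if intact, else the index of the first bad link.
    len(chain) means the links are valid but the head is not the expected one."""
    prev = GENESIS
    for i, (event, stored) in enumerate(chain):
        if link(prev, event) != stored:
            return i
        prev = stored
    if expected_last_hash is not None and prev != expected_last_hash:
        return len(chain)
    return None


# Constructed sample events (not real authe.me log data).
EVENTS = [
    {"tool": "Read", "path": "src/app.py", "ok": True},
    {"tool": "Read", "path": ".env", "ok": False},
    {"tool": "Bash", "path": None, "ok": True},
]

if __name__ == "__main__":
    chain = build_chain(EVENTS)
    head = chain[-1][1]
    print("intact:", verify_chain(chain, head))
    chain[1][0]["ok"] = True  # edit a logged event in place
    print("after edit:", verify_chain(chain, head))
    print("truncated, no anchor:", verify_chain(chain[:1]))
```

Verification without expected_last_hash accepts a truncated or fully rebuilt chain, so the head value has to be kept somewhere that a process able to write ~/.authe cannot also rewrite.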

License

MIT
