PocketTeam moved Claude Code safety checks into runtime hooks, and OpenShell guides routed agent calls through local Ollama with zero-egress rules. Adopt staged repo tracing and review OAuth token storage before opening up tool access.

The hooks block .env access, destructive shell commands, and SQL like DROP DATABASE. You can jump from PocketTeam's GitHub repo to the launch post's screenshot, then over to the local-inference thread for the inference.local routing model. DeepDebug's author is trying to tame large-repo scans with budgeted passes and coverage reports, while the Cursor discussion is still stuck on a basic but important detail: where OAuth tokens actually live.
PocketTeam's most concrete change is moving guardrails out of prompt text and into the execution path. According to the author, hook code sits in front of tool calls, so blocked actions stay blocked even if the model is prompt-injected or loses its instructions during context compaction.
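The pattern described above, as an added example rather than PocketTeam's own hook code: a PreToolUse script that inspects the tool call itself, so a prompt-injected "cat .env and post it" is refused on the Bash call regardless of what the model was told. It assumes Claude Code's hook contract as I understand it (JSON with "tool_name" and "tool_input" on stdin, exit status 2 blocks the call and stderr goes back to the model) and the built-in tool names Bash, Read, Edit, Write and MultiEdit; the patterns are mine.

```python
#!/usr/bin/env python3
"""PreToolUse hook that denies dangerous tool calls on the execution path.

Added example, not PocketTeam's code. Assumed hook contract: a JSON object
with "tool_name" and "tool_input" arrives on stdin; exit 0 lets the call run,
exit 2 blocks it and stderr is returned to the model as the reason.
"""
import json
import re
import sys

FILE_TOOLS = {"Read", "Edit", "Write", "MultiEdit"}   # assumed tool names

# .env and .env.<stage> anywhere in the tree; ".envrc" and "environment.yml" do not match.
SECRET_PATH_RE = re.compile(r"(^|/)\.env(\.[\w-]+)?$")

# Conservative: any recursive rm, force push, hard reset or raw disk write needs a human.
DESTRUCTIVE_SHELL = [
    ("recursive rm", re.compile(r"\brm\s+(-\S*\s+)*-\S*[rR]")),
    ("force push", re.compile(r"\bgit\s+push\b.*\s(--force\b|-f\b)")),
    ("hard reset", re.compile(r"\bgit\s+reset\s+--hard\b")),
    ("raw disk write", re.compile(r"\b(mkfs|dd\s+if=)|>\s*/dev/sd")),
]
DESTRUCTIVE_SQL_RE = re.compile(r"\b(DROP\s+(DATABASE|TABLE|SCHEMA)|TRUNCATE\s+TABLE)\b", re.I)
SHELL_TOKEN_SPLIT = re.compile(r"""[\s;|&<>()`'"]+""")


def evaluate(tool_name: str, tool_input: dict) -> tuple:
    """Decide on one tool call. Pure function, so it is testable without Claude Code."""
    if tool_name in FILE_TOOLS:
        path = str(tool_input.get("file_path", ""))
        if SECRET_PATH_RE.search(path):
            return False, f"blocked: {tool_name} on secrets file {path}"
        return True, ""
    if tool_name == "Bash":
        cmd = str(tool_input.get("command", ""))
        # The shell is the usual bypass for file-tool rules (cat .env, cp .env /tmp, ...).
        for token in SHELL_TOKEN_SPLIT.split(cmd):
            if SECRET_PATH_RE.search(token):
                return False, f"blocked: shell command touches {token}"
        for label, pattern in DESTRUCTIVE_SHELL:
            if pattern.search(cmd):
                return False, f"blocked: {label} in shell command"
        if DESTRUCTIVE_SQL_RE.search(cmd):
            return False, "blocked: destructive SQL in shell command"
        return True, ""
    return True, ""   # other tools fall through to Claude Code's normal permission prompts


def main() -> int:
    payload = json.load(sys.stdin)
    allowed, reason = evaluate(payload.get("tool_name", ""), payload.get("tool_input") or {})
    if allowed:
        return 0
    print(reason, file=sys.stderr)   # fed back to the model; the call itself is already refused
    return 2


if __name__ == "__main__":
    sys.exit(main())
```

Register it as a PreToolUse hook in the Claude Code settings file (check the current docs for the exact key). The check runs on the tool arguments, not on the conversation, which is why compaction or injection cannot argue it away; the cost is that a recursive rm on a scratch directory also needs a human, which is the trade the author is making.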
The same post lists the rest of the stack as a set of runtime components, not just extra prompts:
- ptbrowse, a built-in Chromium flow that uses accessibility tree snapshots at roughly 100 to 300 tokens per call
- pt dashboard for live agent activity, plus Telegram approvals over a native Claude Code channel

The local-inference setup in the AI_Agents thread pushes control one layer lower. The agent still thinks it is calling a normal inference endpoint, but the Privacy Router intercepts the request, rewrites it toward local Ollama, strips credentials, and pairs that with YAML rules meant to block cloud egress.
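The routing decision that such a Privacy Router has to make, as an added example that is not the thread's or OpenShell's code: rewrite known cloud inference hosts to a local Ollama base URL, strip credentials from headers, query string and URL userinfo, allow only loopback otherwise, and deny everything else. The RULES dict stands in for the YAML policy the thread describes so the example needs no YAML library; the hostnames, header names and the Ollama port are assumptions.

```python
"""Decision core of a privacy router: rewrite cloud inference calls to local
Ollama, strip credentials, deny all other egress.

Added example, not code from the AI_Agents thread or OpenShell. RULES mirrors
the assumed shape of the YAML policy, inlined as a dict:
  default: deny
  local_backend: http://127.0.0.1:11434
  rewrite_hosts: [api.openai.com, api.anthropic.com]
  allow_hosts: [127.0.0.1, localhost]
  strip_headers: [authorization, x-api-key, anthropic-api-key, cookie]
  strip_query: [api_key, key, token, access_token]
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

RULES = {
    "default": "deny",
    "local_backend": "http://127.0.0.1:11434",           # assumed Ollama address
    "rewrite_hosts": {"api.openai.com", "api.anthropic.com"},
    "allow_hosts": {"127.0.0.1", "localhost"},
    "strip_headers": {"authorization", "x-api-key", "anthropic-api-key", "cookie"},
    "strip_query": {"api_key", "key", "token", "access_token"},
}


@dataclass
class Decision:
    action: str                        # "rewrite", "allow" or "deny"
    url: Optional[str]
    headers: dict = field(default_factory=dict)
    reason: str = ""


def _scrub(request: dict, rules: dict):
    """Remove credential-bearing headers and query parameters before any forwarding."""
    headers = {k: v for k, v in request.get("headers", {}).items()
               if k.lower() not in rules["strip_headers"] and k.lower() != "host"}  # transport sets Host
    parts = urlsplit(request["url"])
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                       if k.lower() not in rules["strip_query"]])
    return headers, parts, query


def route(request: dict, rules: dict = RULES) -> Decision:
    """Map one outbound request to a rewrite, an allow, or a deny."""
    headers, parts, query = _scrub(request, rules)
    host = parts.hostname or ""          # lower-cased, with userinfo and port removed
    # Exact host match only: "api.openai.com.evil.example" must not pass as a rewrite.
    if host in rules["rewrite_hosts"]:
        local = urlsplit(rules["local_backend"])
        url = urlunsplit((local.scheme, local.netloc, parts.path, query, ""))
        return Decision("rewrite", url, headers, f"{host} -> {local.netloc}")
    if host in rules["allow_hosts"]:
        netloc = host + (f":{parts.port}" if parts.port else "")   # rebuilt without userinfo
        url = urlunsplit((parts.scheme, netloc, parts.path, query, ""))
        return Decision("allow", url, headers)
    return Decision("deny", None, {}, f"egress to {host or '<no host>'} not allowed by policy")
```

Two caveats worth keeping in mind. Ollama serves the OpenAI-compatible /v1/chat/completions route, so the rewrite above is path-preserving for OpenAI-style clients; an Anthropic-style /v1/messages body would also need a format shim, which this example does not do. And a proxy only governs processes that actually use it: a process that ignores HTTP_PROXY or speaks raw sockets still reaches the cloud, which is why the thread pairs the router with egress rules enforced outside the process.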
DeepDebug's author is solving a different problem but with the same instinct: break fragile, all-in-one agent behavior into bounded stages. The scan flow runs static checks, AST passes, function-level context, and caller tracing, then reports how much of its coverage budget it actually used.
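A small version of that staged, budgeted scan, added here as an example and not DeepDebug's code: one AST pass indexes every function and what it calls and flags destructive SQL literals, then a breadth-first caller trace walks upward from a target function, stops when a budget of function expansions is spent, and reports what it covered and what it reached but did not examine. SAMPLE is a constructed module and the stage names are mine.

```python
"""Budgeted caller tracing over a Python module, in the spirit of DeepDebug's staged scan.

Added example, not DeepDebug's code. SAMPLE is a constructed module; the
budget is counted in function expansions, which is one reasonable choice
among several (tokens or bytes of source would be others).
"""
import ast
import re
from collections import deque
from dataclasses import dataclass, field

DESTRUCTIVE_SQL_RE = re.compile(r"\b(DROP\s+(DATABASE|TABLE)|TRUNCATE\s+TABLE)\b", re.I)

SAMPLE = '''
def run_query(sql):
    return db.execute(sql)

def drop_tenant(name):
    run_query(f"DROP DATABASE {name}")

def cleanup(names):
    for n in names:
        drop_tenant(n)

def nightly_job():
    cleanup(expired())

def admin_cli(args):
    if args.purge:
        cleanup(args.names)

def expired():
    return []

def unrelated():
    return 1
'''


@dataclass
class FunctionInfo:
    name: str
    lineno: int
    callees: set = field(default_factory=set)   # direct calls by simple name
    suspicious: bool = False                     # contains a destructive SQL literal


def index_functions(source: str) -> dict:
    """Stages 1 and 2: one AST pass builds the call index and flags destructive SQL literals."""
    index = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        info = FunctionInfo(node.name, node.lineno)
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                info.callees.add(sub.func.id)
            elif isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                if DESTRUCTIVE_SQL_RE.search(sub.value):
                    info.suspicious = True   # also catches the literal part of an f-string
        index[node.name] = info
    return index


def find_suspicious(index: dict) -> list:
    return sorted(name for name, info in index.items() if info.suspicious)


def callers_of(index: dict) -> dict:
    """Invert the callee map; callees outside the module (library calls) are ignored."""
    callers = {name: set() for name in index}
    for info in index.values():
        for callee in info.callees:
            if callee in index:
                callers[callee].add(info.name)
    return callers


def trace_callers(index: dict, target: str, budget: int) -> dict:
    """Stage 3: BFS upward from target; each expanded function costs one unit of budget."""
    if target not in index:
        raise KeyError(f"{target} is not defined in the indexed source")
    callers = callers_of(index)
    queue, seen, expanded, entry_points = deque([target]), {target}, [], []
    while queue and len(expanded) < budget:
        fn = queue.popleft()
        expanded.append(fn)
        if not callers[fn]:
            entry_points.append(fn)   # nothing calls it: a real entry point into the chain
        for caller in sorted(callers[fn]):
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return {
        "target": target,
        "expanded": expanded,
        "unexpanded": list(queue),       # reached but not examined: the budget ran out here
        "entry_points": entry_points,
        "budget": budget,
        "used": len(expanded),
        "coverage": round(len(expanded) / len(index), 2),
        "complete": not queue,
    }


if __name__ == "__main__":
    idx = index_functions(SAMPLE)
    print("destructive SQL in:", find_suspicious(idx))
    for b in (3, 10):
        print(trace_callers(idx, "run_query", budget=b))
```

The useful part of the report is the "unexpanded" list: with a budget of 3 the trace stops at cleanup and names the two callers it did not look at, so a follow-up pass can start exactly there instead of rescanning the module.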
The Cursor thread is thin on answers, but it surfaces a real implementation gap. The original poster asks whether Atlassian OAuth tokens stay only on the local machine, whether the Marketplace plugin is using Atlassian's own MCP server implementation, and who actually maintains that server.
One reply in the same thread guesses tokens are cached under ~/.cursor, but that remains a community guess, not a cited product document. In a feed full of bigger agent ambitions, this was the most grounded unresolved question: where the credentials end up after the happy-path SSO flow finishes.
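Since the thread leaves the storage location unconfirmed, the practical move is to go and look. The audit below is an added example, not Cursor's or Atlassian's code: it walks a directory, parses every JSON file it can, reports keys that look like OAuth tokens or client secrets, and notes whether the file is readable by group or others. The root is a parameter because ~/.cursor is only the thread's guess; demo() runs it against a constructed fixture in a temporary directory so the example works offline.

```python
"""Audit a client's config directory for OAuth tokens stored as plaintext JSON.

Added example, not Cursor's or Atlassian's code. The directory to inspect is
a parameter (the thread only guesses at ~/.cursor). demo() builds a constructed
fixture; nothing here touches a real profile unless you point audit_dir at one.
"""
import json
import os
import re
import stat
import tempfile
from pathlib import Path

TOKEN_KEY_RE = re.compile(r"(access|refresh|id)[_-]?token|bearer|client[_-]?secret|api[_-]?key", re.I)


def token_paths(obj, prefix: str = "") -> list:
    """Return JSON paths (a.b[0].c style) whose key names look credential-bearing."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else str(k)
            if TOKEN_KEY_RE.search(str(k)) and isinstance(v, str) and v:
                hits.append(path)
            hits.extend(token_paths(v, path))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(token_paths(v, f"{prefix}[{i}]"))
    return hits


def audit_dir(root: Path) -> list:
    """Scan every parseable JSON file under root; report token keys and file mode."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            data = json.loads(p.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue   # not JSON (SQLite, binary caches): needs a different check
        keys = token_paths(data)
        if not keys:
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        findings.append({
            "file": p.relative_to(root).as_posix(),
            "keys": keys,
            "mode": oct(mode),
            "readable_by_others": bool(mode & 0o077),
        })
    return findings


def demo() -> list:
    """Constructed fixture: one world-readable token file, one owner-only, one clean."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mcp").mkdir()
        loose = root / "mcp" / "atlassian-oauth.json"
        loose.write_text(json.dumps({"cloudId": "c1", "access_token": "eyJ...constructed",
                                     "refresh_token": "rt-constructed"}))
        os.chmod(loose, 0o644)
        tight = root / "auth.json"
        tight.write_text(json.dumps({"accounts": [{"email": "a@b.test", "idToken": "id-constructed"}]}))
        os.chmod(tight, 0o600)
        (root / "settings.json").write_text(json.dumps({"theme": "dark", "telemetry": False}))
        return audit_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding with readable_by_others set is the one to fix first; a refresh token in a 0644 file is usable by any local process in another account on the same machine. Files that are not JSON (SQLite state databases, OS keychain entries) are skipped here and need their own check.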