Open source · First release: Claude Code plugin

Runtime guardrails
for any AI agent

An operational safety and governance layer that sits between your AI agent's decision to act and the action itself. Classify risk, enforce proportional controls, block dangerous operations, and log everything. One layer in a defense-in-depth stack — framework-agnostic by design, shipping first on Claude Code.

85/85
Hook tests passing
28
Cataloged actions
0
Dependencies
4
Risk tiers

Dual enforcement — because
one layer isn't enough

GouvernAI uses two enforcement layers that adapt to each platform. The core architecture — probabilistic classification + deterministic blocking — is designed to work across any agent framework.

🧠

Skill layer

Probabilistic · Works on any LLM

Structured instructions teach the agent an 8-step gate process. The agent reads, reasons, and classifies with judgment — handling nuanced decisions a regex can't. Adapts to each framework's skill/prompt format.

  • 4-tier risk classification (T1–T4)
  • Escalation rules (bulk, unfamiliar, scope expansion)
  • Pre-approval with safety checks
  • Sequential pattern detection
  • Mode-aware controls (strict / relaxed / audit)
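The escalation rules above can be pictured as a tiny function. A minimal sketch, assuming each triggered rule bumps the classification one tier, capped at Tier 4 — in the shipped skill layer these rules are prose instructions the model applies with judgment, not code:

```python
def escalate(base_tier: int, *, bulk: bool = False,
             unfamiliar: bool = False, scope_expanded: bool = False) -> int:
    """Bump the tier one level per triggered escalation rule, capped at T4.

    Hypothetical rule set for illustration: bulk operations, unfamiliar
    targets, and scope expansion each escalate by one tier.
    """
    tier = base_tier + sum([bulk, unfamiliar, scope_expanded])
    return min(tier, 4)
```

For example, a routine T2 file write escalated for being a bulk operation lands at T3 and now pauses for approval instead of merely notifying.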
🔒

Enforcement layer

Deterministic · Platform-specific hooks

Hard constraint scripts run on every tool call. If a violation is detected, the action is blocked — the agent cannot override it. Implemented as PreToolUse hooks on Claude Code, with middleware/guardrails adapters planned for other frameworks.

  • Obfuscated command blocking (base64, eval, hex)
  • Credential transmission interception
  • Catastrophic command prevention (rm -rf /)
  • Self-modification protection
  • Credential-in-file-write detection
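A minimal sketch of how a deterministic hook of this kind can work. The regex patterns and the `check_command` helper below are illustrative assumptions, not the plugin's actual rule set:

```python
import re

# Illustrative hard-constraint patterns (assumptions, not the shipped set).
BLOCK_PATTERNS = [
    (r"rm\s+-rf\s+/(\s|$)", "catastrophic delete"),
    (r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh", "obfuscated command"),
    (r"\beval\s+\$\(", "obfuscated command"),
    (r"curl\b.*\b(AWS_SECRET|API_KEY|PASSWORD)", "credential transmission"),
]

def check_command(command: str):
    """Deterministic check: returns (allowed, reason). No model judgment."""
    for pattern, reason in BLOCK_PATTERNS:
        if re.search(pattern, command, re.IGNORECASE):
            return False, reason
    return True, "ok"

# A PreToolUse hook wraps this: read the tool call JSON from stdin,
# run check_command on the command string, and exit non-zero to block.
```

On Claude Code, a PreToolUse hook that exits with code 2 blocks the tool call and feeds its stderr back to the model — which is what makes this layer impossible for the agent to override.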

Four tiers, proportional controls

Every action at a given tier gets the same control. No per-action overrides. Universal, predictable, auditable.

Tier 1
Routine
Reads, drafts, known URLs. Zero side effects. Excluded from the gate entirely — no overhead.
~60% of actions → zero overhead
Tier 2
Standard
File writes, git commits, authenticated reads. Notify and proceed unless the user objects.
🛡️ Notify → proceed
Tier 3
Elevated
Email, config changes, npm install, curl. Pause for explicit user approval.
🛡️ Pause → approve?
Tier 4
Critical
Sudo, credential transmit, purchases, public posts. Full stop with risk assessment.
🛡️ Full stop → warn → approve?
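Because controls depend only on tier and mode, the whole policy fits in one lookup table. A sketch: the strict-mode row follows the tiers above, while the relaxed and audit rows are assumed placeholders, not the plugin's actual values:

```python
# Control depends only on (mode, tier) -- no per-action overrides.
# Strict row mirrors the tiers above; relaxed/audit rows are assumptions.
CONTROLS = {
    #           T1       T2        T3         T4
    "strict":  ["allow", "notify", "approve", "full_stop"],
    "relaxed": ["allow", "allow",  "notify",  "approve"],
    "audit":   ["allow", "log",    "log",     "log"],
}

def control_for(tier: int, mode: str) -> str:
    """Look up the control for a tier (1-4) under a given mode."""
    return CONTROLS[mode][tier - 1]
```

One table means one audit question: given this tier and this mode, was the right control applied?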

What you're getting —
and what you're not

We publish our threat model openly. GouvernAI is one layer in a defense-in-depth stack — not a security boundary. As the 2026 International AI Safety Report recommends: multiple safeguards compensating for weaknesses in any single control.

Strengths

  • Dual enforcement
    Probabilistic skill layer for nuanced risk classification + deterministic hooks that physically block violations. Neither alone is sufficient.
  • Optimized for minimal token usage
    Tier 1 actions (reads, drafts — ~60% of typical usage) are excluded from the gate entirely. Reference files are loaded on demand and cached. Gate output is compressed into single messages. Formal cost analysis coming soon.
  • Universal control table
Controls depend only on tier × mode. No per-action overrides, no special cases. MECE (mutually exclusive, collectively exhaustive) — predictable, auditable, no surprises.
  • Proportional, not binary
    4-tier system with escalation rules. Reading a file? Invisible. Writing config? Approval required. Sending credentials externally? Hard block.
  • Full audit trail
    Every gated action logged with timestamp, tier, mode, outcome, escalation reason. The log is the real enforcement mechanism — accountability after the fact.
  • Persistent mode config
    Mode changes survive context resets and sessions via guardrails-mode.json. Strict, relaxed, audit-only — set once, forget.
  • Honest threat model
    Published what it catches and what it doesn't. Known hook bypass gaps are documented as test cases. No security theater.
  • Zero config install
    One command install, automatic activation. No environment variables to set, no config files to write. Works out of the box.
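The persistent mode config described above amounts to a small file read on each gate. A sketch assuming a simple JSON shape and file location — the shipped format may differ:

```python
import json
import pathlib

MODE_FILE = pathlib.Path("guardrails-mode.json")  # location is illustrative
VALID_MODES = ("strict", "relaxed", "audit")

def set_mode(mode: str) -> None:
    """Persist the mode so it survives context resets and new sessions."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown mode: {mode}")
    MODE_FILE.write_text(json.dumps({"mode": mode}))

def get_mode(default: str = "strict") -> str:
    """Read the persisted mode, falling back to strict if unset."""
    if MODE_FILE.exists():
        return json.loads(MODE_FILE.read_text()).get("mode", default)
    return default
```

Defaulting to strict when the file is missing keeps failure safe: an accidental deletion of the config tightens controls rather than loosening them.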

Limitations

  • Not a security boundary
    Catches accidental destructive actions, enforces consistent approval workflows, and creates accountability through audit logging. Does not protect against sophisticated adversaries. Complement with network egress policies, secret vaults, sandboxed execution, and DLP monitoring.
  • Skill layer is probabilistic
    Claude uses judgment about when to apply the skill. On complex tasks, it might skip classification. The hook layer catches hard violations, but nuanced risk decisions are not guaranteed.
  • MCP tools bypass hooks
    PreToolUse hooks only fire on Bash, Write, Edit, and Read. MCP server actions have no deterministic enforcement — only the probabilistic skill layer applies.
  • Multi-step exfiltration gaps
    Credentials staged in variables across separate commands, fragmented extraction, or exfiltration disguised as legitimate work can bypass both layers.
  • Model-dependent compliance
    Tested informally on Claude Sonnet 4.6 (9/10 correct in Scenario A, 1 known low-risk issue accepted). Smaller models like Haiku may have lower compliance rates. Cross-model testing is ongoing.
  • First release is Claude Code only
    The dual-enforcement architecture is designed cross-platform, but the first shipping release targets Claude Code. MCP server, OpenAI Agents SDK, and LangGraph/CrewAI adapters are on the roadmap.
Hook adds ~10ms per call
    The Python enforcement script runs on every Bash/Write/Edit tool call. Lightweight but not zero — only noticeable in extremely high-throughput scenarios.
  • Unix/Bash patterns only
    Hook regex patterns target Bash syntax. PowerShell equivalents (Get-Content, Invoke-WebRequest, Remove-Item) are not covered. Low risk since Claude Code uses Bash on all platforms.
  • Prompt injection risk
    If an attacker convinces the model to ignore SKILL.md via prompt injection, the skill layer is bypassed. The hook layer still blocks hard constraints, but tier classification is lost.

One architecture,
every agent framework

GouvernAI's dual-enforcement pattern — probabilistic classification + deterministic blocking — adapts to each platform's native extension points.

Claude Code Plugin

Shipped · v0.1.0

Full plugin with SKILL.md + PreToolUse hooks. Dual enforcement. 85 tests passing.

Claude Skill

Shipped

Standalone skill layer — drop SKILL.md into any Claude project. Probabilistic classification, no hooks required.

MCP Server

Next up

Standalone MCP server. Guardrails as middleware for any MCP-compatible agent or IDE.

OpenAI Agents SDK

Planned

Python guardrails hooks for the OpenAI Agents SDK. Same tier system, same controls.

LangGraph / CrewAI

Planned

Node-level guardrails for multi-agent orchestration frameworks.


Two ways to start

Full dual-enforcement plugin or lightweight skill-only — pick what fits your workflow.

Claude Code Plugin DUAL ENFORCEMENT

Full plugin — skill layer + deterministic hooks. Blocks dangerous operations even if the model skips classification.

# Add the marketplace
claude plugin marketplace add Myr-Aya/GouvernAI-claude-code-plugin

# Install the plugin
claude plugin install gouvernai@mindxo

Claude Skill SKILL LAYER ONLY

Standalone SKILL.md — drop into any Claude project for probabilistic classification and audit logging. No hooks, no dependencies.

# Clone the skill repo
git clone https://github.com/Myr-Aya/gouvernai-skill.git