claude-governance

Claude Code Governance Templates

Ready-to-use governance templates for Claude Code, organized by tech stack. Rules load automatically on every session: no prompting required.

If this saves you time, consider giving it a ⭐: it helps others find the project.

---

Why this exists

Without structure, Claude Code generates inconsistent code, ignores your conventions, and repeats the same mistakes across sessions. This project fixes that with a hierarchy of CLAUDE.md files that load automatically: no prompting required.

What you get:

• Consistent code that respects your architecture and naming conventions
• Security rules enforced by default (no IDOR, no raw SQL, no hardcoded secrets)
• Cost control: precise diffs instead of full rewrites, right model for the right task
• Behavior adapted to the developer's experience level (Junior → Tech Lead)

---

Installation

Via plugin marketplace (recommended):

/plugin marketplace add datallmhub/claude-governance
/plugin install claude-governance

Then run /setup in any project: select your stack, governance files are copied automatically, and rules inject at every session start.

Local / development:

git clone https://github.com/datallmhub/claude-governance.git
claude --plugin-dir /path/to/claude-governance

Manual (no plugin):

1. Copy the stack folder into your project root
2. Update CLAUDE.md with your project name and stack versions
3. Copy CLAUDE.local.md.example → CLAUDE.local.md (do not commit)
4. Set your experience level in dev-level.md

---

Available stacks

Java

Stack	Folder	Status
Java (Spring Boot) + React (TypeScript)	java-react/	✅ Ready
Java (Spring Boot) + Angular	java-angular/	🔜 Coming
Java (Spring Boot) + Vue.js	java-vue/	🔜 Coming
Java (Spring Boot) API only	java-only/	🔜 Coming

JavaScript / TypeScript

Stack	Folder	Status
React / TypeScript only	react-only/	✅ Ready
Angular only	angular-only/	✅ Ready
Vue.js only	vue-only/	✅ Ready
Next.js (full-stack)	nextjs/	✅ Ready
Node.js (Express) + React	node-express-react/	🔜 Coming
Node.js (NestJS) + React	nestjs-react/	🔜 Coming

Python

Stack	Folder	Status
Python (FastAPI) + React	python-fastapi-react/	✅ Ready
Python (Django) + React	python-django-react/	🔜 Coming
Python (FastAPI) API only	python-fastapi-only/	🔜 Coming

.NET / Go / PHP

Stack	Folder	Status
.NET (ASP.NET Core) + React	dotnet-react/	🔜 Coming
Go (Gin / Echo) + React	go-react/	🔜 Coming
Laravel + React	laravel-react/	🔜 Coming
Symfony + React	symfony-react/	🔜 Coming

---

What's inside each template

<stack>/
├── CLAUDE.md                    # Project context: always loaded
├── CLAUDE.local.md.example      # Personal overrides (copy locally, never commit)
├── .claude/
│   ├── settings.json            # SessionStart hook: injects rules at session start
│   ├── rules/
│   │   ├── backend.md           # Backend rules: scoped to backend files only
│   │   ├── frontend.md          # Frontend rules: scoped to frontend files only
│   │   ├── database.md          # DB / migration rules
│   │   ├── testing.md           # Testing standards
│   │   ├── security.md          # Security rules: loaded on every file
│   │   ├── governance.md        # Git, PR, versioning, release process
│   │   └── dev-level.md         # Behavior by experience level
│   └── architecture/
│       ├── overview.md          # System architecture + key decisions
│       ├── api.md               # REST API contract
│       └── data-model.md        # Database schema
└── samples/                     # Code examples applying all the rules

---

Load order

~/.claude/CLAUDE.md       ← personal preferences (your machine)
./CLAUDE.md               ← project rules (committed, shared)
./CLAUDE.local.md         ← personal overrides (gitignored)
.claude/rules/*.md        ← scoped rules (loaded per file path)

---

Security

security.md loads on every file automatically. It enforces:

• No IDOR: public_id UUID in all URLs, never internal sequential IDs
• No hardcoded secrets: all credentials via environment variables
• Safe tokens: JWT in memory, refresh token in HttpOnly; Secure cookie
• Injection prevention: parameterized queries, input validated at system boundary
• CORS locked down: explicit origin whitelist, never allowedOrigins("*")

---

Developer Experience Levels

One setting in dev-level.md: Claude adapts its verbosity automatically.