AxonFlow Plugin for Claude Code
Runtime governance for Claude Code: block dangerous commands before they run, scan every tool output for PII and secrets, and keep a compliance-grade audit trail — without leaving your terminal.
→ Full integration walkthrough: docs.getaxonflow.com/docs/integration/claude-code — architecture, policy examples, latency numbers, troubleshooting, and the 10 MCP tools the platform exposes.
Upgrade strongly recommended. AxonFlow ships substantial monthly security and quality hardening; staying on the latest major is the security-supported release line. Latest release · Security advisories
Why you'd add this
Claude Code is Anthropic's official CLI — a fast, agentic coding assistant that edits files, runs shell commands, and calls MCP servers. It's excellent at developer productivity. It was never designed to be the layer where your security and compliance team lives.
The gaps start surfacing the moment Claude Code moves from one developer's laptop to a team or production setting:
| Production requirement | Claude Code alone | With this plugin |
|---|
| Policy enforcement before tool execution | Hooks available, no governance logic | 80+ built-in policies evaluated on every governed tool call |
Dangerous command blocking (rm -rf /, reverse shells, curl | bash) | Not addressed | Blocked before execution with decision context |
| PII / secrets detection in tool outputs | Developer responsibility | Auto-scan; Claude is instructed to use redacted version |
| SQL-injection detection on MCP queries | MCP server's problem | 30+ patterns evaluated on every MCP tool call |
| Compliance-grade audit trail | Session logs, not compliance-formatted | Every governed call recorded with policies, decision, duration |
| Decision explainability after a block | Generic hook failure message | decision_id surfaced in deny reason; explain_decision MCP tool returns the full record |
| Self-service, time-bounded exceptions | Not available | create_override with mandatory justification, fully audited |
| Cloud metadata / SSRF / path traversal blocking | Not addressed | Built in |
You get all of that with zero change to how developers use Claude Code. Hooks fire automatically, the deny message tells you why, MCP tools are there when you want to investigate or unblock yourself.
How it works
Claude selects a tool (Bash, Write, Edit, NotebookEdit, mcp__*)
│
▼
PreToolUse hook fires automatically
│ → check_policy("claude_code.Bash", "rm -rf /")
│
├─ BLOCKED → Claude receives denial reason with decision_id + risk_level,
│ can call explain_decision / create_override to unblock
│
└─ ALLOWED → Tool executes normally
│
▼
PostToolUse hook fires automatically
│ → audit_tool_call(tool, input, output) [non-blocking]
│ → check_output(tool result for PII/secrets)
│
├─ Sensitive data found → Claude instructed to use
│ redacted version in its reply
└─ Clean → Silent
Governed tools: Bash, Write, Edit, NotebookEdit, and all MCP server tools (mcp__*). Read-only tools (Read, Glob, Grep) are not governed by default — they don't modify state or send data externally.
Fail behavior:
- AxonFlow unreachable (network) → fail-open, tool execution continues
- AxonFlow auth/config error → fail-closed, tool call denied until config is fixed
- PostToolUse failures → never block (audit and PII scan are best-effort)
Where this kicks in during real coding
1. The MCP data-exposure problem
A developer connects an MCP server to a production database for debugging. Claude Code queries customer records. Results flow through the conversation with PII intact. Session logs exist but they aren't structured for compliance queries.
With the plugin: check_policy fires before the MCP query runs (SQL injection scan, policy scan), check_output scans the result for SSN / credit card / email / phone / API keys, and audit_tool_call records the full interaction with matched policies and decision ID.
2. The accidental production change
A developer types "fix the database issue." Claude Code picks a Bash tool and runs a migration against prod. The command ran because nothing stopped it.