GouvernAI — Claude Code Plugin
gouvernail (n.) — French for helm, rudder. To steer, not to stop.
Install •
What you'll see •
How it works •
vs Auto mode •
Threat model
Auto-approve what's safe. Gate what's risky. Block what's dangerous.
The problem
Claude Code's default permission prompts ask you to approve everything: a harmless file read gets the same interruption as a bulk delete. --dangerously-skip-permissions removes all prompts, giving you speed but zero safety net. Anthropic's auto mode uses a classifier you can't inspect or edit, and it's limited to Team and Enterprise plans.
The answer shouldn't be all-or-nothing. The goal is not "prompt on everything" or "trust auto mode," but a middle path: keep flow for ordinary work, add friction where risk rises, and hard-block the small class of actions that should never pass silently.
GouvernAI
GouvernAI is a runtime guardrails plugin for Claude Code. ~60% of typical agent actions (reads, drafts, navigation) pass through with zero gate — no prompt, no overhead. File writes auto-approve with a brief notification. Network calls, config changes, and credential access pause for approval. Obfuscated commands, credential exfiltration, and catastrophic operations are hard-blocked deterministically — Claude cannot override this.
Dual enforcement: a skill layer handles nuanced risk classification (is this Tier 2 or Tier 3?), while PreToolUse hooks enforce non-negotiable rules every time, no exceptions. All policy files are plain Markdown you can read and edit.
| Risk | Actions | What happens |
|---|
| T1 | reads, drafts, git status | Auto-approved. Zero overhead, zero friction. |
| T2 | file writes, git commit | Auto-approved with brief notification. Keeps going unless you object. |
| T3 | npm install, curl, email, config | Requires approval — pauses only when consequences are real. |
| T4 | sudo, credential transmit, bulk delete | Requires approval after risk assessment — because it should. |
| BLOCKED | obfuscated commands, credential exfil | Hard block. No override. Even if Claude skips the skill. |
Install
Step 1 — Add the marketplace and install the plugin
Run these in your terminal (not inside a Claude Code session):
claude plugin marketplace add Myr-Aya/GouvernAI-claude-code-plugin
claude plugin install gouvernai@mindxo
Step 2 — Activate guardrails in each session
After launching Claude Code (terminal or desktop), type:
/gouvernai
This activates the skill layer (risk classification, escalation rules, audit logging) and the hook layer (deterministic blocking of obfuscated commands, credential exfiltration, and catastrophic operations) for the rest of the session.
Why is this step needed? Claude Code has a known issue where plugin hooks defined in hooks/hooks.json are not loaded automatically on some platforms. Running /gouvernai activates the hooks registered in the skill's frontmatter, ensuring both enforcement layers are active. We're tracking this upstream — once resolved, guardrails will activate automatically with no manual step.
Hook activation (known Claude Code issue)
There is a known Claude Code bug where plugin hooks defined in hooks/hooks.json are discovered and matched but never fire for local and marketplace installs (see anthropics/claude-code#14410, #18547, #27398). This affects all plugins that ship hooks, not just GouvernAI.
Default workaround: Run /gouvernai at the start of your session. This loads the plugin and activates the hooks for the remainder of the session. The skill layer works regardless.
Manual hook registration (recommended for stricter security): Copy the hook configuration into your ~/.claude/settings.json so hooks fire from session start without requiring any command:
Note: If you use manual registration, ${CLAUDE_PLUGIN_ROOT} may not resolve in settings.json. Replace it with the absolute path to your installed plugin, for example: