Governance configuration: organizational policies for command, file, and content restrictions

Resolved 💬 5 comments Opened Feb 18, 2026 by imran-siddique Closed Mar 8, 2026

Proposal: Governance Configuration for Claude Code

Summary

Add support for a .claude/governance.yaml configuration file that allows organizations to define policies for what Claude Code can do in a repository — command restrictions, file path protections, content filters, and audit logging.

Motivation

Claude Code is increasingly used in enterprise environments where organizations need governance controls:

  1. Command restrictions — Block dangerous commands (rm -rf /, curl | bash), require approval for others (sudo, docker)
  2. File protections — Prevent modifications to .env, *.key, .git/config, production configs
  3. Content policies — Ensure generated code doesn't contain hardcoded secrets, bypass security checks, or introduce known vulnerable patterns
  4. Audit logging — Log all commands executed and files modified for compliance (SOX, SOC2, HIPAA)

Proposed Configuration

# .claude/governance.yaml
governance:
  level: moderate  # permissive | moderate | strict
  
  commands:
    blocked_patterns: ["rm -rf /", "curl * | bash", "eval("]
    require_approval: ["sudo", "docker", "kubectl"]
    
  files:
    protected: [".env*", "*.key", "*.pem", "secrets/"]
    read_only: ["LICENSE", "CODEOWNERS"]
    
  content:
    block_patterns: ["password=", "api_key=", "AWS_SECRET"]
    require_review: ["eval(", "exec(", "subprocess.call"]
    
  audit:
    enabled: true
    log_path: ".claude/audit.jsonl"

Integration with Existing Features

This would complement:

  • CLAUDE.md — Project instructions (what to do) vs governance (what NOT to do)
  • Permissions system — Current permission model controls tool access; governance adds organizational policy layer
  • Security review actionclaude-code-security-review scans PRs; governance prevents issues before they're created

Context

We maintain Agent-OS governance framework. Filed governance proposals across the ecosystem:

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗