Governance, RBAC, DLP, and audit for Pi coding agents.
AI coding agents have full access to your terminal, filesystem, and secrets. Without governance, an agent can run rm -rf, read .env files, or exfiltrate API keys through tool calls — with no audit trail.
pi-governance intercepts every tool call and enforces policy before execution.
pi install npm:@grwnd/pi-governance
What you get immediately:
- Bash blocking — 60+ patterns classify commands as safe/dangerous/needs-review
- DLP — API keys blocked on input, PII masked on output
- RBAC — Role-based tool and path permissions
- Audit — Every decision logged as structured JSON
- HITL — Human approval for sensitive operations
- Budgets — Per-role tool invocation limits
- Config self-protection — Agents cannot modify their own governance files
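A minimal sketch of the intercept, classify and log flow from the list above, added here as an illustration and not pi-governance's own code. The two dangerous patterns come from the risks named earlier (`rm -rf`, `.env` reads); the rule ids, the allow-list, the function names `classify` and `decide`, and the audit field names are assumptions.

```javascript
// Constructed rule set for illustration; pi-governance ships its own 60+ patterns.
const DANGEROUS = [
  { id: "recursive-delete", re: /\brm\s+(-\S+\s+)*-\S*[rR]/ },
  { id: "dotenv-access", re: /(^|[\s\/])\.env(\.\w+)?(\s|$)/ },
];
// The allow-list is anchored to the whole command, so chaining (;, &&, |, $())
// can never ride along on a "safe" prefix.
const SAFE = /^(ls|pwd|git (status|diff|log))( [\w.\/-]+)*$/;

// Deny rules are checked first; anything unmatched fails closed to review.
function classify(command) {
  const cmd = command.trim();
  const hit = DANGEROUS.find((rule) => rule.re.test(cmd));
  if (hit) return { classification: "dangerous", rule: hit.id };
  if (SAFE.test(cmd)) return { classification: "safe", rule: "allow-list" };
  return { classification: "needs-review", rule: null };
}

const ACTION = { safe: "allow", dangerous: "deny", "needs-review": "ask-human" };

// Returns one structured JSON audit record per decision (field names assumed).
function decide(role, command) {
  const verdict = classify(command);
  return JSON.stringify({
    ts: new Date().toISOString(),
    role,
    tool: "bash",
    command,
    ...verdict,
    action: ACTION[verdict.classification],
  });
}

// Constructed sample tool calls.
for (const cmd of ["git status", "rm -rf build", "cat .env", "git status && npm publish"]) {
  console.log(decide("analyst", cmd));
}
```

The decision is taken before the command runs, and every outcome, including an allow, produces a record.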
/governance init
Opens a browser-based wizard to configure roles, DLP, audit, and HITL. Generates YAML config files.
Create .pi/governance.yaml and governance-rules.yaml — see the Configuration Reference.
export PI_GOV_ROLE=project_lead # analyst | project_lead | admin | auditor
pi
/governance status
Full docs at grwnd-ai.github.io/pi-governance.
- Why Governance? — What can go wrong without controls
- Quick Start — Install and configure
- Common Scenarios — Copy-paste configs
- YAML Policies — Full policy reference
- DLP Guide — Data loss prevention
- OpenClaw Integration — MCP tool governance
