https://github.com/dtmirizzi/pi-governance
Governance, RBAC, audit, DLP, and human-in-the-loop for Pi-based coding agents.
https://github.com/dtmirizzi/pi-governance
audit-log dlp governance openclaw openclaw-plugin pi pi-extension rbac
Last synced: 2 months ago
JSON representation
Governance, RBAC, audit, DLP, and human-in-the-loop for Pi-based coding agents.
- Host: GitHub
- URL: https://github.com/dtmirizzi/pi-governance
- Owner: dtmirizzi
- License: apache-2.0
- Created: 2026-03-01T16:52:22.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-03-31T16:53:40.000Z (3 months ago)
- Last Synced: 2026-03-31T18:42:01.157Z (3 months ago)
- Topics: audit-log, dlp, governance, openclaw, openclaw-plugin, pi, pi-extension, rbac
- Language: TypeScript
- Homepage: https://grwnd-ai.github.io/pi-governance/
- Size: 13.9 MB
- Stars: 9
- Watchers: 0
- Forks: 1
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
README
@grwnd/pi-governance
Governance, RBAC, DLP, and audit for Pi coding agents.
---
## The Problem
AI coding agents have full access to your terminal, filesystem, and secrets. Without governance, an agent can run `rm -rf`, read `.env` files, or exfiltrate API keys through tool calls — with no audit trail.
## The Solution
`pi-governance` intercepts every tool call and enforces policy before execution.
```bash
pi install npm:@grwnd/pi-governance
```
**What you get immediately:**
- **Bash blocking** — 60+ patterns classify commands as safe/dangerous/needs-review
- **DLP** — API keys blocked on input, PII masked on output
- **RBAC** — Role-based tool and path permissions
- **Audit** — Every decision logged as structured JSON
- **HITL** — Human approval for sensitive operations
- **Budgets** — Per-role tool invocation limits
- **Config self-protection** — Agents cannot modify their own governance files
## Customize
### Interactive wizard
```
/governance init
```
Opens a browser-based wizard to configure roles, DLP, audit, and HITL. Generates YAML config files.
### Manual YAML
Create `.pi/governance.yaml` and `governance-rules.yaml` — see the [Configuration Reference](https://dtmirizzi.github.io/pi-governance/reference/config).
### Set identity
```bash
export PI_GOV_ROLE=project_lead # analyst | project_lead | admin | auditor
pi
/governance status
```
## Documentation
Full docs at **[dtmirizzi.github.io/pi-governance](https://dtmirizzi.github.io/pi-governance/)**.
- [Why Governance?](https://dtmirizzi.github.io/pi-governance/guide/why) — What can go wrong without controls
- [Quick Start](https://dtmirizzi.github.io/pi-governance/guide/quickstart) — Install and configure
- [Common Scenarios](https://dtmirizzi.github.io/pi-governance/guide/scenarios) — Copy-paste configs
- [YAML Policies](https://dtmirizzi.github.io/pi-governance/guide/yaml-policies) — Full policy reference
- [DLP Guide](https://dtmirizzi.github.io/pi-governance/guide/dlp) — Data loss prevention
- [OpenClaw Integration](https://dtmirizzi.github.io/pi-governance/guide/openclaw) — MCP tool governance
## License
[Apache-2.0](LICENSE)