Search everything...

Stats

Actions

Available In

axonflow

Name: axonflow
Author: getaxonflow

By getaxonflow

Policy enforcement, PII detection, and audit trails for Claude Code. Govern tool execution, scan outputs for sensitive data, and maintain compliance-grade records of every action.

npx claudepluginhub getaxonflow/axonflow-claude-plugin --plugin axonflow

Popularity

Stars

Above avg

Med: 0·Avg: 285

Installs

Med: 0·Avg: 1

What's Inside

Slash Commands10

Axonflow Audit Search

/axonflow-audit-search

Search AxonFlow's audit trail for recent tool executions and policy decisions

Axonflow Create Override

/axonflow-create-override

Create a governed AxonFlow session override with mandatory justification (TTL clamped server-side; critical-risk policies blocked)

Axonflow Explain Decision

/axonflow-explain-decision

Fetch the full reasoning behind an AxonFlow policy decision (matched policies, risk level, override availability)

Axonflow List Overrides

/axonflow-list-overrides

List active AxonFlow session overrides scoped to your tenant

Axonflow List Recent Decisions

/axonflow-list-recent-decisions

List recent AxonFlow governance decisions for the current user/tenant — surface "what just got blocked", trace decision history, or drive an appeal flow

Skills7

explain-decision

/explain-decision

Fetch the full reasoning behind an AxonFlow policy decision — matched policies, risk level, override availability, recent hit count

list-overrides

/list-overrides

List active session overrides scoped to the caller's tenant — useful for auditing dangling overrides or confirming an override is in effect before retrying

list-recent-decisions

/list-recent-decisions

Surface the user's recent AxonFlow governance decisions — answers "what just got blocked", "show me my recent denials", or feeds a decision-history forensic flow

revoke-override

/revoke-override

Revoke a previously-created AxonFlow session override — emits an audit event and ensures subsequent policy evaluations no longer consult it

audit-search

/audit-search

Search the AxonFlow audit trail for recent tool executions, policy decisions, and PII detections — use to answer "what happened recently?" or to gather compliance evidence

Hooks1

Event Hooks

Bash

File writes

2 hooks across 2 events

MCP Servers1

axonflow

Stats

Version1.6.0

ReleasedJun 9, 2026

LanguageShell

Stars3

Forks1

MaintenanceExcellent

LicenseMIT

Last CommitJun 9, 2026

AddedApr 4, 2026

Actions

View on GitHub View README Plugin Marketplace JSON Homepage

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).

Available In

axonflow3

Safety Signals

Caution

Executes bash commands

Hook triggers when Bash tool is used

Modifies files

Hook triggers on file write and edit operations

README

AxonFlow Plugin for Claude Code

Runtime governance for Claude Code: block dangerous commands before they run, scan every tool output for PII and secrets, and keep a compliance-grade audit trail — without leaving your terminal.

→ Full integration walkthrough: docs.getaxonflow.com/docs/integration/claude-code — architecture, policy examples, latency numbers, troubleshooting, and the 10 MCP tools the platform exposes.

Upgrade strongly recommended. AxonFlow ships substantial monthly security and quality hardening; staying on the latest major is the security-supported release line. Latest release · Security advisories

Why you'd add this

Claude Code is Anthropic's official CLI — a fast, agentic coding assistant that edits files, runs shell commands, and calls MCP servers. It's excellent at developer productivity. It was never designed to be the layer where your security and compliance team lives.

The gaps start surfacing the moment Claude Code moves from one developer's laptop to a team or production setting:

Production requirement	Claude Code alone	With this plugin
Policy enforcement before tool execution	Hooks available, no governance logic	80+ built-in policies evaluated on every governed tool call
Dangerous command blocking (`rm -rf /`, reverse shells, `curl \| bash`)	Not addressed	Blocked before execution with decision context
PII / secrets detection in tool outputs	Developer responsibility	Auto-scan; Claude is instructed to use redacted version
SQL-injection detection on MCP queries	MCP server's problem	30+ patterns evaluated on every MCP tool call
Compliance-grade audit trail	Session logs, not compliance-formatted	Every governed call recorded with policies, decision, duration
Decision explainability after a block	Generic hook failure message	`decision_id` surfaced in deny reason; `explain_decision` MCP tool returns the full record
Self-service, time-bounded exceptions	Not available	`create_override` with mandatory justification, fully audited
Cloud metadata / SSRF / path traversal blocking	Not addressed	Built in

You get all of that with zero change to how developers use Claude Code. Hooks fire automatically, the deny message tells you why, MCP tools are there when you want to investigate or unblock yourself.

How it works

Claude selects a tool (Bash, Write, Edit, NotebookEdit, mcp__*)
    │
    ▼
PreToolUse hook fires automatically
    │ → check_policy("claude_code.Bash", "rm -rf /")
    │
    ├─ BLOCKED → Claude receives denial reason with decision_id + risk_level,
    │            can call explain_decision / create_override to unblock
    │
    └─ ALLOWED → Tool executes normally
                      │
                      ▼
                 PostToolUse hook fires automatically
                      │ → audit_tool_call(tool, input, output)  [non-blocking]
                      │ → check_output(tool result for PII/secrets)
                      │
                      ├─ Sensitive data found → Claude instructed to use
                      │                          redacted version in its reply
                      └─ Clean → Silent

Governed tools: Bash, Write, Edit, NotebookEdit, and all MCP server tools (mcp__*). Read-only tools (Read, Glob, Grep) are not governed by default — they don't modify state or send data externally.

Fail behavior:

AxonFlow unreachable (network) → fail-open, tool execution continues
AxonFlow auth/config error → fail-closed, tool call denied until config is fixed
PostToolUse failures → never block (audit and PII scan are best-effort)

Where this kicks in during real coding

1. The MCP data-exposure problem

A developer connects an MCP server to a production database for debugging. Claude Code queries customer records. Results flow through the conversation with PII intact. Session logs exist but they aren't structured for compliance queries.

With the plugin: check_policy fires before the MCP query runs (SQL injection scan, policy scan), check_output scans the result for SSN / credit card / email / phone / API keys, and audit_tool_call records the full interaction with matched policies and decision ID.

2. The accidental production change

A developer types "fix the database issue." Claude Code picks a Bash tool and runs a migration against prod. The command ran because nothing stopped it.

View full README on GitHub

axonflow

Popularity

What's Inside

Confidence

README

AxonFlow Plugin for Claude Code

Why you'd add this

How it works

Where this kicks in during real coding

1. The MCP data-exposure problem

2. The accidental production change

Similar Plugins

gouvernai

railguard

agt-governance

aport-guardrails

clash

reins

AxonFlow Plugin for Claude Code

Why you'd add this

How it works

Where this kicks in during real coding

1. The MCP data-exposure problem

2. The accidental production change

Popularity

Health & Quality

Similar Plugins

gouvernai

railguard

agt-governance

aport-guardrails

clash

reins