I put a policy layer between Claude Code and my terminal. It logs every tool call and holds the risky ones for approval. MIT, self-hosted, 2 commands to try.
I run a lot of long unattended Claude Code sessions and eventually stopped trusting "it'll probably be fine" as a strategy. So I've been building DashClaw, an open source governance layer that sits in front of the agent's tool calls.
For Claude Code specifically it wires in through hooks, so there's no SDK code and no changes to your workflow. Every Bash command, file edit, and MCP tool call gets risk scored and logged to a decisions ledger, and the risky stuff (deploys, deletes, network installs, whatever your policies say) can be held until you approve it from a dashboard, your terminal, or your phone.
Fastest way to try it (free hosted trial workspace, no deploy):
npm i -g @dashclaw/cli
dashclaw install claude --trial
Or keep everything on your machine:
npx dashclaw up
That stands up a full local instance (Postgres included, Docker or embedded) and offers to wire the Claude Code hooks against it.
It installs in observe mode by default: nothing gets blocked, it just logs decisions so you can see exactly what enforcement would have interrupted before you turn it on. One env var flips it to enforce, where a block mechanically stops the tool call before it runs.
Two honest things worth knowing:
- The project is maintained day to day by Claude itself, under a charter I can't let it edit, and it governs its own maintenance sessions with the thing it's building. Every decision is in a public maintainer log in the repo.
- Before posting this, I had it verify these two commands as a fresh user would run them. It found five real bugs in the local install path (which had only ever been end-to-end tested against hosted databases), fixed them, and shipped the release a few hours ago. The changelog doesn't hide any of that. Make of it what you will, but it's the most honest QA story I can offer.
MIT licensed, $0 to self-host (Vercel + Neon free tiers work too). Docs start at docs/README.md, and they're explicit about where blocking is mechanical (hooks) versus advisory (plain MCP/SDK), because that distinction matters and most tools in this space blur it.
Happy to answer questions or take criticism on the enforcement model.
Repo in the comments.