Govern Claude Code end-to-end
Three Guardians, one ledger.
Coding agents like Claude Code, Cursor agents, and Devin are the highest-leverage AI in your organization — they ship code. They're also the highest-risk: they have shells, they call MCP tools, and they touch real infrastructure. This recipe wires three Guardians around them.
Prerequisites
```bash
export TRINITITE_API_KEY="tk_test_••••••"
export TRINITITE_BASE="https://api.trinitite.ai"
```
1 — CLI Firewall on the shell
Claude Code (and friends) shell out for almost everything: git, pnpm, terraform, kubectl. The CLI Firewall evaluates every command before it runs.
```bash
# In your agent runner — wrap each shell exec
trinitite-cli-firewall exec --agent-platform claude_code -- "$@"
```
Or, if you control the agent process, send the candidate command via the API:
```bash
curl "$TRINITITE_BASE/v1/cli/evaluate" \
  -H "Authorization: Bearer $TRINITITE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_platform": "claude_code",
    "command": "rm -rf /var/lib/postgres",
    "cwd": "/repo"
  }'
```
If the outcome is blocked, the destructive command never reaches exec. If the outcome is corrected, the response carries a JSON Patch that rewrites the command to a safe equivalent (e.g. rm -rf → trash-put), and the runner executes the patched command instead. See CLI Firewall.
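The runner-side half of that exchange, as an added example rather than code from Trinitite: it applies the Guardian's decision to the candidate command and fails closed on anything it does not recognise. The response shape (`outcome` plus a JSON Patch list) and the sample decisions are assumptions constructed for this example, not the documented API.

```python
import json

# Constructed sample request and decisions (assumed response shape, not the
# documented /v1/cli/evaluate contract).
SAMPLE_REQUEST = {"agent_platform": "claude_code",
                  "command": "rm -rf /var/lib/postgres", "cwd": "/repo"}
SAMPLE_CORRECTED = {"outcome": "corrected", "patch": [
    {"op": "replace", "path": "/command", "value": "trash-put /var/lib/postgres"}]}
SAMPLE_BLOCKED = {"outcome": "blocked", "reason": "destructive path under /var/lib"}
SAMPLE_ALLOWED = {"outcome": "allowed"}


def _pointer(path):
    """RFC 6901 JSON Pointer -> list of keys ("/a/b" -> ["a", "b"])."""
    if path == "":
        return []
    if not path.startswith("/"):
        raise ValueError(f"bad JSON Pointer: {path!r}")
    return [p.replace("~1", "/").replace("~0", "~") for p in path[1:].split("/")]


def apply_patch(doc, patch):
    """Apply RFC 6902 add/replace/remove ops to a JSON object, without mutating it."""
    doc = json.loads(json.dumps(doc))  # deep copy; the original request stays intact
    for op in patch:
        parts = _pointer(op["path"])
        parent = doc
        for key in parts[:-1]:
            parent = parent[key]
        if op["op"] in ("add", "replace"):
            parent[parts[-1]] = op["value"]
        elif op["op"] == "remove":
            del parent[parts[-1]]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")  # fail closed
    return doc


def resolve_command(request, decision):
    """Return the command the runner may exec, or None when it was blocked."""
    outcome = decision.get("outcome")
    if outcome == "blocked":
        return None
    if outcome == "corrected":
        return apply_patch(request, decision["patch"])["command"]
    if outcome == "allowed":
        return request["command"]
    raise ValueError(f"unknown outcome {outcome!r}")  # never exec on an unknown verdict
```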
2 — MCP Gateway on the tool calls
Claude Code's MCP servers (filesystem, GitHub, Postgres, …) are governed too. Configure the agent to point its MCP client at the Trinitite MCP Gateway:
```json
// .claude/mcp_settings.json
{
  "servers": {
    "trinitite": {
      "url": "https://mcp.trinitite.ai/v1",
      "auth": { "type": "bearer", "token": "${TRINITITE_API_KEY}" }
    }
  }
}
```
Each tools/call now passes through a per-tool specialist Guardian — see MCP Gateway.
3 — Glass Box Ledger on every decision
Both the CLI evaluation and every MCP tool call write a receipt to the Glass Box Ledger. Tail it for a single agent session:
```bash
curl "$TRINITITE_BASE/v1/logs?nhi=nhi_claude_code_dev_alex&since=1h" \
  -H "Authorization: Bearer $TRINITITE_API_KEY"
```
You see every decision the agent attempted, every patch the Guardian applied, and every block — with a Merkle proof you can verify.
What you get
- Hard stop on destructive shell commands (CLI Firewall).
- Per-tool semantic governance on every MCP call (MCP Gateway).
- Forensic record of everything the agent attempted (Glass Box Ledger).
- Policy continuity — change a rubric once, every agent in your fleet picks it up via LoRA hot-swap.
What's next
→ CLI Firewall — the per-command rule model.
→ MCP Gateway — per-tool Guardian architecture.
→ Threat Library — known attacks against coding agents.