Zing Forum


Governed Workflow: A Zero-Trust Governance Framework for Claude Code

Governed Workflow is a zero-trust orchestration layer designed for Claude Code. It ensures the controllability and security of AI-assisted coding sessions through phase gating, scope locking, and manual approval mechanisms.

Tags: Claude Code, AI programming, workflow governance, zero trust, MCP server, code review, manual approval, software development
Published 2026-04-25 04:45. Recent activity 2026-04-25 04:50. Estimated read: 10 min.

Section 01

Governed Workflow: Introduction to the Zero-Trust Governance Framework for Claude Code

Governed Workflow is a zero-trust orchestration layer designed for Claude Code. In complex projects, traditional AI coding assistants suffer from a lack of structured process, scope creep, self-certification, and context loss; Governed Workflow addresses these through phase gating, scope locking, and manual approval gates, keeping AI-assisted coding sessions controllable and secure. The framework brings established software-engineering practice into AI-assisted coding and is suited to scenarios such as enterprise-level AI programming and critical-system development.


Section 02

Governance Challenges in AI Programming

Traditional AI coding assistants use a 'request-response' model, which has the following flaws in complex projects:

  1. Lack of structured process: the AI may start coding without sufficient research, producing a poorly grounded design;
  2. Scope creep: a single session may modify files beyond what was intended, introducing side effects;
  3. Self-certification: the AI treats its own code as correct, with no external validation;
  4. Context loss: compression of a long session's context drops important information, so the AI "forgets" earlier decisions.

Governed Workflow aims to address these four issues.

Section 03

Core Design Concepts: Zero Trust and Phased Workflow

Zero Trust Principles

Following the 'never trust, always verify' principle: AI agents cannot self-certify their results; every phase transition is verified by the server; research findings must be documented with evidence; file modifications are limited to the authorized scope; and key checkpoints require manual approval.

Phased Workflow

Divided into six phases: Evaluation, Research, Planning, Execution, Review, and Delivery. Each phase has clear entry conditions and exit criteria.

Manual Gating Mechanism

Manual gates are set at four key transition points: Preparation Review (1.4), Plan Review (2.1), Code Review (3.N.3, once per execution sub-phase N), and Final Approval (4.2). Continuation requires a human approval issued through the management panel, so the AI cannot approve its own critical decisions.


Section 04

Detailed Explanation of the Governed Workflow

Phase 1: Evaluation and Research

The workflow starts with evaluation: the AI proposes research questions to clarify scope and objectives. In the research phase those questions are answered and evidence is collected. The research-proof mechanism requires every finding to carry a typed proof (a code location, a network source, or a code diff), which the Prover agent verifies; unverified claims do not pass.
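To make the research-proof mechanism concrete, here is an added example of a Prover-style verifier over the three proof types named above. It is illustrative code, not Governed Workflow's own implementation: the in-memory repository contents, the Proof and Finding data model, and the field names (path, line, snippet, body, sha256, before) are constructed for this illustration. A finding with no proof, or with any proof that fails its check, is rejected.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample repository (path -> file text); not a real project.
REPO = {
    "src/auth.py": (
        "import hmac\n"
        "def login(user, pw):\n"
        "    return hmac.compare_digest(lookup(user), pw)\n"
    ),
}


@dataclass
class Proof:
    kind: str   # "code_location", "network_source" or "code_diff" (assumed names)
    data: dict  # kind-specific evidence fields (assumed layout)


@dataclass
class Finding:
    claim: str
    proofs: list = field(default_factory=list)


def _verify_code_location(data, repo):
    """The cited line must exist and actually contain the quoted snippet."""
    text = repo.get(data.get("path"))
    if text is None:
        return False, "file not in repository"
    lines = text.splitlines()
    n = data.get("line", 0)
    if not 1 <= n <= len(lines):
        return False, "line out of range"
    if data.get("snippet", "") not in lines[n - 1]:
        return False, "snippet not found on that line"
    return True, "ok"


def _verify_network_source(data):
    """A URL alone proves nothing offline: the captured body must re-hash to
    the digest recorded with the finding."""
    body, digest = data.get("body"), data.get("sha256")
    if body is None or digest is None:
        return False, "no captured body to hash"
    actual = hashlib.sha256(body.encode()).hexdigest()
    return (actual == digest), ("ok" if actual == digest else "digest mismatch")


def _verify_code_diff(data, repo):
    """The 'before' text of a claimed diff must match the file as it is now."""
    text = repo.get(data.get("path"))
    if text is None:
        return False, "file not in repository"
    if data.get("before", "") not in text:
        return False, "'before' text does not match the current file"
    return True, "ok"


def verify_finding(finding, repo=REPO):
    """Return (accepted, reasons). Every attached proof must check out."""
    if not finding.proofs:
        return False, ["no proof attached"]
    reasons = []
    for proof in finding.proofs:
        if proof.kind == "code_location":
            ok, why = _verify_code_location(proof.data, repo)
        elif proof.kind == "network_source":
            ok, why = _verify_network_source(proof.data)
        elif proof.kind == "code_diff":
            ok, why = _verify_code_diff(proof.data, repo)
        else:
            ok, why = False, f"unknown proof type {proof.kind!r}"
        reasons.append(f"{proof.kind}: {why}")
        if not ok:
            return False, reasons
    return True, reasons
```

The point a practitioner should take from this is that the verifier re-derives the evidence itself (re-reads the line, re-hashes the body, re-checks the before-text) rather than trusting the Researcher's description of it; that is what turns a "typed proof" into something the Prover can refuse.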

Phase 2: Planning

The plan is a detailed execution plan including architecture diagrams, task decomposition, and acceptance criteria. Execution is split into sub-phases, each defining the files that must be modified (must) and the files that may be modified (may). Acceptance criteria are accepted or rejected by the user, and the server verifies the test-related criteria on submission.

Phase 3: Execution

Each sub-phase is an iterative loop of implementation, verification, repair, code review, and submission. Production code and test code are written by different agents. The scope lock enforces the file-scope constraints defined in the plan; changing the scope or the plan requires re-approval. Verification profiles (configuration files) run automated code-quality checks.
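As an added illustration of the scope-lock mechanism (example code, not Governed Workflow's own), the class below enforces a must/may file scope for one execution sub-phase: out-of-scope writes are refused and recorded, a path that traverses out of the workspace is rejected rather than resolved, widening the scope revokes approval until a human re-approves, and submission requires every must file to have been touched. The ScopeLock class, its method names, and the assumption that scope entries are workspace-relative POSIX paths are mine.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath


class ScopeViolation(Exception):
    """A write outside the approved scope, or while the scope awaits re-approval."""


def _normalize(path: str) -> str:
    """Canonicalize a workspace-relative path for scope matching.

    Absolute paths and any ".." component are refused rather than resolved,
    so "src/../.env" cannot satisfy a check meant for "src/". Assumption:
    scope entries are workspace-relative POSIX paths.
    """
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts:
        raise ScopeViolation(f"path escapes the workspace: {path!r}")
    return str(p)


@dataclass
class ScopeLock:
    """Approved file scope for one execution sub-phase.

    `must` files have to be modified before the sub-phase can be submitted;
    `may` files are permitted but optional; every other path is rejected.
    """
    must: frozenset
    may: frozenset
    approved: bool = True                 # False once the scope is widened
    touched: set = field(default_factory=set)
    rejected: list = field(default_factory=list)

    def __post_init__(self):
        self.must = frozenset(_normalize(p) for p in self.must)
        self.may = frozenset(_normalize(p) for p in self.may)

    def check_write(self, path: str) -> bool:
        """Allow a write only if the path is in scope; record every refusal."""
        if not self.approved:
            raise ScopeViolation("scope changed; the plan needs re-approval")
        try:
            norm = _normalize(path)
        except ScopeViolation:
            self.rejected.append(path)
            return False
        if norm in self.must or norm in self.may:
            self.touched.add(norm)
            return True
        self.rejected.append(path)
        return False

    def request_scope_change(self, extra_may) -> None:
        """Widening the scope revokes approval until a human re-approves."""
        self.may = self.may | frozenset(_normalize(p) for p in extra_may)
        self.approved = False

    def reapprove(self) -> None:
        """Called from the management panel after the human reviews the change."""
        self.approved = True

    def ready_to_submit(self) -> bool:
        """Submission needs an approved scope and every `must` file touched."""
        return self.approved and self.must <= self.touched
```

Two details matter for security here. First, the scope check normalizes and refuses traversal instead of string-prefix matching, because an agent that writes "src/../.env" would otherwise pass a check for "src/". Second, the lock records refusals rather than silently dropping them, so a scope violation becomes an auditable event in the progress trail rather than an invisible no-op.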

Phase 4: Review and Delivery

Blind review (4.0): the Reviewer agent does not see the implementation details. Issue handling (4.1): identified issues are resolved. Final approval (4.2): delivery after user confirmation. The review system manages feedback centrally, and ReviewGuard blocks phase progression until the user has resolved every review item.


Section 05

Technical Implementation Highlights

MCP Server Integration

Governed Workflow integrates with Claude Code as an MCP server, exposing a standardized tool-call interface. Agents call workspace_advance to move the workflow forward; the server decides whether the transition is allowed.

Flask Management Panel

A visual interface where users view phases and approval requests, manage acceptance criteria, configure verification profiles, and so on. Approvals are protected by cryptographic nonces (random, single-use values), so an approval cannot be guessed or replayed.
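The following added example ties together the manual gating described in Section 03 and the nonce-protected approvals of this section. It is illustrative code, not the project's own: a Workspace whose advance method (a stand-in for the workspace_advance tool) refuses to leave one of the four gated phases until the management panel has consumed a single-use nonce, and whose panel methods require the management token. The phase names other than the four gates, the approval TTL, and the Workspace class and its methods are assumptions.

```python
import hmac
import secrets
import time

# Ordered phases, simplified from the six-phase workflow in the text; the
# execution loop is shown for one sub-phase (N = 1). Names are assumptions
# except the four gates, which the text names.
PHASES = ["1.0", "1.4", "2.0", "2.1", "3.1.0", "3.1.3", "4.0", "4.1", "4.2", "done"]
MANUAL_GATES = {"1.4", "2.1", "3.1.3", "4.2"}
APPROVAL_TTL = 15 * 60   # seconds an unconsumed nonce stays valid (assumption)


class GateError(Exception):
    """A transition or panel action the gate refuses."""


class Workspace:
    """Phase pointer plus pending and granted approvals.

    The agent calls request_approval/advance; the human calls panel_view/
    approve through the management panel and must present the management
    token. Nonces are stored for the panel, never returned to the agent, so
    the agent cannot approve its own gate (the trust boundary the text
    assumes: the user, not the agent, controls the panel).
    """

    def __init__(self, mgmt_token: str, clock=time.monotonic):
        self._mgmt_token = mgmt_token
        self._clock = clock
        self.phase_index = 0
        self._pending = {}     # nonce -> (gate, expiry)
        self._granted = set()  # gates with a consumed human approval
        self.audit = []        # (event, phase) tuples, the progress trail

    @property
    def phase(self) -> str:
        return PHASES[self.phase_index]

    def _check_token(self, mgmt_token) -> None:
        # The token grants full control of the panel: constant-time compare,
        # and refuse anything that is not an ASCII string outright.
        if not (isinstance(mgmt_token, str) and mgmt_token.isascii()
                and hmac.compare_digest(self._mgmt_token, mgmt_token)):
            raise GateError("invalid management token")

    # ---- agent side ----------------------------------------------------
    def request_approval(self) -> None:
        """Register a pending approval for the current gate."""
        gate = self.phase
        if gate not in MANUAL_GATES:
            raise GateError(f"phase {gate} has no manual gate")
        self._pending[secrets.token_urlsafe(32)] = (gate, self._clock() + APPROVAL_TTL)
        self.audit.append(("approval_requested", gate))

    def advance(self) -> str:
        """workspace_advance analogue: a gated phase needs one consumed
        approval per crossing; anything else moves straight on."""
        gate = self.phase
        if gate in MANUAL_GATES:
            if gate not in self._granted:
                raise GateError(f"manual approval required to leave {gate}")
            self._granted.discard(gate)
        self.phase_index += 1
        self.audit.append(("advanced", self.phase))
        return self.phase

    # ---- management panel side -----------------------------------------
    def panel_view(self, mgmt_token) -> list:
        """Unexpired nonces the human may approve (shown in the panel UI)."""
        self._check_token(mgmt_token)
        now = self._clock()
        return [n for n, (_, exp) in self._pending.items() if exp >= now]

    def approve(self, mgmt_token, nonce) -> bool:
        """Consume a pending nonce: expired entries are dropped, a match is
        compared in constant time and removed, so a replay fails."""
        self._check_token(mgmt_token)
        if not (isinstance(nonce, str) and nonce.isascii()):
            return False
        now = self._clock()
        for pending, (gate, expiry) in list(self._pending.items()):
            if expiry < now:
                del self._pending[pending]
                continue
            if hmac.compare_digest(pending, nonce):
                del self._pending[pending]
                self._granted.add(gate)
                self.audit.append(("approved", gate))
                return True
        self.audit.append(("approval_rejected", self.phase))
        return False


if __name__ == "__main__":
    token = secrets.token_hex(16)          # held by the human, not the agent
    ws = Workspace(mgmt_token=token)
    ws.advance()                           # 1.0 -> 1.4, the Preparation Review gate
    try:
        ws.advance()
    except GateError as err:
        print("agent blocked:", err)
    ws.request_approval()
    nonce = ws.panel_view(token)[0]        # the human reads it from the panel
    print("approved:", ws.approve(token, nonce), "replay:", ws.approve(token, nonce))
    print("now in phase", ws.advance())
```

Note what the nonce buys and what it does not: it makes each approval single-use and short-lived, so a captured approval cannot be reused for a later gate, but it does nothing if the management token itself leaks, since the token is what authorizes the approve call in the first place. That matches the framework's stated assumption that the token grants full control.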

Session Recovery Mechanism

Progress entries record phase operations, obstacles, decisions, and file changes. On restart, agents are regenerated from this record, keeping long-running projects continuous.

Telegram Remote Control

Supports remote session control via a Telegram bot. Multiple sessions share one bot, with a prefix identifying each workspace. An orphan-detection mechanism recovers dead sessions automatically.

Modular Architecture

Functions are organized as modules. The management panel scans directories to enable/disable modules; currently includes the Telegram module.


Section 06

Agent Role Division and Security Boundaries

Agent Role Division

The framework defines 16 specialized agents, coordinated by the Orchestrator; the main roles include:

  • Plan Advisor: A persistent teammate throughout the session;
  • Researcher: Responsible for research and answering questions;
  • Prover: Verifies research findings and proofs;
  • Engineer: Writes production code;
  • Test Engineer: Writes test code;
  • Reviewer: Conducts blind code reviews;
  • Orchestrator: Coordinates all agents.

Security Boundaries and Limitations

Governed Workflow is a local workflow-governance layer meant to stop accidental or overconfident agents from bypassing controls; it is not designed to defend against malicious users, compromised machines, or hostile networks. Its security assumptions are: the local machine is trusted; the user controls the management panel; network mode runs behind a trusted LAN or a secure tunnel; port 5111 is not exposed to the public internet; and the management token grants full control. A practical consequence for deployers: the manual gates are only as strong as these assumptions. The token should be protected like any other administrative credential, and the panel port should be checked to be bound to loopback or the trusted network only, because anything that can reach the panel with the token can cross the gates without the human.


Section 07

Application Scenarios and Value

Application Scenarios

  • Enterprise-level AI programming: Ensures process traceability and auditability in compliance scenarios;
  • Critical system development: Multi-phase verification and manual gating reduce defect risks;
  • Team collaboration: Structured processes coordinate multiple developers sharing AI assistants to avoid conflicts;
  • Newcomer training: Standardized workflows help novices learn best practices.

Value

Governed Workflow represents a step toward mature, controllable AI-assisted programming, balancing the release of AI potential with human supervision and control. It is a topic of ongoing interest in software engineering.