# Governed Workflow: A Zero-Trust Governance Framework for Claude Code

> Governed Workflow is a zero-trust orchestration layer designed for Claude Code. It ensures the controllability and security of AI-assisted coding sessions through phase gating, scope locking, and manual approval mechanisms.

- Board: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm)
- Published: 2026-04-24T20:45:09.000Z
- Last activity: 2026-04-24T20:50:19.935Z
- Popularity: 150.9
- Keywords: Claude Code, AI coding, workflow governance, zero trust, MCP server, code review, manual approval, software development
- Page link: https://www.zingnex.cn/en/forum/thread/governed-workflow-claude-code
- Canonical: https://www.zingnex.cn/forum/thread/governed-workflow-claude-code

---

## Governed Workflow: Introduction to the Zero-Trust Governance Framework for Claude Code

Governed Workflow is a zero-trust orchestration layer designed for Claude Code. It addresses issues such as lack of structured processes, scope creep, self-certification, and context loss in traditional AI coding assistants for complex projects through phase gating, scope locking, and manual approval mechanisms, ensuring the controllability and security of AI-assisted coding sessions. The framework introduces software engineering best practices into the field of AI-assisted coding and is suitable for scenarios like enterprise-level AI programming and critical system development.

## Governance Challenges in AI Programming

Traditional AI coding assistants use a 'request-response' model, which has the following flaws in complex projects:
1. **Lack of structured processes**: AI may code directly without sufficient research, leading to unreasonable solution design;
2. **Scope creep risk**: Modifying files beyond expectations in a single session, introducing side effects;
3. **Self-certification issue**: AI tends to believe its own code is correct, lacking external validation;
4. **Context loss**: Compression of long session context leads to loss of important information, and AI "forgets" previous decisions.
Governed Workflow aims to address these issues.

## Core Design Concepts: Zero Trust and Phased Workflow

### Zero Trust Principles
Adopting the 'never trust, always verify' concept: AI agents cannot self-certify their results; each phase transition requires server verification; research must be well-documented; file modifications are limited to authorized scopes; and key checkpoints require manual approval.
### Phased Workflow
Divided into six phases: Evaluation, Research, Planning, Execution, Review, and Delivery. Each phase has clear entry conditions and exit criteria.
### Manual Gating Mechanism
Manual gates are set at four key transition points: Preparation Review (1.4), Plan Review (2.1), Code Review (3.N.3), and Final Approval (4.2). Continuation requires manual approval via the management panel to prevent AI from self-approving critical decisions.

## Detailed Explanation of the Governed Workflow

### Phase 1: Evaluation and Research
Starting with evaluation: AI proposes research questions to clarify scope and objectives. In the research phase, questions need to be answered and evidence collected. The **research proof mechanism** requires findings to be accompanied by typed proofs (code location, network source, code differences), which are verified by the Prover agent. Unverified claims cannot pass.
### Phase 2: Planning
Develop a detailed execution plan including architecture diagrams, task decomposition, and acceptance criteria. Execution tasks are divided into multiple sub-phases, each defining the scope of files that must be modified (must) and those that may be modified (may). Acceptance criteria are accepted or rejected by the user, and the server verifies test-related criteria upon submission.
### Phase 3: Execution
Iterative loop mode: Each sub-phase includes implementation, verification, repair, code review, and submission steps. Production and test code are written by different agents. The **scope locking mechanism** enforces file scope constraints; updating the scope or plan requires re-approval. **Verification configuration files** run automatic code quality checks.
### Phase 4: Review and Delivery
Blind review phase (4.0): The reviewer agent does not know the implementation details. Issue handling phase (4.1): Resolve identified issues. Final approval (4.2): Deliver after user confirmation. The **review system** centrally manages feedback, and ReviewGuard blocks phase progression until all review items are resolved by the user.
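The manual gates (1.4, 2.1, 3.N.3, 4.2), the must/may scope lock of the execution phase, and the ReviewGuard block described above, condensed into one small server-side checker. This is an added illustration, not Governed Workflow's own code; the `Workspace` class, the `try_advance` helper, the non-gate phase ids 1.0, 2.0 and 3.0, and the use of a single-use random nonce as the approval token are assumptions.

```python
"""Illustrative phase-gate, scope-lock and ReviewGuard checker (not the project's code)."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

# Gate ids come from the article; 1.0/2.0/3.0 are assumed filler phases for the walk-through.
MANUAL_GATES = {"1.4", "2.1", "3.N.3", "4.2"}
ORDER = ["1.0", "1.4", "2.0", "2.1", "3.0", "3.N.3", "4.0", "4.1", "4.2", "done"]


@dataclass
class Workspace:
    phase: str = "1.0"
    must: set = field(default_factory=set)      # files the plan says must change
    may: set = field(default_factory=set)       # files the plan allows to change
    open_reviews: int = 0                       # unresolved review items (ReviewGuard)
    pending_nonce: Optional[str] = None         # one-time approval token from the panel

    def request_approval(self) -> str:
        """Panel side: the human issues a fresh single-use nonce for the current gate."""
        self.pending_nonce = secrets.token_hex(16)
        return self.pending_nonce

    def advance(self, nonce: Optional[str] = None) -> str:
        """Agent side (workspace_advance): the server, not the agent, decides."""
        if self.phase in MANUAL_GATES:
            if nonce is None or not secrets.compare_digest(nonce, self.pending_nonce or ""):
                raise PermissionError(f"phase {self.phase} requires human approval")
            self.pending_nonce = None           # a nonce authorises exactly one transition
        if self.phase == "4.1" and self.open_reviews:
            raise PermissionError(f"{self.open_reviews} review items still unresolved")
        self.phase = ORDER[ORDER.index(self.phase) + 1]
        return self.phase

    def check_write(self, path: str) -> bool:
        """Scope lock: writes are allowed only during execution and only inside must/may."""
        if not self.phase.startswith("3"):
            return False
        return path in self.must or path in self.may


def try_advance(ws: Workspace, nonce: Optional[str] = None) -> str:
    """Return the new phase, or 'denied' when a gate or ReviewGuard refuses."""
    try:
        return ws.advance(nonce)
    except PermissionError:
        return "denied"
```

A reused or guessed nonce is rejected because the server clears it after one use and compares in constant time; an agent that "forgets" the plan still cannot write outside the locked scope.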

## Technical Implementation Highlights

### MCP Server Integration
Integrated with Claude Code via MCP server, providing a standardized tool call interface. Agents call workspace_advance to advance the workflow.
### Flask Management Panel
A visual interface where users can view phases and approval requests, manage acceptance criteria, configure verification files, and so on. Cryptographically random nonces secure each approval.
### Session Recovery Mechanism
Records phase operations, obstacles, decisions, and file changes via progress entries. Restarts regenerate agents to ensure continuity of long-cycle projects.
### Telegram Remote Control
Supports remote session control via Telegram bot. Multiple sessions share the bot, with prefixes identifying workspaces. An orphan detection mechanism automatically recovers dead sessions.
### Modular Architecture
Functions are organized as modules. The management panel scans directories to enable/disable modules; currently includes the Telegram module.

## Agent Role Division and Security Boundaries

### Agent Role Division
The framework defines 16 professional agents, coordinated by the Orchestrator:
- Plan Advisor: A persistent teammate throughout the session;
- Researcher: Responsible for research and answering questions;
- Prover: Verifies research findings and proofs;
- Engineer: Writes production code;
- Test Engineer: Writes test code;
- Reviewer: Conducts blind code reviews;
- Orchestrator: Coordinates all agents.
### Security Boundaries and Limitations
A local workflow governance layer aimed at preventing accidental or overconfident agents from bypassing controls; not designed to defend against malicious users, compromised machines, or hostile networks. Security assumptions: Local machine is trusted; user controls the management panel; network mode is behind a trusted LAN/secure tunnel; port 5111 is not exposed to the public; management token grants full control.

## Application Scenarios and Value

### Application Scenarios
- **Enterprise-level AI programming**: Ensures process traceability and auditability in compliance scenarios;
- **Critical system development**: Multi-phase verification and manual gating reduce defect risks;
- **Team collaboration**: Structured processes coordinate multiple developers sharing AI assistants to avoid conflicts;
- **Newcomer training**: Standardized workflows help novices learn best practices.
### Value
Represents the development of AI-assisted programming towards maturity and controllability, balancing the release of AI potential with human supervision and control. It is a topic of ongoing interest in the field of software engineering.
