Files
wehub-resource-sync 23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:02:19 +08:00

8.4 KiB

Getting Started with @claude-flow/guidance

Background: How Claude Code Uses Memory Files

In Claude Code, CLAUDE.md and CLAUDE.local.md are loaded into the agent's working context at session start. They are the primary mechanism for telling Claude Code how to behave on your project:

File Who it's for Committed?
CLAUDE.md The whole team Yes
CLAUDE.local.md You, on this machine No (auto-gitignored)

Claude Code searches upward from the current directory and loads every instance it finds. In a monorepo, a child directory's CLAUDE.md layers on top of the root's. Run /memory in Claude Code to see which files were loaded.

The @import pattern offers an alternative to CLAUDE.local.md for developers using multiple git worktrees:

# In CLAUDE.md (committed):
@~/.claude/my_project_instructions.md

What This Package Adds

The Guidance Control Plane takes these plain-text files and turns them into structured, enforceable, auditable policy. Without it, Claude Code loads CLAUDE.md as raw text and relies on the model to follow it. With it, rules become typed objects with gates that block violations before they execute.

Installation

npm install @claude-flow/guidance@v3alpha

Requires Node.js 20+.

Minimal Setup

import { createGuidanceControlPlane } from '@claude-flow/guidance';

const plane = createGuidanceControlPlane({
  rootGuidancePath: './CLAUDE.md',
  localGuidancePath: './CLAUDE.local.md', // optional, your personal overrides
});
await plane.initialize();

This reads both files, compiles them into a policy bundle (constitution + rule shards + manifest), and prepares all subsystems.

What Happens at Initialization

  1. LoadCLAUDE.md is read as the root guidance. CLAUDE.local.md (if present) is read as an overlay. Local rules supplement or override root rules.
  2. Compile — Both files are parsed into structured rules. Each rule gets an ID, risk class, domain tags, tool class tags, and intent tags.
  3. Shard — Rules are broken into task-scoped shards. The always-loaded invariants form the constitution (first ~30-60 lines of the root file). Everything else becomes retrievable shards.
  4. Index — Shards are loaded into the retriever for similarity-based lookup.
  5. Activate gates — Enforcement gates are configured from the compiled rules.

Core Loop

Every agent task follows this pattern:

// 1. Retrieve relevant rules for this task
const guidance = await plane.retrieveForTask({
  taskDescription: 'Fix the login timeout bug',
  intent: 'bug-fix',
});
// guidance.constitution — always-loaded invariants
// guidance.shards — task-relevant rules

// 2. Gate commands before execution
const gateResults = plane.evaluateCommand('git reset --hard');
for (const result of gateResults) {
  if (result.decision === 'deny') {
    console.error(`Blocked: ${result.reason}`);
    // Don't execute the command
  }
}

// 3. Track the run
const event = plane.startRun('task-123', 'bug-fix');
// ... agent does work ...
const evaluations = await plane.finalizeRun(event);

Using Individual Modules

You don't have to use the all-in-one control plane. Each module is independently importable:

// Just the gates
import { createGates } from '@claude-flow/guidance/gates';
const gates = createGates({ destructiveOps: true, secrets: true });

// Just the proof chain
import { createProofChain } from '@claude-flow/guidance/proof';
const chain = createProofChain('my-hmac-key');

// Just the trust system
import { createTrustSystem } from '@claude-flow/guidance/trust';
const trust = createTrustSystem();

All 20 modules are available as separate entry points. See the API Reference for the full list.

CLAUDE.md vs. CLAUDE.local.md

What goes in CLAUDE.md (shared, committed)

Team-level guidance everyone benefits from:

# Build & Test
Run `npm test` before committing. Run `npm run build` to type-check.

# Coding Standards
- No `any` types. Use `unknown` when the type is truly unknown.
- All public functions require JSDoc.

# Architecture
This project uses a layered architecture. See docs/architecture.md.

# Domain Rules
- Never write to the `users` table without a migration.
- API responses must include `requestId` for tracing.

What goes in CLAUDE.local.md (private, not committed)

Machine-specific or personal notes:

# My Environment
- Local API: http://localhost:3001
- Test DB: postgres://localhost:5432/myapp_test

# Preferences
- Show git diffs before committing
- I prefer verbose error messages

The @import alternative for worktrees

If you use multiple git worktrees, CLAUDE.local.md is awkward because each worktree needs its own copy. The @ import pattern inside CLAUDE.md points to a shared file in your home directory:

@~/.claude/my_project_instructions.md

How the optimizer uses both files

The optimizer watches which CLAUDE.local.md experiments reduce violations. When a local rule consistently outperforms the root, the optimizer proposes promoting it to CLAUDE.md with an ADR:

const optimized = await plane.optimize();
// optimized.promoted — rules moved from local to root
// optimized.demoted — ineffective root rules flagged
// optimized.adrsCreated — decision records

WASM Acceleration

If the pre-built WASM binary is available, hot-path operations (hashing, secret scanning, destructive detection) run 1.25-1.96x faster automatically:

import { getKernel, isWasmAvailable } from '@claude-flow/guidance/wasm-kernel';

console.log(isWasmAvailable()); // true if WASM loaded
const k = getKernel(); // WASM or JS fallback — same API either way

No configuration needed. The bridge detects WASM availability at load time.

File Organization

@claude-flow/guidance/
  src/
    index.ts            # Control plane + re-exports
    compiler.ts         # CLAUDE.md → PolicyBundle
    retriever.ts        # Shard similarity retrieval
    gates.ts            # Enforcement gates (4 built-in)
    gateway.ts          # Tool gateway (idempotency + schema + budget)
    proof.ts            # Hash-chained proof envelopes
    continue-gate.ts    # Step-level agent control
    memory-gate.ts      # Memory write authorization
    capabilities.ts     # Typed permission algebra
    trust.ts            # Trust score accumulation
    authority.ts        # Authority levels + irreversibility
    adversarial.ts      # Threat/collusion detection + quorum
    meta-governance.ts  # Governance over governance
    coherence.ts        # Coherence scoring + economic budgets
    uncertainty.ts      # Probabilistic belief tracking
    temporal.ts         # Bitemporal assertions
    truth-anchors.ts    # Immutable external facts
    ledger.ts           # Run logging + evaluators
    optimizer.ts        # Rule evolution
    headless.ts         # Automated compliance testing
    wasm-kernel.ts      # WASM host bridge
  wasm-kernel/          # Rust source for WASM kernel
  wasm-pkg/             # Pre-built WASM binary
  tests/                # 1088 tests across 24 files
  docs/
    guides/             # Conceptual guides
    tutorials/          # Step-by-step walkthroughs
    reference/          # API reference
    diagrams/           # Architecture diagrams
    adrs/               # Architecture Decision Records (G001-G025)

Verification

To confirm both files are being loaded and enforced:

  1. Add a unique rule to CLAUDE.md: # Test: Always respond in English
  2. Add a different rule to CLAUDE.local.md: # Test: Prefer bullet points
  3. Start Claude Code and run /memory — both files should appear as loaded
  4. Ask Claude to restate each unique rule to confirm both were applied

Then, initialize the guidance control plane and confirm:

const plane = createGuidanceControlPlane({
  rootGuidancePath: './CLAUDE.md',
  localGuidancePath: './CLAUDE.local.md',
});
await plane.initialize();
const bundle = plane.getBundle();
console.log(bundle.constitution.length);  // > 0
console.log(bundle.shards.length);        // > 0

Next Steps