GOVERNANCE INFRASTRUCTURE FOR AI CODING

The Seatbelt for the Supercar.

Everyone is building faster AI coding tools. Nobody is building the safety layer. ClosedClaw is the governance infrastructure that lets AI code freely while keeping humans in control.

What Is ClosedClaw?

"Prophylactic as a Service" — the governance layer between AI and your production code.

THE PROBLEM

AI Codes Unsupervised

Developers are using AI tools (Cursor, Copilot, Claude Code) to write and execute code with zero visibility into what changed, why, or whether it's safe.

THE RISK

No Audit Trail

Companies have no governance over AI-generated code. No sandbox isolation. No approval workflow. No risk scoring. If it breaks production, you find out after the fact.

THE SOLUTION

ClosedClaw

A sandboxed execution environment where AI has full coding freedom but zero production access. Humans approve completed work, not individual keystrokes. Outcome governance.

The Mental Model

A senior engineer in a locked room.

The AI Gets Full Tools

Inside the sandbox, the AI can read files, edit code, run tests, execute bash commands, install packages. Full agency. No hand-holding. It works like a real developer.

Zero Access to Production

The sandbox is an ephemeral copy of the repo. Network isolated. Memory limited. Time-capped. The AI cannot touch production, cannot phone home, cannot access secrets. The Director holds the only key to the door.

┌─────────────────────────────────────────────────────────┐
  SANDBOX (ephemeral copy, network=none, 10 min max)
  AI Agent → Read → Edit → Write → Test → Iterate
  Full tools. Full agency. Full isolation.
└──────────────────────────┬──────────────────────────────┘
                           │
 Safety Post-Mortem (diff, risk score, test results, audit)
                           │
                    ┌──────┴──────┐
                      HUMAN GATE
                    [Merge] [Reject]
                    └──────┬──────┘
                    ┌──────┴──────┐
                      PRODUCTION
                    └─────────────┘

How It Works

We call it "Metro Coding" — dispatch on the platform, approve on the train.

1. 08:01 AM: Developer sends a task

Via Telegram, web UI, or API: "Add retry logic to the API client with exponential backoff."

2. 08:01 – 08:12 AM: AI executes in a sandbox

An ephemeral copy of the repo is created. The AI agent reads code, writes changes, runs tests — completely isolated. No network access. No secrets. No production writes.

3. 08:12 AM: Safety Post-Mortem generated

Automatic analysis: files changed, lines added/removed, bash commands run, test results, and a computed risk score (0.0 – 1.0) based on operation severity.

4. 08:30 AM (on the metro): Human reviews and approves

The developer gets a notification with a summary, diff link, and risk score. One tap: [Merge] or [Reject]. No context-switching into an IDE required.

5. 08:30 AM: Merge & audit trail

Changes are committed to the production branch with full provenance: who approved, what changed, AI execution trace, test results, co-authored-by tag. The sandbox is destroyed.

Three-Tier Governance

Not all operations carry equal risk. We treat them accordingly.

TIER 1: OBSERVATION

Read-Only

File reads, code search, directory listing. Zero mutation risk.

AUTO-APPROVE

TIER 2: DRAFTING

Sandboxed Writes

Edit files, run bash, install packages — all inside the isolated sandbox. Zero production risk.

AUTO-APPROVE

TIER 3: IMPACT

Merge & Deploy

Production mutation. Changes leave the sandbox. This always requires a human.

HUMAN REQUIRED

Risk Scoring

Every execution produces a risk score from 0.0 (safe) to 1.0 (dangerous).

What Gets Scored

  • 0.5  Bash commands with sudo
  • 0.5  .env / secrets file access
  • 0.4  File deletions
  • 0.4  Git config modifications
  • 0.3  Network-related commands
  • 0.2  Large diffs (100+ lines)
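An added sketch of how the weights above could be turned into one score per execution; it is not ClosedClaw's code. The rule names, the command and path matchers, and the rule of summing each triggered weight once and capping at 1.0 are assumptions, since the page gives only the weights.

```python
import re
import shlex
from pathlib import PurePosixPath

# Weights are the page's "What Gets Scored" values; the rule names are hypothetical.
WEIGHTS = {"sudo": 0.5, "secrets_access": 0.5, "file_deletion": 0.4,
           "git_config": 0.4, "network": 0.3, "large_diff": 0.2}
# Assumed matchers: the page does not say which commands or paths count.
NETWORK_TOOLS = {"curl", "wget", "ssh", "scp", "nc"}
ENV_FILE = re.compile(r"^\.env(\..+)?$")
# Constructed sample trace, not taken from the product.
SAMPLE = ["pytest -v", "cd build&&sudo make install",
          "git config user.email bot@example.invalid", "grep -r pseudocode docs/"]

def _is_secret(path):
    p = PurePosixPath(path)
    return bool(ENV_FILE.match(p.name)) or ".ssh" in p.parts

def _words(command):
    """Tokenize a shell line, padding operators so 'a&&sudo b' still splits."""
    padded = re.sub(r"(&&|\|\||;|\|)", r" \1 ", command)
    try:
        return shlex.split(padded)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        return padded.split()

def score_execution(commands, files_read, files_deleted, diff_lines):
    """Return (score, rules). Assumed: each rule counts once, sum capped at 1.0."""
    hits = set()
    for command in commands:
        words = _words(command)
        names = [PurePosixPath(w).name for w in words]  # /usr/bin/sudo -> sudo
        if "sudo" in names:
            hits.add("sudo")
        if NETWORK_TOOLS.intersection(names):
            hits.add("network")
        if ("git", "config") in zip(names, names[1:]):
            hits.add("git_config")
        if "rm" in names:
            hits.add("file_deletion")
        if any(_is_secret(w) for w in words):
            hits.add("secrets_access")
    if any(_is_secret(p) for p in files_read):
        hits.add("secrets_access")
    if files_deleted:
        hits.add("file_deletion")
    if diff_lines >= 100:  # the page's "Large diffs (100+ lines)"
        hits.add("large_diff")
    return min(1.0, round(sum(WEIGHTS[h] for h in hits), 2)), sorted(hits)
```

Matching on tokenized command words rather than substrings keeps `grep -r pseudocode` from tripping the sudo rule while still catching `cd build&&sudo make install`.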

What Gets Reported

Summary: "Added retry logic to API client"
Files: 3 changed (+47 / -12)
Tests: 12 passed, 0 failed
Risk: LOW (0.15)
Commands: pytest -v, pip install tenacity
Duration: 4m 32s, 8 AI turns
Branch: kognist-ai-a1b2c3d4

How ClosedClaw Compares

ClosedClaw is not competing with AI coding tools — it is the governance layer that wraps around them.

Capability | Cursor / Copilot | Claude Code (raw CLI) | ClosedClaw
AI writes code | Yes | Yes | Yes
AI executes code | Limited | Yes (host machine) | Yes (sandboxed)
Sandbox isolation | No | No — runs on host | Yes — ephemeral copy, no network
Risk scoring | No | No | Yes — 0.0-1.0 per execution
Human approval gate | Accept/reject inline | Prompts for permission | Async merge approval (Telegram/web)
Audit trail | No | No persistent log | Full — commands, diffs, approvals, timestamps
Works asynchronously | No — IDE must be open | No — terminal must be open | Yes — dispatch and approve from phone
Enterprise governance | No | No | RBAC, compliance logs, team dashboards
Network isolation | Full internet access | Full internet access | --network none (no phone home)
Secrets protection | Full .env access | Full .env access | .env/.ssh/config excluded from sandbox

The Key Insight

Cursor and Copilot are IDE tools — they help you write code faster. Claude Code CLI is an agentic tool — it writes code for you. ClosedClaw is governance infrastructure — it makes both of those safe to use in professional settings. They are complementary, not competitive.

Agentic Coding Landscape

As AI coding shifts from autocomplete to autonomous agents, the governance gap widens.

Tool | Model | Isolation | Governance
GitHub Copilot | Autocomplete — suggests code inline | None | None
Cursor | IDE-embedded agent — edits files in context | None | Accept/reject per edit
Claude Code CLI | Terminal agent — full file + bash access | Runs on host | Per-command prompts
Devin / OpenHands | Cloud agent — full VM + browser | VM-level | Review at end
ClosedClaw | Sandboxed agent — orchestrates any AI CLI | Container-level (no network, no secrets) | Risk scoring + async human gate + full audit

Architecture

Where ClosedClaw sits inside Agent-C.

AGENT-C (The Talent Agency for AI)
├── Agent-C App ────── B2C creative production
│       Novels, screenplays, TikTok, comics, newsletters
│       Voice calibration, narrative governance, tournaments
└── ClosedClaw ────────── B2B governance infrastructure
        Sandboxed code execution, risk scoring, audit trails
        Enterprise compliance, approval workflows, RBAC
        ├── SandboxManager ─── Ephemeral repo copies (copy-mount)
        ├── ClaudeCodeService  AI CLI subprocess orchestration
        ├── SafetyPostMortem ── Risk scoring + diff analysis
        ├── GitOrchestrator ─── Branch, diff, merge workflows
        └── CodeAgentService ── Model-agnostic execution layer

Shared Infrastructure

Both products share the same FastAPI backend, PostgreSQL database, event-sourcing system, and Telegram integration. ClosedClaw is not a separate codebase — it is a capability layer inside the platform.

Separate Deployment

Agent-C App runs on Cloud Run (stateless, cheap). ClosedClaw requires a persistent filesystem, Git, and the Claude CLI, so it deploys on Compute Engine (stateful, isolated). Same backend, different infrastructure.

Who Is This For?

Not everyone needs a seatbelt. But professionals do.

NOT THE TARGET

Power Users / DIY Developers

Senior engineers who already have their own sandbox setups, CI/CD, and review processes. They can build this themselves. They are not the customer.

PRIMARY TARGET

Enterprise Engineering Teams

Companies adopting AI coding tools who need compliance, audit trails, and governance without slowing developers down. The CISO audience.

SECONDARY TARGET

Agencies & Freelancers

Professional developers who need audit trails for client work. "Here's exactly what the AI changed, here's my approval, here's the test output." Professional liability covered.

SECONDARY TARGET

Vibe Coders

Non-traditional developers using AI to build software. They need guardrails because they lack the experience to spot when AI makes dangerous mistakes. The seatbelt metaphor is literal.

Pricing Direction

Positioned by who needs governance, not by AI credits consumed.

Individual
$10–20/mo

Solo developers and vibe coders who want guardrails on their own projects.

  • Sandboxed execution
  • Risk scoring
  • Telegram approval
  • 1 repo

Agency / Team
$30–50/mo

Freelancers and small teams who need audit trails for client work.

  • Everything in Individual
  • Multi-repo support
  • Client-facing audit reports
  • Team approval workflows

Enterprise
$100–500/seat/mo

Organizations that need compliance and governance at scale.

  • Everything in Team
  • RBAC + SSO
  • Compliance dashboards
  • Custom risk policies
  • Dedicated support

The Thesis

Why governance infrastructure matters now.

The Agentic Shift

AI coding is moving from autocomplete (Copilot) to autonomous agents (Claude Code, Devin, OpenHands). Agents don't just suggest code — they write it, test it, and execute it. The attack surface has expanded from "bad suggestion" to "unsupervised production mutation."

The Compliance Gap

Every enterprise adopting AI coding faces the same question: "Who approved this change?" Current tools have no answer. ClosedClaw provides a cryptographic audit trail from task → execution → approval → merge. SOC2-ready governance for AI-generated code.

The Moat

The moat is not in orchestrating a CLI subprocess — anyone can do that. The moat is in the safety model: the risk scoring algorithms, the sandbox spec, the approval workflows, and the enterprise governance layer built on top. Plus the flywheel: every execution improves the risk model.

Current Status

February 2026

What's Built

  • Sandbox manager (copy-mount isolation)
  • Claude Code CLI subprocess orchestration
  • Safety Post-Mortem with risk scoring
  • Git orchestrator (branch/diff/merge)
  • Model-agnostic code agent service
  • Onboarding wizard (CLI vs API mode)
  • Telegram approval workflow
  • Three-tier governance model

What's Next

  • Compute Engine deployment (Cloud Run insufficient)
  • Enterprise RBAC + team management
  • Compliance dashboard + export
  • Custom risk policy configuration
  • Multi-model support (beyond Claude)
  • Public beta with design partners