Position for governance and compliance use cases #33

@ldraney

Description

Context

The enforcement: "hard" + rules system is essentially a policy engine for AI coding assistants. In regulated environments (finance, healthcare, government), being able to declaratively enforce what Claude can and cannot do has real value beyond developer convenience.

What this could look like

  • Audit logging: The logging system already exists. Document it as an audit trail for AI actions.
  • Policy-as-code examples: Ship example SOPs for common compliance patterns:
    • "Claude cannot modify files matching **/secrets/**"
    • "Claude cannot run rm -rf or destructive git commands"
    • "All Claude file writes must be logged"
  • Enforcement documentation: Clearly document the difference between hard (blocks) and soft (warns) enforcement and when each is appropriate.
  • Reporting: A dev-sop-engine audit command that summarizes what rules are active and what they protect.
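The kind of policy engine the bullets above describe, as an added example that is not dev-sop-engine's own code or rule format: the rule schema, the rule names, the "hard"/"soft" enforcement values, the glob and regex patterns and the audit-entry shape are all assumptions made for illustration. Each rule is either a path glob checked against file writes or a regular expression checked against a command line; hard rules block, soft rules only warn, every evaluated action is written to an audit trail, and `summary()` is what a reporting command could print.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    kind: str          # "file_write" (glob on the path) or "command" (regex on the command line)
    pattern: str
    enforcement: str   # "hard" blocks the action, "soft" lets it through with a warning


@dataclass
class Decision:
    allowed: bool
    violations: list = field(default_factory=list)   # names of every rule that matched
    warnings: list = field(default_factory=list)     # the soft-enforcement subset


def glob_to_regex(glob: str):
    """Translate a path glob: '**' spans directories, '*' stays within one segment."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out += "(?:.*/)?"       # zero or more leading directories
            i += 3
        elif glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return re.compile("^" + out + "$")


class PolicyEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit_log = []   # one entry per evaluated action, whether allowed or not

    def evaluate(self, kind: str, target: str) -> Decision:
        decision = Decision(allowed=True)
        for rule in self.rules:
            if rule.kind != kind:
                continue
            if kind == "file_write":
                hit = glob_to_regex(rule.pattern).match(target) is not None
            else:
                hit = re.search(rule.pattern, target) is not None
            if not hit:
                continue
            decision.violations.append(rule.name)
            if rule.enforcement == "hard":
                decision.allowed = False
            else:
                decision.warnings.append(rule.name)
        outcome = "allowed" if decision.allowed else "blocked"
        if decision.allowed and decision.warnings:
            outcome = "warned"
        # Audit trail: logged unconditionally, so "all file writes are logged" holds by construction.
        self.audit_log.append({"kind": kind, "target": target,
                               "outcome": outcome, "rules": list(decision.violations)})
        return decision

    def summary(self) -> dict:
        """What a reporting command could print: active rules and what each protects."""
        return {r.name: {"kind": r.kind, "pattern": r.pattern, "enforcement": r.enforcement}
                for r in self.rules}


# Constructed sample policy mirroring the three example SOPs in the issue (hypothetical names/patterns).
SAMPLE_RULES = [
    Rule("no-secrets-writes", "file_write", "**/secrets/**", "hard"),
    Rule("no-rm-rf", "command", r"\brm\s+-\w*(?:r\w*f|f\w*r)", "hard"),
    Rule("no-destructive-git", "command",
         r"\bgit\s+(?:push\s+.*--force|reset\s+--hard|clean\s+-\w*f)", "soft"),
]


if __name__ == "__main__":
    engine = PolicyEngine(SAMPLE_RULES)
    for kind, target in [("file_write", "app/secrets/key.pem"), ("file_write", "src/main.py"),
                         ("command", "rm -rf build/"), ("command", "git push --force origin main")]:
        print(kind, target, engine.evaluate(kind, target))
    print(engine.summary())
    print(engine.audit_log)
```

The soft rule on destructive git commands is deliberately placed as a warning to show the difference in outcome: the action proceeds, but the audit entry records `"warned"` with the rule name, which is the evidence a reviewer would look for later.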

Why it matters

Governance is a buying trigger for organizations. Individual devs adopt tools for convenience; teams and orgs adopt tools that help them manage risk. Framing the existing rule system as policy enforcement (which it already is) opens a different conversation with potential adopters.

Open questions

  • Is this documentation/positioning work, or does it need new features?
  • Should example policy SOPs live in this repo or a separate sop-policies repo?

Metadata

Assignees

No one assigned

Labels

enhancement (New feature or request), needs review (Needs review before implementation)

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests