Block dangerous tool calls, scan every output for PII and secrets, keep a compliance-grade audit trail — without changing how you use Claude Code, Cursor, Codex, or OpenClaw.
Three real failure modes the plugins are built to stop. Same policy set across all four surfaces.
Your assistant runs migrate.py --target=prod because nothing told it not to. The dangerous-command hook fires before exec, blocks the call, and records the attempted policy violation.
A CRM lookup pulls 50 customer records into the conversation. PII detection runs on the tool output, redacts what's sensitive, and logs which fields were redacted — before the model ever sees them.
Compliance review asks how a specific tool call was permitted. Decision records show which policy fired, which version, and what the matching context was. Not a log line — a structured trail.
All four plugins share the same 80+ governance policy set. OpenClaw, Claude Code, and Cursor enforce inline on every governed tool call; Codex uses a hybrid model (hard-enforced on terminal commands, advisory via skills for other tools — see card below). Sub-10ms overhead per tool call. Source-available under BSL 1.1.
before_tool_call — reverse shells, SSRF, SQLi, prompt injection, PII in arguments
message_sending hook (Telegram, Discord, Slack, webhooks)
SOUL.md / CLAUDE.md from tampering
.cursor/settings.json + .cursorrules write protection
exec_command path (80+ policies)
Curious how the four plugins compare on capability and limit-by-tier? See the full Community vs Evaluation vs Enterprise feature matrix.
All four plugins work for free against the public Community SaaS endpoint or your own self-hosted AxonFlow stack. Upgrade to Plugin Pro for 10× daily quota, 200/minute burst headroom, 30-day audit retention, 50 custom policies, 20 HITL approvals per rolling 7 days, and email support — $9.99 USD for 90 days, one-time payment, no auto-renewal.
See Plugin Pro details →
No. Each plugin defaults to the public Community SaaS endpoint at try.getaxonflow.com — install and you're governed in under 2 minutes. When you outgrow Free-tier quotas or want self-hosted retention, point the plugin at your own stack via AXONFLOW_ENDPOINT.
Free gives you 200 governed events/day, 25 governed write events/minute, 3-day audit retention, 4 custom policies, and 2 HITL approvals per rolling 7 days. Plugin Pro at $9.99/90 days raises those caps to 2,000 events/day, 200/minute, 30-day retention, 50 custom policies, and 20 approvals per rolling 7 days, plus LLM cost pre-flight and email support.
The 80+ built-in policy set is identical across OpenClaw, Claude Code, Cursor, and Codex — same rules, same audit trail format. The enforcement model differs: OpenClaw, Claude Code, and Cursor enforce inline on every governed tool call. Codex uses a hybrid — hard-enforced on terminal commands via PreToolUse hooks, advisory via skills (the agent decides whether to follow) for Write/Edit/MCP tools.
Each plugin emits a heartbeat at most once every 7 days during activity (version, OS/arch, environment class, license tier, and the deployment's org_id — the cs_<uuid> anonymous tenant identifier on hosted Community SaaS, the operator-supplied value on self-hosted, or the local-dev-org sentinel when neither is configured). No prompts, payloads, or API keys. Opt out across all surfaces with export AXONFLOW_TELEMETRY=off. Full schema at docs.getaxonflow.com/docs/telemetry.
3–10ms per tool call across all four plugins (policy pre-check 2–5ms + PII detection 1–3ms + SQLi scan 1–2ms + async audit 0ms). Imperceptible in interactive use.