Open-source AI governance · by Prysio

Everyone ships skills.
Nobody ships governance.

Starfish is the governance.

A governance-first, deny-by-default layer for AI agents. Drop it onto any Claude or AI build and every tool call, agent action, and capability passes one decision point that defaults to deny — with a tamper-evident audit trail of everything that ran.

View on GitHub → projectstarfish.ca
Research preview · governance core implemented & 307 conformance tests green · Apache-2.0

Prysio teaches. Starfish governs. The academy shows you how to build with AI; Starfish is our open project for running those agents safely — least privilege, prompt-injection defense, and an audit trail, instead of hope.

Two things, one trusted core

Starfish is an original, clean-room project built as governance first, with capabilities as guests inside it — not the other way around.

🛡️ A portable governance overlay

Drop it onto any existing Claude / AI agent or skill build and it brings that build under governance: every tool call, agent action, and capability passes a single decision point that defaults to deny. It can even govern Claude Code itself, via its hooks.

🖥️ GCS Starfish — mission control

A governed desktop app (Electron + React) that visualizes the model: a bridge / mission-control UI where you see and approve what your agents are doing in real time.

What it governs

Model-agnostic — Claude, OpenAI, Gemini, OpenRouter, or a local model. Governance is the same constant whichever model runs the work.

📁 File system
Boundary-confined reads and writes — no reaching outside the lines.
⌨️ Shell & exec
Raw shell gated; catastrophic commands denied outright.
🌐 Network / MCP / web
Admitted-but-tainted; tainted data can't exfiltrate to a foreign destination.
🧩 Skills & capabilities
Vetted + risk-rated, deny-by-default. Prompt-injection is rejected outright.
🔑 Secrets & .env
Reading is deny-by-default; secret values never egress.
🗑️ Deletion
Impact-assessed, reversible, hard-ruled — no system files, no skills, no folders.

Constitutional principles

The supreme source of truth is GOVERNANCE.md. These are the rules nothing can run around.

01
Governance precedes execution. No action without authorization. The default is DENY.
02
All work is a task. Nothing runs outside the governed task lifecycle. No task, no tool.
03
Auditability. Every meaningful action is recorded to a hash-chained, append-only log.
04
Bounded autonomy. Agents may automate work; they may never expand their own authority.
05
Human authority. A human is the final approver. Proposer ≠ approver.
06
Evidence-based ("no unbacked word"). An agent's claims ("tests pass," "I ran X") are checked against the recorded deeds; unbacked claims are blocked.
07
Fail-closed. Missing or corrupt governance halts startup; nothing runs ungoverned.

Govern Claude Code in four commands

Seed governance under .starfish (your project untouched), wire the hooks, and run a resident, fail-closed Policy Decision Point.

starfish init --overlay --yes       # seed governance under .starfish
starfish install --claude-code      # wire the hooks
starfish daemon                     # resident, fail-closed decision point
starfish doctor                     # audit the lockdown

Installs from npm (npm i -g project-starfish) or GitHub as one self-contained bundle — no runtime deps. Requires Node ≥ 18. Verified against Claude Code 2.1.183.

The security model in one breath

Vetting is the only door
Provenance, license, static signals + a prompt-injection screen → a risk tier. Low auto-registers; medium+ is quarantined pending your consent.
Prompt-injection = hard reject
Highest tier. Overrides even a trusted publisher.
Per-skill confinement
Each skill gets a unique sandbox; other skills, the governance dir, and the audit log are invisible to it. No symlinks.
Publisher signing (Ed25519)
A skill signed over its manifest hash by a pinned key is cryptographically trusted.
Triple-checked integrity
Per-file SHA-256 manifests; verify before / during / after; drift → auto-quarantine.
Operator-signed self-integrity
The system verifies itself the way it verifies skills; tamper → safe mode. Optional external audit anchoring.

Free, open, and yours

You do not need a commercial license to use Starfish — even at a company. The core and CLI are Apache-2.0: free for personal and commercial use, forever. Adopt it, embed it, ship it. Separate enterprise layers — external audit-anchoring & compliance reporting (SOC 2 / 17a-4 / SR 11-7), SSO/RBAC & fleet management, a signed skill registry with remote kill-switch, managed cloud, and support — fund continued open development. Using the open core never requires payment.

Apache-2.0. The Project Starfish name and logo are trademarks. Enterprise enquiries: hello@projectstarfish.ca