Gatewaystack Governance

This plugin appears to do what it claims, but take these precautions before installing: - Verify the package source and publisher on npm/GitHub (the SKILL.md and package.json point to a GitHub repo and an npm package). Confirm the maintainer identity and package integrity (checksums, npm publisher account). - Audit and protect the audit log and state files. The plugin records tool names and arguments (and optionally DLP matches) in audit.jsonl and other state files; these can contain secrets. Ensure the files are stored in a safe location with correct filesystem permissions (not world-readable) and consider enabling disk encryption or restricting access. - Review and customize policy.json before enabling wide privileges. The default policy is deny-by-default, but double-check allowedTools, roles, rate limits, and any escalation settings to match your environment. - Optional packages (@gatewaystack/transformabl-core, @gatewaystack/limitabl-core) are only required for DLP and behavioral features; install them only if you need those features and trust their source. - Run the plugin self-test (npm test or the CLI self-test) and inspect the code (already included) if you have concerns; if you operate in a high-security environment, trial in an isolated instance first. Overall: coherent and consistent with its stated purpose, but the audit/state data it creates is sensitive — protect those files and verify the package origin before deploying.