Skip to main content
The governance layer is an opt-in module that intercepts every tool call and applies a policy decision (ALLOW / BLOCK / REVIEW) before the tool runs. It adds zero overhead when not activated.

Quick start

When the model calls wipe_disk, governance short-circuits the call, issues a signed receipt to receipts.jsonl, and returns a denied result.

Decision outcomes

DecisionEffect
ALLOWTool runs as usual.
BLOCKTool is refused. A receipt is written with the full evidence envelope.
REVIEWA checkpoint is opened. Governance calls your governance_reviewer callback, or Agent UI’s blocking confirmation modal when that is the active console. APPROVE -> tool runs; REJECT -> tool is refused. Either way a receipt is written.
If REVIEW fires and neither a reviewer nor a blocking console is available, the mixin fails closed — the tool is denied without executing.

Tagging tools

Decorator style (colocates policy with the tool):
Dict style (centralizes policy on the agent):
Tags from both sources are additive (union, deduplicated): decorator tags come first, then dict tags are appended. A tool with "review" from a decorator and "blocked" from the dict will carry both tags.

Configuration

Reviewers

An explicit governance_reviewer takes precedence. If none is configured, governance delegates to console.confirm_tool_execution only when the console advertises blocking_confirmation = True; Agent UI’s SSEOutputHandler does this and emits the existing permission_request modal. GAIA’s default console is not consulted because its confirmation method auto-approves. When a policy returns BLOCK, the governed tool body is not executed and the adapter writes a BLOCK receipt. If the active console supports print_policy_alert, GAIA also emits a user-visible policy alert. Agent UI’s SSEOutputHandler sends this as a policy_alert SSE event with the blocked tool, decision, reason, rule IDs, policy version, and receipt ID.

Observability callbacks

Callback exceptions are logged as warnings and never interrupt tool execution.

Security properties

  • Canonical name resolution — governance resolves registered tool names before checking risk tags, so an LLM cannot bypass a tag on mcp_time_get_current_time by calling the alias get_current_time.
  • Envelope-bound receipts — each receipt’s payload_hash is a SHA-256 of the full evidence envelope (action, decision, policy version, constitution hash, actor, timestamp) in strict canonical JSON. Any tampered field changes the hash.
  • Workflow-bound checkpoints — the adapter refuses to resolve a checkpoint under a workflow_id that differs from the one recorded when the checkpoint was opened.
  • Fail-closed REVIEW — no reviewer registered means deny.

Extension points

InterfaceShipped referenceSwap with
PolicyEngineRuleBasedPolicyEngineACGS-lite, LLM judge, OPA
CheckpointRuntimeInMemoryCheckpointBridgeconstitutional-swarm checkpoint service
ReceiptServiceProtocolInMemoryReceiptService / JsonlReceiptServiceDB, log forwarder, chain anchor
PolicyBindingProtocolStaticPolicyBindingServiceconstitutional-swarm policy control plane
All four are @runtime_checkable Protocols — no inheritance required.

Audit log

JsonlReceiptService writes one JSON object per line to a path you choose (receipts.jsonl by default). The log survives process exit and is trivially grep-able:
For multi-process deployments, replace JsonlReceiptService with a dedicated log forwarder or database-backed receipt service.