governance-sdk
AI Agent Governance for TypeScript — policy enforcement, scoring, compliance, and audit for AI agents
Release History
| Version | Changes | Urgency | Date |
|---|---|---|---|
| 0.13.1 | Imported from npm (0.13.1) | Low | 4/21/2026 |
| v0.13.0 | ## Conventions flip + deprecation notices Follow-up to 0.12. Two small, deliberate changes that the 0.12 roadmap promised — committed now so users have runtime notice before 1.0. ### OTel `conventions` default flips from `"both"` to `"gen_ai"` `createOtelHooks()` now defaults to emitting only the GenAI semantic conventions. Governance spans correlate out of the box with Anthropic, OpenAI, and Vercel-AI SDK spans in Honeycomb / Datadog / New Relic. **Migration.** If your dashboard | High | 4/16/2026 |
| v0.12.0 | ## Trust hardening Closes the three most load-bearing honesty gaps surfaced by the post-0.11 audit. Theme: the things the SDK already claims must actually hold up under restart, real observability, and real naming. ### Durable integrity audit chain Before 0.12, `integrityAudit: { signingKey }` held chain state (latest hash, sequence, per-event integrity) in a `createGovernance()` closure. Process restart reset the chain to genesis and every Postgres event lost its integrity metadata because t | High | 4/16/2026 |
| v0.11.2 | Adds infrastructure to keep `packages/governance/README.md` (the file npm publishes) in sync with the repo-root README — so the v0.11.1 fix can never silently regress. ## What's new - **`scripts/sync-readme.mjs`** — generates the package README from the root, normalizing repo-relative links (`./packages/...`, `./LICENSE`, `./CONTRIBUTING.md`, etc.) to absolute GitHub URLs so they resolve correctly on npmjs.com. Idempotent. - **`prepublishOnly` hook** runs sync-readme before tsc, guaranteeing e | High | 4/16/2026 |
| v0.10.0 | Tightens the SDK to the surface we can defend, and is honest about everything it doesn't do. No new features. **1,348 tests** pass with **0 failures**. ## Removed (BREAKING) - **`governance-sdk/federation`** — was advisory-only posture exchange with no distributed protocol or signature enforcement. (Note: as of 0.11 this is also not shipped in Lua Governance Cloud.) - **`governance-sdk/sandbox`** — was a `node:vm` wrapper. `node:vm` is not a security boundary (per Node docs; see CVE-2023-32002 | High | 4/15/2026 |
| v0.11.1 | The `packages/governance/README.md` (the file npm publishes) had drifted ~3 release cycles behind the repo-root README. This patch syncs the two so npm users see the same content GitHub viewers see — including the "What this is NOT" scope disclosures, the 0.11 module removals, and the behavioral-scorer demotion. Relative links normalized to absolute GitHub URLs so they resolve correctly when read on npmjs.com. **No code changes. SDK behavior identical to 0.11.0.** If you're already on 0.11.0, | High | 4/15/2026 |
| v0.11.0 | Follow-up to the v0.10 cleanup. After a feature-by-feature audit against actual `governance-cloud` consumers and major competitors (Microsoft `agent-governance-toolkit`, NeMo Guardrails, Phoenix, Langfuse, Braintrust), this release removes 5 modules with no consumers and clarifies framing around 4 more that were oversold as built-in observability/eval infrastructure. **1,328 tests** pass with **0 failures**. **0 runtime dependencies** (unchanged). ## Removed (BREAKING) - **`governance-sdk/eva | High | 4/15/2026 |
| v0.9.0 | ## Highlights **Full pre/post/streaming coverage across all 10 featured framework adapters.** Every featured adapter now supports input pre-scan, output post-scan, streaming post-scan (buffered / sliding / per-chunk), and tool-call enforcement. ## What's new ### Featured adapters — full lifecycle - **Vercel AI SDK** — `createGovernanceMiddleware` now returns `transformParams` (pre), `wrapGenerate` (post), `wrapStream` (streaming post). Config accepts `streamMode`, `streamLookbackChunks`, `str | High | 4/14/2026 |
Similar Packages
@piiiico/agent-audit: Security scanner for AI agent tooling — MCP servers, tool definitions, and agentic pipelines (0.3.3)
opena2a: Open-source security tools for AI agents. Find vulnerabilities, fix root causes, prove compliance. (v0.8.23)
@agent-receipts/dashboard: Mission Control dashboard for Agent Receipts — local web UI for AI agent accountability (0.4.0)
