# governance-sdk

> AI Agent Governance for TypeScript — policy enforcement, scoring, compliance, and audit for AI agents

- **URL**: https://www.freshcrate.ai/projects/governance-sdk
- **Author**: Lua
- **Category**: MCP Servers
- **Latest version**: `v0.17.0` (2026-05-07)
- **License**: MIT
- **Source**: https://github.com/lua-ai-global/governance
- **Homepage**: https://heygovernance.ai
- **Language**: TypeScript
- **GitHub**: 19 stars, 1 fork
- **Registry**: npm (`governance-sdk`)
- **Tags**: `agent-safety`, `agent-security`, `ai-agents`, `ai-governance`, `compliance`, `injection-detection`, `npm`, `policy-engine`, `prompt-injection`

## Description

AI Agent Governance for TypeScript — policy enforcement, scoring, compliance, and audit for AI agents

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `v0.17.0` | 2026-05-07 | High | The condition registry (`registerCondition` / `unregisterCondition` / `getRegisteredCondition` / `getRegisteredConditions` / `clearConditionRegistry`) and `PolicyEngineConfig.conditions` were already on `PolicyEngine` since 0.15, but `GovernanceInstance` (the thing `createGovernance()` returns) didn't expose them — `instance.policies` is a `ReadonlyPolicyEngine` view that intentionally hides mutators. So callers who followed the documented `createGovernance()` flow had no path to register a cus |
| `v0.16.0` | 2026-04-30 | High | 0.15 introduced `governance-sdk/scan/multi-modal` as a host-callable orchestrator with a global "scan everything you opt into" shape. That worked for the SDK plumbing but coupled rules that have nothing to do with each other (a token-budget rule has no business knowing about images). 0.16 moves modality config onto the **policy rule itself**.  ### Added — `scanModalities` on `PolicyRule`  ```ts const rule: PolicyRule = {   id: "image-aware-injection-guard",   name: "Block prompt injection in vi |
| `v0.14.1` | 2026-04-30 | High | `scope_boundary` and `network_allowlist` rules at stage `process` (the default for those conditions, where pre-execution blocking happens) silently never fired on tool calls in 0.14.0 — `evaluateToolCall` (the path behind `processOutputStep`) didn't populate `ctx.targetPath` / `ctx.targetUrl`, and those conditions read those fields exclusively.  0.14.0 wired the field-extraction registry into `wrapTool` (tool_result stage). 0.14.1 wires it into `evaluateToolCall` too — same registry, same generi |
| `0.13.1` | 2026-04-21 | Low | Imported from npm (0.13.1) |
| `v0.13.0` | 2026-04-16 | High | ## Conventions flip + deprecation notices  Follow-up to 0.12. Two small, deliberate changes that the 0.12 roadmap promised — committed now so users have runtime notice before 1.0.  ### OTel `conventions` default flips from `"both"` to `"gen_ai"`  `createOtelHooks()` now defaults to emitting only the GenAI semantic conventions. Governance spans correlate out of the box with Anthropic, OpenAI, and Vercel-AI SDK spans in Honeycomb / Datadog / New Relic.  **Migration.** If your dashboard |
| `v0.13.0` | 2026-04-16 | Medium | ## Conventions flip + deprecation notices  Follow-up to 0.12. Two small, deliberate changes that the 0.12 roadmap promised — committed now so users have runtime notice before 1.0.  ### OTel `conventions` default flips from `"both"` to `"gen_ai"`  `createOtelHooks()` now defaults to emitting only the GenAI semantic conventions. Governance spans correlate out of the box with Anthropic, OpenAI, and Vercel-AI SDK spans in Honeycomb / Datadog / New Relic.  **Migration.** If your dashboard |

## Citation

- HTML: https://www.freshcrate.ai/projects/governance-sdk
- Markdown: https://www.freshcrate.ai/projects/governance-sdk.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/governance-sdk/deps

_Generated by freshcrate.ai. Indexes npm releases for AI-agent ecosystem packages._
