Governance Direction: lionagi Governed Orchestration¶
Version: 1.0 | Phase: 2 — Synthesis and Standards Status: Accepted — blocking all Phase 3-7 implementation
Note on phase and play numbering: This document uses P-numbers (P11, P12–P24) to refer to sequential implementation phases in the governed orchestration build-out. P11 is the synthesis phase that produced this document; P12–P24 are the 13 implementation phases described in Section 7. Each P-number corresponds to a bounded scope of work (ADR revision, substrate implementation, adapters, or docs) that feeds into the next.
This document is the master blueprint for lionagi's governed orchestration build-out (implementation phases P12–P24). It records the strategic direction, architecture decisions, ADR verdicts, the full phase list, integration plan, and risk register. Developers beginning implementation must read this document in full before writing any code.
1. Strategic Direction¶
1.1 Thesis¶
Governed orchestration is the product. lionagi's differentiator is not model integration or orchestration convenience — it is the ability to certify that an automated run followed a declared charter: enforceable permissions, tamper-evident evidence, task certificates, and segregation-of-duties constraints. Competitors (LangGraph, LlamaIndex, CrewAI, AutoGen) provide orchestration. None provide orchestration-time governance with verifiable compliance artifacts.
The build strategy is build-over-adopt for governance primitives (hash chains, policy resolution, log tiers, certificates) and wrap-over-rewrite for external frameworks (LangGraph, LlamaIndex, CrewAI). lionagi governs at the boundary; it does not replace the user's existing tooling.
1.2 What We Are Building¶
The smallest coherent governed orchestration surface, end-to-end. Every component listed below must integrate before any adapter is meaningful.
Charter DSL v0 — YAML-shaped governance contract language. Strict schema, no wildcards, no prose-only rules, deterministic policy resolution, exact registry entries, deny-by-default permissions. Compiled to runtime targets; ratified with a reproducible SHA-256 hash. IDE hints generated from the same Pydantic schema used by the CLI validator. See: docs/governance/standards/dsl-style.md
Runtime Substrate — the engine that Charter contracts compile into and execute against:
- Immutable evidence nodes (SHA-256 hash chains, append-only audit storage)
OperationContext— per-operation actor identity, policy pin, trace IDs, propagated explicitly- Log tier governance — MUTABLE / PROTECTED / IMMUTABLE tiers, application-layer backends
- Gate framework — hard, soft, advisory gate results; fail-closed exceptions; single canonical
GateResult - Policy release pinning — session-bound snapshot, most-specific-wins resolver, deny-on-tie
- Task certificates — minted at run completion, consuming evidence chain head, gate outcomes, break-glass state, and policy version
Orchestration Integration — governance wired into existing lionagi execution paths:
Session.flow()enforces role allowlists, op limits, artifact contracts, and charter checks- Per-operation evidence sidecars (
Branch.operate(middle=...)) - CLI
FlowPlanvalidation: charter activation, op budgets, artifact contracts - Run-end certificate minting after artifact verification
Governance Layer Objects — the safety control surface:
- Break-glass protocol: emergency elevated mode with immutable justification evidence and lifecycle spans
- JIT tool grants: no-standing-capability, single-use permit semantics resolved through the registry
- Tool registry allowlists: exact-match, compiled DSL targets, policy-resolved privileged tier
- Segregation of duties: assignment-time conflict matrix, bidirectional role independence
OTel Governance Tracing — projection over typed governance records:
- Typed records are created first; trace/span IDs are embedded in evidence
- OTel spans carry evidence hashes for enterprise correlation
- Span names follow the governance span taxonomy (see
docs/governance/standards/trace-naming.md) - Enterprise readiness path: retention tiers, redaction, SIEM export, cost tracking, audit/ops separation
Provider Adapters — Two Waves:
- G1 SDK-native: PydanticAI, OpenAI Agents SDK, Anthropic Agent SDK (~200 LOC each, native event hooks)
- G2 Framework: LangGraph, LlamaIndex, CrewAI (zero-rewrite, coarse boundary governance)
1.3 What We Are Not Building¶
The following scope is explicitly cut from the current implementation phases. These items may reopen in a future revision.
| Cut Item | Rationale |
|---|---|
| G3 edge adapters (smolagents, OpenCode, HuggingFace) | Provider research marks these as smaller targets; core substrate is the constraint |
| External policy engine in critical path (OPA/Rego, Cedar) | Build stdlib+Pydantic path first; adopt only after v0 ships |
Fine-grained LangGraph ToolNode internal governance | Depends on internal API stability; coarse graph-boundary governance ships first |
| LlamaIndex multi-agent handoff translation | Deferred until single-agent tool translation is stable |
| CrewAI Flow (hierarchical delegation) translation | Deferred until Crew preflight and coarse wrappers are validated |
| REST evidence API | Authenticated, redacted, tenant-aware evidence reads are unresolved in v0 |
| Database-backed tamper-proof storage | v0 is library-mode tamper-evidence; Merkle packaging and Ed25519 signing are future |
| Permissive DSL features | Prose-only constraints, wildcards, probabilistic auth, boolean expression language, inheritance, auto-SoD, model-id actors — all killed for v0 |
| Dashboards and metrics UI | Not a v0 concern; SIEM export is the enterprise readiness path |
1.4 Market Positioning¶
lionagi enters a crowded orchestration market and must carve a distinct position. The governance layer is that position: users who need auditable, certifiable automated runs (regulated industries, enterprise compliance teams, high-stakes automation) cannot get this from existing frameworks. The charter model (declare constraints, compile them, enforce at runtime, certify outcomes) is the product. The adapters are the distribution mechanism.
2. Architecture Overview¶
Governance is an additive runtime layer — it does not replace existing lionagi execution infrastructure.
┌──────────────────────────────────────────────────────────────────┐
│ Charter DSL v0 │
│ YAML-shaped source → CLI validate → compile → ratification hash │
└────────────────────────────┬─────────────────────────────────────┘
│ compilation targets
┌────────────────────┼──────────────────────────────┐
▼ ▼ ▼
┌──────────────┐ ┌──────────────────────┐ ┌─────────────────────┐
│ Gate │ │ Registry + Policy │ │ SoD + Charter │
│ Registry │ │ Release Pin │ │ Runtime Objects │
│ (ADR-0051) │ │ (ADR-0052) │ │ (ADR-0047/0048) │
└──────┬───────┘ └──────────┬───────────┘ └─────────┬───────────┘
│ │ │
└─────────────────────┼─────────────────────────┘
▼
┌──────────────────────────────────────────────────────────────────┐
│ ActionManager.execute_governed() │
│ Phase: pre-gate → execution → post-gate → evidence sidecar │
│ (ADR-0043/0044 resolved: ActionManager owns pipeline) │
└────────────────────────────┬─────────────────────────────────────┘
│ emits
┌─────────────────────┼────────────────────────────┐
▼ ▼ ▼
┌────────────┐ ┌──────────────────────┐ ┌──────────────────────┐
│ Evidence │ │ OperationContext │ │ Log Tiers │
│ Chain │ │ (actor, policy pin, │ │ MUTABLE / │
│ (ADR-0041) │ │ trace IDs) │ │ PROTECTED / │
│ │ │ (ADR-0050) │ │ IMMUTABLE │
│ │ │ │ │ (ADR-0049) │
└─────┬──────┘ └──────────┬───────────┘ └──────────┬───────────┘
│ │ │
└────────────────────┼──────────────────────────┘
▼
┌──────────────────────────────────────────────────────────────────┐
│ OTel Projection │
│ Typed records → span with evidence hash → SIEM / collector │
│ Spans are projection; evidence chain is authoritative storage │
└──────────────────────────────────────────────────────────────────┘
│ consumed by
┌──────────────────────────┼───────────────────────────────────────┐
│ Session.flow() / FlowPlan │
│ Charter activation → op limits → artifact contracts │
│ → run-end certificate minting (ADR-0042) │
└──────────────────────────┬───────────────────────────────────────┘
│ wraps
┌──────────────────────────┼───────────────────────────────────────┐
│ Provider Adapters │
│ G1: PydanticAI | OpenAI Agents SDK | Anthropic Agent SDK │
│ G2: LangGraph | LlamaIndex | CrewAI │
│ Zero-rewrite: accept user's existing objects at the boundary │
└──────────────────────────────────────────────────────────────────┘
Layering rules:
- Evidence chain is the source of truth — OTel spans are projections, not the record.
ActionManagerowns the single governed execution pipeline — gates plug into phases, not around it.OperationContextis created and propagated explicitly —contextvarsis a bridge only.- Charter compilation must resolve all targets before activation; unresolved targets fail closed.
- Adapters claim only what they govern — coarse boundary wrappers emit boundary evidence only.
3. Provider Adapter Strategy¶
3.1 Zero-Rewrite Principle¶
Users bring their existing objects. lionagi wraps the user's existing object and governs its execution boundary. The adapter does not rewrite the user's framework code. A governed adapter has the shape:
GovernedAdapter(user_object=their_existing_thing, charter=loaded_charter)
The adapter intercepts invocation, enforces the charter at the boundary, emits evidence, and returns results. Internal framework calls (LangGraph node transitions, LlamaIndex retrieval steps, CrewAI task delegation) are observed evidence, not governed lionagi tool calls, unless the user explicitly translates framework tools into lionagi Tool objects.
3.2 G1 — SDK-Native Adapters¶
These adapters receive first implementation because they expose typed event streams and native hooks.
| Target | Hook Mechanism | Governed Events | Coarse/Fine |
|---|---|---|---|
| PydanticAI | instrument_*, run-level hooks | Tool calls, model requests, output validation | Both supported |
| OpenAI Agents SDK | Tracing hooks, AgentHook events | Tool calls, handoffs, model outputs, run lifecycle | Both supported |
| Anthropic Agent SDK | Native event stream, tool blocks | Tool use blocks, model turns, result extraction | Both supported |
Each G1 adapter is approximately 200 LOC. Fine-grained claims require the framework tool to be translated into a registered lionagi Tool object. Coarse-only claims govern invocation boundaries.
3.3 G2 — Framework Adapters¶
These adapters accept existing user objects and apply coarse governance at the boundary.
| Target | Accepted Objects | Coarse Boundary | Fine Governance |
|---|---|---|---|
| LangGraph | CompiledStateGraph | Graph invoke entry/exit | Requires tool translation; fine mode explicitly labeled |
| LlamaIndex | AgentWorkflow, FunctionAgent, ReActAgent, QueryEngineTool, FunctionTool | Agent run entry/exit | Tool translation supported for FunctionTool |
| CrewAI | Crew, CrewPlan (preflight) | Crew kickoff entry/exit | Hierarchical delegation not governed in v0 |
Internal framework state transitions (LangGraph node routing, LlamaIndex retrieval pipelines, CrewAI task delegation chains) are observed boundary evidence, not governed lionagi actions, in coarse mode. Any adapter claiming fine governance for internal steps must register those steps as translated lionagi Tool objects with registry entries.
3.4 G3 — Edge Adapters (Not In Scope for Current Implementation)¶
smolagents, OpenCode, and HuggingFace inference suites remain optional. They reopen only if earlier implementation phases complete ahead of schedule with clean adversarial test results.
3.5 Adapter Claim Standards¶
Every adapter ships with an explicit claim matrix in its docstring and test fixture. The matrix declares: which events are governed (gate + evidence), which events are observed-only (boundary evidence, no gate enforcement), and which events are not captured. Overclaiming governance for internal framework calls is a defect that fails the adversarial test suite.
4. DSL Strategy¶
4.1 Charter DSL v0 Overview¶
Charter DSL v0 is YAML-shaped, not YAML-arbitrary. It has a fixed top-level block set, strict Pydantic schema, and deterministic compilation. It is not a general-purpose policy language. Unsupported features are rejected at parse time with actionable error messages.
Canonical top-level blocks (required unless marked optional):
charter_dsl — version pin ("0.1")
kind — agent_charter | session_charter
metadata — identity, release, ratification
agents — actor bindings (one per agent_charter, two or more per session_charter)
registry — ratified tool/model/path snapshot with evidence
constraints — executable gate or hook bindings with enforcement levels
sod — segregation-of-duties conflict matrix (required, rules: [] if inactive)
permissions — explicit allow/deny rules with specificity resolution
break_glass — (optional) emergency elevated mode with attestation and time bounds
trace — span and evidence requirements for runtime verification
Full syntax specification: docs/governance/standards/dsl-style.md
Three concrete charter examples are in: docs/governance/charter-dsl-v0.md
4.2 Compilation Pipeline¶
Charter compilation follows six ordered phases. Each phase is a gate — failure fails closed.
Phase 1: Parse
YAML source → AST nodes
Validates: top-level block presence, key spelling, value types
Rejects: unknown keys, wrong types, missing required blocks
Phase 2: Validate
Schema validation via Pydantic models
Checks: constraint binding exclusivity (exactly one of gate_id/hook_name),
SoD rule structure, permission specificity, trace span name set
Phase 3: Bind
Resolves gate_id → registered GateExecutor
Resolves hook_name + hook_phase → registered hook
Resolves registry entry values → canonical identifiers
Fails closed on any unresolved target
Phase 4: Normalize
Produces canonical JSON representation
Comments stripped; field order fixed; enum values lowercased
Output is deterministic given the same input
Phase 5: Emit
Produces typed runtime target objects:
- GateRegistration objects (one per constraint)
- RegistryEntry objects (one per registry entry)
- SoDRule objects (bidirectional, one per sod.rules entry)
- EvidenceRequirement objects (from constraints and trace)
- TraceExpectation objects (from trace.require_spans)
- PermissionPolicy object (from permissions block)
- PolicyPin record (from metadata.policy_release)
Phase 6: Activate
Computes SHA-256 hash of normalized JSON
Compares against metadata.ratification.hash (must match for accepted charters)
Records activation evidence (charter_id, hash, policy_pin, activated_at)
Registers all emitted targets with the runtime
Returns typed AgentCharter or SessionCharter runtime object
4.3 Runtime Binding¶
At runtime, the compiled charter binding is the source of authority for:
- Gate enforcement:
ActionManager.execute_governed()consults registered gates byconstraint_id - Registry enforcement: tool calls check against ratified registry snapshots
- Policy resolution: ADR-0052 resolver uses the policy pin from the charter
- SoD checks: role conflict matrix is evaluated at assignment time
- Trace verification: required spans are validated post-run against the OTel export
4.4 IDE Hints and CLI Integration¶
The same Pydantic schema that validates charters at runtime is exported as JSON Schema for IDE integration. Editor hints cannot drift from runtime validation because they share the same source.
CLI commands (planned — not yet implemented; implementation is tracked in the charter parser and flow governance phases):
li charter validate <file>— parse + validate, report errors with line numbersli charter compile <file>— full compilation through Phase 5, output runtime target summaryli charter activate <file>— full compilation through Phase 6, register targets in session
5. Tracing Strategy¶
5.1 Architecture: Records First, Spans Second¶
The governance tracing architecture has a strict hierarchy:
- The runtime creates typed governance records first (evidence nodes, gate results, certificates)
trace_idandspan_idare embedded into evidence at record creation time- OTel spans are projected from the same records, carrying evidence hashes for correlation
- Spans are never the authoritative storage for governance decisions
This means: an auditor verifying a run reads the evidence chain, not the OTel export. OTel is the enterprise observability interface (SIEM, alerting, dashboards), not the compliance record.
5.2 Span Taxonomy Reference¶
The canonical span registry is defined in docs/governance/standards/trace-naming.md (section 4). That file is the authoritative source for span names, required attributes, and retention tiers. The summary below uses the same attribute names as trace-naming.md.
Base spans:
| Span Name | Trigger | Key Required Attributes |
|---|---|---|
governance.operation | Operation start | governance.operation.name, governance.charter.id, governance.policy.version, governance.actor.id, governance.actor.role, governance.evidence.hash |
gate.evaluate | Gate execution | gate.id, gate.tool.name, gate.verdict, gate.enforcement, gate.policy.version, gate.charter.id, gate.evidence.hash, gate.reason |
evidence.emit | Evidence node creation | evidence.id, evidence.kind, evidence.chain.hash, evidence.previous.hash, evidence.tier, evidence.payload.hash |
registry.lookup | Registry entry check | registry.tool.name, registry.role, registry.allowed, registry.policy.version, registry.lookup.source, registry.evidence.hash |
policy.resolve | Policy resolution | policy.count, policy.strategy, policy.winner, policy.version, policy.conflict.count, policy.evidence.hash |
certificate.mint | Certificate creation | certificate.id, certificate.task.id, certificate.gates.passed, certificate.gates.failed, certificate.grade, certificate.defensibility, certificate.evidence.chain.hash, certificate.break.glass |
sod.check | SoD matrix evaluation | sod.role, sod.capability, sod.verdict, sod.policy.version, sod.evidence.hash |
Additional spans (permit, certificate, and break-glass lifecycle — implemented in the OTel tracing phase):
| Span Name | Trigger | Key Required Attributes |
|---|---|---|
permit.issue | JIT permit issued | permit.id, permit.scope, permit.tool.name, permit.issuer.id, permit.subject.id, permit.expires.at, permit.evidence.hash |
permit.consume | JIT permit consumed on tool call | permit.id, permit.tool.name, permit.subject.id, permit.consumed.at, permit.consume.result, permit.evidence.hash |
permit.revoke | JIT permit revoked before expiry | permit.id, permit.revoked.by, permit.revoked.at, permit.revoke.reason, permit.evidence.hash |
certificate.verify | Certificate re-verification | certificate.id, certificate.verification.result, certificate.superseded.by, certificate.evidence.chain.hash |
breakglass.open | Break-glass activation | breakglass.window.id, breakglass.activated.at, breakglass.requested.by, breakglass.approved.by, breakglass.reason, breakglass.max.duration, breakglass.evidence.hash |
breakglass.expire | Break-glass window expired | breakglass.window.id, breakglass.activated.at, breakglass.expired.at, breakglass.authority, breakglass.tools.used.count, breakglass.expiry.reason |
breakglass.close | Break-glass closed or revoked | breakglass.window.id, breakglass.closed.at, breakglass.close.reason, breakglass.tool.call.count, breakglass.certificate.id |
breakglass.notify | Emergency notification sent | breakglass.window.id, breakglass.notification.target, breakglass.notification.kind, breakglass.notification.result |
gate.justify | SOFT gate override with justification | gate.id, gate.verdict, gate.enforcement, gate.justification, gate.justification.actor.id, gate.evidence.hash |
See trace-naming.md section 4 for the complete attribute list for every span type.
5.3 Enterprise Readiness Path¶
The span schema is designed for enterprise readiness from the start. Retrofitting observability attributes onto opaque spans is expensive — declaring them in the schema creates the migration path.
| Capability | Design Element | Implementation phase |
|---|---|---|
| Retention tiers | Log tier governance aligned with span retention fields | Evidence chain phase; OTel tracing phase |
| Sensitive data redaction | Evidence record field exclusion rules documented at emit time | Evidence chain phase |
| SIEM export | OTel collector-compatible span format; attribute naming follows OTel semconv | OTel tracing phase |
| Backpressure | Span export failure must not block evidence chain writes | OTel tracing phase |
| Alerting | gate.verdict: DENY and breakglass.open are alertable events | OTel tracing phase |
| Cost tracking | governance.operation spans carry operation budget attributes | Flow governance integration phase |
| Audit/ops separation | Audit spans go to immutable SIEM sink; ops spans go to mutable collector | OTel tracing phase |
6. ADR Slate Verdict¶
All 12 governance ADRs are reviewed. The verdict is five SURVIVE, seven REVISE, zero KILL. No ADR is correct-as-is across the entire governance design; revisions resolve overlaps and bind the ADRs to the Charter DSL compilation pipeline and shared runtime types.
| ADR | Title | Verdict | Rationale |
|---|---|---|---|
| ADR-0041 | Immutable Evidence Nodes | SURVIVE | Hash-chain evidence is the correct foundation. Matches P7's stdlib SHA-256 build path and P1's missing chain-tip/canonical hash substrate. Implementation must follow it without modification. |
| ADR-0042 | Task Certificate | REVISE | Certificate stays, but must inherit ADR-0041 evidence types rather than redeclaring Element-based references. Minting must consume OperationContext, gate records, break-glass state, and policy pin. |
| ADR-0043 | Governed Tool Declaration | REVISE | Rename to "Governed Tool Wrapper" to match the actual implementation (a wrapper + metadata, not just a declaration). ActionManager is the single execution pipeline owner; gates plug into its phases. |
| ADR-0044 | Tool Gates | REVISE | Keep binary gates and fail-closed exceptions. Define one canonical GateResult type (currently duplicated with ADR-0050). Treat break-glass as a separate emergency lifecycle, not a HARD gate override. |
| ADR-0045 | Break-Glass Protocol | REVISE | Keep the emergency path. Add activation/revoke lifecycle spans (breakglass.open, breakglass.close). Clarify library-mode limits: no hardware HSM, no distributed consensus. Reconcile evidence/certificate path with OperationContext. |
| ADR-0046 | JIT Tool Grant | REVISE | Keep no-standing-capability and single-use permit semantics. The registry/policy-resolved privileged tier is authoritative for requires_jit; decorator metadata is a declaration hint, not the source of truth. |
| ADR-0047 | Agent Charter | REVISE | Replace Python-only charter objects with DSL-first compilation. Runtime AgentCharter and SessionCharter objects are compiler outputs, not hand-constructed. CLI validation and activation evidence are mandatory. |
| ADR-0048 | Agent SoD | SURVIVE | Assignment-time conflict matrices and role independence are correct and required. Must be implemented before CrewAI hierarchical/delegation paths can be claimed governed. |
| ADR-0049 | Log Tier Governance | SURVIVE | MUTABLE/PROTECTED/IMMUTABLE model is correct. Application-layer backend deferral is the right call for v0. Complements evidence chain rather than replacing it. |
| ADR-0050 | Operation Context | REVISE | Keep active assertion, explicit propagation, and evidence embedding. Remove the duplicated GateResult type (canonical home is ADR-0044). Settle pipeline phase ownership with ADR-0043. Allow contextvars as a propagation bridge only, never as the authoritative source of context state. |
| ADR-0051 | Tool Registry Allowlists | REVISE | Keep append-only exact registry semantics. Make registry entries compiled DSL targets, not a parallel policy plane. The registry is a runtime enforcement artifact of Charter compilation, not an independently authored store. |
| ADR-0052 | Policy Resolution | SURVIVE | Most-specific-wins, deny-on-tie, staged releases, and session pinning are the canonical resolver algorithm. Wire it into Charter DSL compilation (the permissions block compiles to policy rules) and registry scope. |
Revision convergence groups:
- ADR-0043 + ADR-0044 + ADR-0050 → one governed execution pipeline in
ActionManager - ADR-0047 + ADR-0051 + ADR-0052 → unified under Charter DSL compilation
- ADR-0045 + ADR-0046 → explicit lifecycle evidence and OTel spans for emergency/elevated paths
7. Implementation Phase List¶
13 phases (P12–P24). No phase may be added without explicit scope cut elsewhere. G3 adapters, REST evidence API, dashboards, and fine-grained framework internals are the first cut targets if budget is exceeded. P-numbers are sequential identifiers; each number corresponds to one bounded scope of work described below.
P12 — ADR Slate Consolidation (the governance consolidation phase)¶
| Field | Value |
|---|---|
| Category | A — ADR revision |
| Playbook | feature |
| Effort | medium |
| Scope | Revise ADR-0042, 0043, 0044, 0045, 0046, 0047, 0050, 0051 to remove duplicated types and bind DSL/runtime ownership. Produce cross-reference table: which ADR owns each type. |
| Dependencies | This document |
| Measurement | All revised ADRs cite evidence inventory; no duplicated GateResult; cross-reference table complete; ADR doc links to tests and implementation path |
| Files Modified | docs/_archive/v0/ADR-0042-*.md, ADR-0043-*.md, ADR-0044-*.md, ADR-0045-*.md, ADR-0046-*.md, ADR-0047-*.md, ADR-0050-*.md, ADR-0051-*.md |
P13 — Charter DSL Parser and Schema¶
| Field | Value |
|---|---|
| Category | B — DSL implementation |
| Playbook | feature |
| Effort | high |
| Scope | Implement canonical DSL Pydantic models, YAML parser, schema validation, legacy variant rejection with migration diagnostics, and JSON Schema export for IDE hints. Must handle all required blocks, optional break_glass, enforcement enum normalization, and constraint binding exclusivity check. |
| Dependencies | P12 |
| Measurement | Unit tests for parser; property tests for schema round-trips; fixtures cover three canonical charter examples; wildcards and legacy apiVersion keys are rejected with line-specific error messages; JSON Schema output passes VS Code schema validation |
| Files Modified | lionagi/protocols/governance/charter.py, lionagi/protocols/governance/dsl.py, lionagi/cli/orchestrate/charter.py, tests/governance/test_charter_dsl.py |
P14 — Charter Compiler and Runtime Targets¶
| Field | Value |
|---|---|
| Category | B — DSL implementation |
| Playbook | feature |
| Effort | high |
| Scope | Compile DSL through all six phases. Emit GateRegistration, RegistryEntry, SoDRule, EvidenceRequirement, TraceExpectation, PermissionPolicy, and PolicyPin objects. Activation must verify SHA-256 hash against metadata.ratification.hash; unresolved targets fail closed. |
| Dependencies | P13 |
| Measurement | Golden compile snapshots stable across Python versions; activation fails closed on hash mismatch; activation fails closed on unresolved gate or hook target; coverage across all seven runtime target families; adversarial test: tampered charter hash is rejected |
| Files Modified | lionagi/protocols/governance/compiler.py, lionagi/protocols/governance/runtime.py, lionagi/cli/orchestrate/charter.py, tests/governance/test_charter_compile.py |
P15 — Evidence Chain and Log Tiers¶
| Field | Value |
|---|---|
| Category | C — Substrate |
| Playbook | feature |
| Effort | high |
| Scope | Canonical JSON evidence nodes with SHA-256 chain hashing (stdlib hashlib, zero external dependency). Append-only audit pile behavior (existing Pile gets append-only mode). Tier-aware DataLogger emitting MUTABLE, PROTECTED, and IMMUTABLE records. Evidence chain verify() that detects tampering, reordering, and deletion. |
| Dependencies | P12 |
| Measurement | Tamper, reorder, delete tests pass; property tests for SHA-256 determinism; microbenchmark confirms synchronous hashing stays under 1ms for typical evidence payloads; sensitive field exclusion is documented at emit time |
| Files Modified | lionagi/protocols/governance/evidence.py, lionagi/protocols/generic/log.py, lionagi/protocols/generic/pile.py, lionagi/session/branch.py, tests/governance/test_evidence_chain.py |
P16 — OperationContext and Policy Release Pinning¶
| Field | Value |
|---|---|
| Category | C — Substrate |
| Playbook | feature |
| Effort | high |
| Scope | OperationContext with actor identity, policy release pin, trace IDs, operation budget, and evidence embedding helpers. Explicit propagation via function arguments. contextvars bridge: set at async boundary for tools that cannot accept explicit context, but never used as the authoritative store. Policy release pin validated against the session charter at Session.flow() entry. |
| Dependencies | P15 |
| Measurement | Async propagation tests show context is correctly available in governed tool calls; missing context fails closed in governed mode; contextvars contains only a reference to the explicit context, not the state itself; policy pin mismatch fails the flow before execution |
| Files Modified | lionagi/protocols/governance/context.py, lionagi/session/branch.py, lionagi/session/session.py, lionagi/operations/operate/operate.py, tests/governance/test_operation_context.py |
P17 — Governed ActionManager Gates¶
| Field | Value |
|---|---|
| Category | C — Substrate |
| Playbook | feature |
| Effort | high |
| Scope | Tool.governance_meta descriptor, @governed_tool decorator, ActionManager.execute_governed() pipeline (pre-gate → execution → post-gate → evidence sidecar), gate registry executor, and no-bypass controls on raw tool execution. Single canonical GateResult type (ADR-0044 owner). Hard gates raise GovernanceViolationError on deny; soft gates emit advisory evidence; advisory gates record without blocking. |
| Dependencies | P14, P16 |
| Measurement | Happy-path test (ALLOW result, evidence emitted); deny test (DENY raises error, evidence immutable); soft gate test (SOFT allows with justification evidence); advisory test (ADVISORY records without blocking); raw-tool bypass adversarial test fails closed; exactly one GateResult import path |
| Files Modified | lionagi/protocols/action/tool.py, lionagi/protocols/action/manager.py, lionagi/protocols/action/function_calling.py, lionagi/protocols/governance/gates.py, tests/governance/test_tool_gates.py |
P18 — Flow Governance Integration¶
| Field | Value |
|---|---|
| Category | D — Orchestration integration |
| Playbook | feature |
| Effort | high |
| Scope | Define and implement TaskCertificate type (minting, grade computation, evidence chain head embedding). Wire charter activation into Session.flow() entry; enforce role allowlists and op limits from compiled charter; validate artifact contracts in FlowPlan; attach per-operation evidence sidecars via Branch.operate(middle=...); mint run-end TaskCertificate after artifact verification; expose li charter activate and li flow run --charter CLI paths. |
| Dependencies | P17 |
| Measurement | Integration fixture proves: op limit exceeded → run blocked; role not in allowlist → op blocked; artifact missing → certificate not minted; break-glass event recorded in immutable evidence; run certificate contains evidence chain head hash and policy version |
| Files Modified | lionagi/session/session.py, lionagi/operations/flow.py, lionagi/operations/types.py, lionagi/cli/orchestrate/flow.py, lionagi/cli/orchestrate/_orchestration.py, tests/governance/test_flow_governance.py |
P19 — Certificates, Break-Glass, JIT, Registry, SoD¶
| Field | Value |
|---|---|
| Category | E — Layer |
| Playbook | feature |
| Effort | high |
| Scope | Full governance layer object implementations: TaskCertificate (verification, replay detection, certificate store querying — minting type is defined in P18), BreakGlassProtocol (activation with attestation evidence, lifecycle spans, revocation, DEGRADED certificate path), JITGrant (single-use permit, registry/policy-resolved requires_jit, expiry), ToolRegistry (compiled DSL targets, exact-match, policy-resolved scope), PolicyResolver (ADR-0052 most-specific-wins), SoDMatrix (bidirectional conflict, assignment-time check). |
| Dependencies | P18 |
| Measurement | Certificate replay is blocked; break-glass audit evidence is immutable and non-exportable via normal paths; JIT grant is consumed exactly once; deny-on-tie test case; SoD matrix property test for bidirectional conflicts; adversarial test: elevated tool call outside break-glass window is rejected |
| Files Modified | lionagi/protocols/governance/certificate.py, lionagi/protocols/governance/break_glass.py, lionagi/protocols/governance/jit.py, lionagi/protocols/governance/registry.py, lionagi/protocols/governance/policy.py, lionagi/protocols/governance/sod.py, lionagi/session/branch.py, tests/governance/test_layer_controls.py |
P20 — OTel Governance Tracing¶
| Field | Value |
|---|---|
| Category | F — Tracing |
| Playbook | feature |
| Effort | medium |
| Scope | Project typed governance records onto OTel spans using the full governance span registry defined in standards/trace-naming.md (base spans plus permit lifecycle, certificate lifecycle, break-glass open/close/notify, and SOFT gate justification spans). Embed evidence hashes and trace/span IDs bidirectionally. Span export failure must not block evidence chain writes (backpressure). Retention tier alignment with log tier governance. |
| Dependencies | P19 |
| Measurement | Every governance record type has a corresponding span; all span attribute names are dot-separated; evidence.emit span carries chain tip hash; breakglass.open span is alertable; evidence chain verification passes without OTel export; backpressure test confirms evidence writes complete when span export is blocked |
| Files Modified | lionagi/protocols/governance/tracing.py, lionagi/protocols/generic/log.py, tests/governance/test_tracing.py |
P21 — SDK-Native Governed Endpoints (G1)¶
| Field | Value |
|---|---|
| Category | G1 — SDK-native adapters |
| Playbook | feature |
| Effort | medium |
| Scope | Zero-rewrite governed endpoints for PydanticAI (instrument_* hooks), OpenAI Agents SDK (AgentHook event stream), and Anthropic Agent SDK (native tool-use block handling). Each adapter: ~200 LOC, accepts the user's existing agent/runner object, emits boundary evidence, enforces the compiled charter at the invocation boundary. Explicit claim matrix in docstring and test. |
| Dependencies | P17, P20 |
| Measurement | Contract tests with mocked typed event streams; package-shape validation confirms no framework internals are imported unconditionally; coarse/fine claim matrix documented; adversarial test: overclaiming internal tool call governance fails the claim matrix check |
| Files Modified | lionagi/adapters/openai_agents.py, lionagi/adapters/anthropic_agents.py, tests/adapters/test_governed_sdk_adapters.py |
P22 — Framework Governed Endpoints (G2)¶
| Field | Value |
|---|---|
| Category | G2 — Framework adapters |
| Playbook | feature |
| Effort | medium |
| Scope | Zero-rewrite governed wrappers for LangGraph (CompiledStateGraph), LlamaIndex (AgentWorkflow, FunctionAgent, ReActAgent, QueryEngineTool, FunctionTool), and CrewAI (Crew, CrewPlan preflight). Coarse boundary governance only. Fine mode available only for translated lionagi Tool objects. CrewAI hierarchical delegation is not governed in v0. |
| Dependencies | P18, P19 |
| Measurement | Contract tests for graph invoke, LlamaIndex tool translation, CrewPlan preflight; claim matrix documents what is and is not governed; unsupported delegation call fails closed with a descriptive GovernanceViolationError; coarse-only adapters emit boundary evidence correctly |
| Files Modified | lionagi/adapters/langgraph.py, lionagi/adapters/crewai.py, tests/adapters/test_governed_framework_adapters.py |
P23 — Governance Test and Adversarial Fixture Pack¶
| Field | Value |
|---|---|
| Category | H — Hygiene and docs |
| Playbook | feature |
| Effort | medium |
| Scope | Shared conftest.py and fixture library for all governance tests. Marker lanes: @pytest.mark.governance, @pytest.mark.adversarial, @pytest.mark.property. Deterministic adversarial suites for: charter parser (injection, malformed, wildcard), gate executor (bypass, type mismatch), evidence chain (tamper, reorder), registry (exact-match bypass), policy resolver (tie, ambiguity), SoD (conflict evasion), JIT (replay, expiry), break-glass (window exhaustion). Mutation and fuzz entrypoints for parser and evidence chain. |
| Dependencies | P13-P22 |
| Measurement | PR adversarial lane deterministic and passing; property tests cover chain/SoD/policy invariants with Hypothesis; adversarial bypass suite passes for all nine threat categories; mutation tests achieve ≥80% kill rate |
| Files Modified | tests/governance/conftest.py, tests/governance/fixtures/, pyproject.toml, tests/governance/test_adversarial_charter.py, tests/governance/test_adversarial_gates.py, tests/governance/test_adversarial_evidence.py, tests/governance/test_adversarial_policy.py |
P24 — Docs, Migration Guide, and Public API Polish¶
| Field | Value |
|---|---|
| Category | H — Hygiene and docs |
| Playbook | fix |
| Effort | medium |
| Scope | User-facing governed orchestration guide, CLI reference (li charter, li flow), adapter claim matrix (table: adapter × event × governance level), migration path from ungoverned lionagi usage, standards cleanup pass, and lionagi/governance/__init__.py ergonomic public API with typed imports. Documentation examples must run or have snapshot-validated output. |
| Dependencies | P21, P22, P23 |
| Measurement | Documentation examples run or snapshot-validated; adapter claim matrix matches adversarial test fixture labels; migration guide covers the three most common ungoverned patterns; no banned token matches; public API imports resolve in <100ms |
| Files Modified | docs/governance/, README.md, docs/_archive/v0/README.md, lionagi/governance/__init__.py, tests/docs/test_governance_examples.py |
8. Integration Plan¶
The governance build is additive. After implementation, existing lionagi code will be modified at well-defined extension points only. New modules will live in lionagi/protocols/governance/ (proposed — not yet created). Existing modules will receive narrow additions.
8.1 lionagi/protocols/¶
New package: lionagi/protocols/governance/
| Module | Contents |
|---|---|
evidence.py | EvidenceNode, EvidenceChain, ChainVerifier, SHA-256 hash utilities |
context.py | OperationContext, contextvars bridge, policy pin, actor identity helpers |
gates.py | GateResult, GateExecutor, GateRegistry, GovernanceViolationError |
charter.py | AgentCharter, SessionCharter, CharterId, RatificationRecord |
dsl.py | CharterDSL Pydantic models, YAML parser, JSON Schema exporter |
compiler.py | Six-phase compiler: parse → validate → bind → normalize → emit → activate |
runtime.py | GateRegistration, RegistryEntry, SoDRule, EvidenceRequirement, TraceExpectation |
certificate.py | TaskCertificate, minting, verification, replay registry |
break_glass.py | BreakGlassProtocol, attestation, lifecycle spans, DEGRADED certificate path |
jit.py | JITGrant, single-use permit, expiry, requires_jit resolution |
registry.py | ToolRegistry, exact-match, policy-resolved scope, compiled DSL target store |
policy.py | PolicyResolver, most-specific-wins, deny-on-tie, staged release pinning |
sod.py | SoDMatrix, bidirectional conflict, assignment-time check |
tracing.py | OTel span projections, evidence hash embedding, backpressure-safe export |
Modified: lionagi/protocols/generic/
| File | Change |
|---|---|
log.py | Add tier-aware emission: MUTABLE, PROTECTED, IMMUTABLE record routing |
pile.py | Add append-only mode for audit records |
Modified: lionagi/protocols/action/
| File | Change |
|---|---|
tool.py | Add governance_meta descriptor and @governed_tool decorator |
manager.py | Add execute_governed() pipeline; raw execution path marked as non-governed |
function_calling.py | Thread OperationContext through tool execution call stack |
8.2 lionagi/session/¶
| File | Change |
|---|---|
branch.py | Mount: evidence chain, policy pin, charter binding, role identity, JIT grant store |
session.py | Mount: charter activation at flow entry, certificate store, break-glass window tracking |
Branch gains governance state that is initialized when a charter is activated. Ungoverned branches remain unchanged — governance is opt-in at the Session.flow() or Branch.activate_charter() call.
8.3 lionagi/cli/orchestrate/¶
| File | Change |
|---|---|
charter.py | New: li charter validate, li charter compile, li charter activate commands |
flow.py | Add: --charter flag, flow-plan governance validation, certificate reporting |
_orchestration.py | Add: artifact evidence sidecars, run-end certificate hook |
8.4 lionagi/adapters/¶
New adapter modules (P21, P22). The base class is GovernedAdapter in lionagi/adapters/governed_base.py (ADR-0068). Each concrete adapter module contains the framework-specific GovernedAdapter subclass and its claim matrix.
| Module | Exported Class | Target | Play |
|---|---|---|---|
lionagi/adapters/openai_agents.py | GovernedOpenAIAgent | OpenAI Agents SDK | P21 |
lionagi/adapters/anthropic_agents.py | GovernedAnthropicAgent | Anthropic Agent SDK | P21 |
lionagi/adapters/langgraph.py | GovernedLangGraph | LangGraph CompiledStateGraph | P22 |
lionagi/adapters/crewai.py | GovernedCrew | CrewAI Crew | P22 |
Each adapter module exports exactly one concrete GovernedAdapter subclass. The claim matrix is documented in the class docstring and mirrored in the test fixture (tests/adapters/).
No adapter module is added until the substrate (P15-P17) and flow governance (P18) are complete and verified. An adapter claiming governance before the substrate exists is a false claim.
8.5 lionagi/tools/¶
| Change | Details |
|---|---|
Add governance_meta to built-in tools | read_file, write_file, exec_command, and other built-ins get governance metadata |
| Safe defaults | Destructive-action tools (write, exec) default to registry-required, hard gate |
| Registry identity | Built-in tool IDs are canonical and match the DSL tool.* identifier namespace |
8.6 Public API (lionagi/governance/)¶
After P19, expose ergonomic imports over the full protocol path:
from lionagi.governance import (
AgentCharter,
SessionCharter,
TaskCertificate,
EvidenceChain,
OperationContext,
ToolRegistry,
PolicyResolver,
SoDMatrix,
BreakGlassProtocol,
JITGrant,
governed_tool,
GovernanceViolationError,
)
The public API is the migration entry point. v1 migration attaches governance to existing branches via branch.activate_charter(charter) without requiring Session-level flow rewrites.
9. Risk Register¶
| Risk | Likelihood (1-5) | Impact (1-5) | Mitigation | Recovery Rule |
|---|---|---|---|---|
| DSL/runtime drift: Charter compiles to targets the runtime does not enforce, creating a false governance claim | 3 | 5 | Golden compile snapshots from the DSL parser and compiler phases; activation fails closed on unresolved targets; each target type has a corresponding integration test in the flow governance phase | ADR-impl drift triggers the "match ADR or revise" recovery: pause implementation, revise the ADR, re-pass the gate |
| Coarse adapter overclaiming: Adapter claims governance for internal framework calls that are not enforced | 4 | 5 | Claim matrix per adapter; the adversarial fixture pack phase checks claim matrix against emitted evidence; coarse-only adapters emit boundary evidence only | Later bypass/test gaps queue a substrate patch or ADR amendment; adapter ships with explicit scope limitation in docs |
OperationContext propagation ambiguity: contextvars used as authoritative store, causing governance gaps under concurrency | 3 | 4 | Explicit propagation is the design; contextvars is bridge-only; the OperationContext phase tests prove no authoritative hidden accumulation; async propagation tests cover concurrent operation paths | Substrate bug queues a foundation patch and blocks API widening until the fix is verified |
GateResult type duplication: Incompatible GateResult types across ADR-0044 and ADR-0050 cause certificate, span, and policy inconsistencies | 4 | 4 | The ADR consolidation phase establishes one canonical GateResult before any substrate implementation; cross-reference table in ADR revision locks ownership | ADR contradictions get a binding tie-break from the ADR consolidation phase; no implementation proceeds without resolution |
| Evidence integrity misrepresented: Library-mode hash chains mistakenly claimed as tamper-proof storage | 3 | 5 | Documentation is explicit: library-mode tamper-evidence, sensitive-field exclusion, backend immutability is not provided by lionagi core; audit trail is advisory in adversarial custody settings | Any claim of tamper-proof storage triggers an immediate doc correction and governance violation |
| Break-glass undermines HARD gate semantics: Emergency path is used to bypass normal governance as a convenience | 3 | 5 | Break-glass has a separate emergency lifecycle distinct from normal gate results; all activations emit immutable justification evidence; DEGRADED certificate signals non-standard run; lifecycle spans are alertable | Behavioral gaps queue a substrate/ADR coverage patch; repeated misuse triggers a policy tightening revision |
| External package APIs move before adapters land: LangGraph, LlamaIndex, CrewAI, or SDK-native packages change their event or hook API | 3 | 3 | Runtime package validation at adapter import; contract tests use mocked event shapes with explicit version pins; claim_matrix.py documents which API version the claim matrix was verified against | Integration breakage triggers rollback to last verified version, patch, or documented incompatibility until upstream stabilizes |
| Deny-on-tie creates availability failures: Common policies accidentally hit the tie-deny rule in production | 3 | 4 | Canary policy tests in the governance layer phase; deny-on-tie test cases in the adversarial fixture pack; clear error messages name the conflicting rule IDs; deny remains the integrity-safe default | Later defects queue a policy patch with specificity adjustments |
| Trace export becomes treated as compliance storage: Teams use OTel export instead of the evidence chain for audits | 2 | 4 | Architecture documentation is explicit: spans are projections, evidence chain is authoritative; certificate.mint span does not contain the full certificate; evidence hash in spans is for correlation only | Integration breakage blocks downstream until the misuse is corrected and the evidence chain is adopted |
| Scope exceeds 13 phases: Implementation finds the 13 phases insufficient and scope creeps | 4 | 4 | G3 adapters, REST evidence API, dashboards, and fine-grained framework internals are the first cut; the adversarial fixture and docs phases are deferrable if substrate phases slip | Budget/time pressure forces a minimum viable cut: G1+substrate+flow is the irreducible core; G2 and layer objects are deferrable |
Cross-References¶
| Document | Path | Contents |
|---|---|---|
| DSL Style | docs/governance/standards/dsl-style.md | Charter DSL syntax conventions, required blocks, formatting rules, two examples |
| ADR Style | docs/governance/standards/adr-style.md | ADR structure, status values, revision conventions |
| Test Style | docs/governance/standards/test-style.md | Test fixture naming, marker lanes, coverage thresholds |
| Trace Naming | docs/governance/standards/trace-naming.md | Span name registry, required attributes, retention tiers |
| Error Messages | docs/governance/standards/error-messages.md | Error message conventions for human and agent consumers |
| Commit and PR Style | docs/governance/standards/commit-and-pr-style.md | Commit message format, PR description structure |
| Charter DSL v0 | docs/governance/charter-dsl-v0.md | Canonical Charter DSL v0 with three complete examples |
This document is authoritative for implementation phases P12–P24. Changes require a governance ADR revision or an explicit direction amendment with project maintainers' approval.