Enforces agent policy gates: plan-before-write enforcement, audit completeness checking, and tool call linting. Governance is the layer between "what the agent wants to do" and "what the policy allows."
- Write tools require a plan — in `WORKSPACE_WRITE` mode with `require_plan=True`, any call to `workspace_write_file`, `workspace_apply_patch`, or `workspace_edit_at_hash` must have a bound plan in the context (`context['plan_contract']['content_hash']`).
- `--skip-plan-check` override — power users can bypass with explicit acknowledgment.
- Mode precedence — `READ_ONLY` and `DANGER_FULL_ACCESS` modes bypass the plan gate entirely.
- Required events — checks that an audit log contains a minimal set of event types (e.g., `run_started`, `run_completed`).
- Returns a report — does not raise; returns a list of missing event types.
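An added example of the audit-completeness check described above (example code, not the project's own): it scans a JSON Lines audit log for the required event types and returns a report instead of raising. The log lines, the `event` field name and the `audit_report` helper are assumptions of this example; the page only specifies that a list of missing event types is returned, which `missing_events` provides.

```python
import json

# Minimal set of event types every run is expected to emit (from the page).
REQUIRED_EVENTS = ("run_started", "run_completed")


def missing_events(log_lines, required=REQUIRED_EVENTS):
    """Return the required event types absent from the log, in the required order.

    Never raises: malformed or empty lines are skipped so a corrupt log
    still yields a usable answer rather than an exception in the checker.
    """
    return audit_report(log_lines, required)["missing"]


def audit_report(log_lines, required=REQUIRED_EVENTS):
    """Extended report (assumption: not the page's return shape) with line counts."""
    seen = set()
    malformed = 0
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        # Assumption: each record carries its event type under the key "event".
        if isinstance(event, dict) and isinstance(event.get("event"), str):
            seen.add(event["event"])
    return {
        "missing": [e for e in required if e not in seen],
        "seen": sorted(seen),
        "malformed_lines": malformed,
    }


# Constructed sample logs for a complete run and an interrupted run.
COMPLETE_RUN = [
    '{"event": "run_started", "run_id": "r1"}',
    '{"event": "tool_call", "run_id": "r1", "tool": "workspace_read_file"}',
    '{"event": "run_completed", "run_id": "r1"}',
]
INTERRUPTED_RUN = [
    '{"event": "run_started", "run_id": "r2"}',
    '{"event": "tool_call", "run_id": "r2", "tool": "workspace_write_file"}',
    "{not valid json",  # constructed corruption, e.g. a truncated write
]

if __name__ == "__main__":
    print(audit_report(COMPLETE_RUN))
    print(audit_report(INTERRUPTED_RUN))
```

The interrupted run reports `run_completed` as missing and counts the corrupt line, which is the signal an operator wants when deciding whether a run terminated cleanly.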
- Schema validation — validates that all registered tools have well-formed JSON Schema `input_schema`.
- Annotation consistency — flags contradictory annotations (e.g., `read_only=True, destructive=True`).
- Returns violations — does not raise; returns a list of violations.
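An added example of the tool call linter described above (example code, not the project's own). The registry layout (a list of dicts with `name`, `input_schema` and `annotations`) and the specific well-formedness rules are assumptions; the page states only that schemas are validated, contradictory annotations such as `read_only=True, destructive=True` are flagged, and a list of violations is returned without raising.

```python
# Annotation pairs that cannot both be True on one tool. The page names the
# read_only/destructive pair; further pairs can be appended as policy grows.
ANNOTATION_CONFLICTS = (("read_only", "destructive"),)


def _check_schema(schema):
    """Structural checks on a tool's input_schema (assumption: JSON Schema 'object')."""
    if not isinstance(schema, dict):
        return ["input_schema must be a JSON object"]
    msgs = []
    if schema.get("type") != "object":
        msgs.append("input_schema.type must be 'object'")
    props = schema.get("properties")
    if not isinstance(props, dict):
        msgs.append("input_schema.properties must be an object")
        props = {}
    for pname, pdef in props.items():
        if not isinstance(pdef, dict) or "type" not in pdef:
            msgs.append(f"property '{pname}' must declare a type")
    required = schema.get("required", [])
    if not isinstance(required, list):
        msgs.append("input_schema.required must be a list")
    else:
        for r in required:
            if r not in props:
                msgs.append(f"required property '{r}' is not declared in properties")
    return msgs


def _check_annotations(ann):
    """Flag contradictory or non-boolean annotations."""
    if not isinstance(ann, dict):
        return ["annotations must be an object"]
    msgs = [f"annotation '{k}' must be a boolean" for k, v in ann.items() if not isinstance(v, bool)]
    for a, b in ANNOTATION_CONFLICTS:
        if ann.get(a) is True and ann.get(b) is True:
            msgs.append(f"contradictory annotations: {a}=True and {b}=True")
    return msgs


def lint_tool_registry(tools):
    """Return every violation as 'tool_name: message'; never raises."""
    violations = []
    for tool in tools:
        name = tool.get("name", "<unnamed>")
        violations.extend(f"{name}: {m}" for m in _check_schema(tool.get("input_schema")))
        violations.extend(f"{name}: {m}" for m in _check_annotations(tool.get("annotations", {})))
    return violations


# Constructed sample registry: one clean tool, two with problems.
SAMPLE_TOOLS = [
    {
        "name": "workspace_read_file",
        "input_schema": {"type": "object", "properties": {"path": {"type": "string"}}, "required": ["path"]},
        "annotations": {"read_only": True, "destructive": False},
    },
    {
        "name": "workspace_write_file",
        "input_schema": {
            "type": "object",
            "properties": {"path": {"type": "string"}, "content": {"type": "string"}},
            "required": ["path", "mode"],  # 'mode' is required but never declared
        },
        "annotations": {"read_only": True, "destructive": True},  # contradictory
    },
    {
        "name": "shell_exec",
        "input_schema": {"type": "array"},  # not an object schema
        "annotations": {"destructive": True},
    },
]

if __name__ == "__main__":
    for v in lint_tool_registry(SAMPLE_TOOLS):
        print(v)
```

Returning violations rather than raising lets the registry be loaded and the full list surfaced at once, which matters for a governance layer: a tool whose annotations contradict each other is exactly the one the permission checks would otherwise misclassify.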
- `PermissionMode` enum — `READ_ONLY`, `WORKSPACE_WRITE`, `PROMPT`, `ALLOW`, `DANGER_FULL_ACCESS`
- Permission checks — used by plan gate, approval manager, and tool registry to gate tool calls.
- `assert_write_allowed` either returns `None` or raises `ToolPermissionError` — never silently allows.
- `WORKSPACE_WRITE` mode always requires plan binding (default, overridable only with `--skip-plan-check`).
- `DANGER_FULL_ACCESS` bypasses all governance checks.
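An added example that ties the plan gate (write tools, `require_plan`, `--skip-plan-check`, mode precedence) to the permission checks just listed (example code, not the project's own implementation of `assert_write_allowed`). The enum values, the `skip_plan_check` keyword as the in-code form of the CLI flag, the `bind_plan`/`explain_decision` helpers, and the SHA-256 hash over the plan text are assumptions; the page specifies only that the function returns `None` or raises `ToolPermissionError`, that `WORKSPACE_WRITE` requires a bound `content_hash`, and that `READ_ONLY` and `DANGER_FULL_ACCESS` bypass the plan gate. The example goes one step beyond the page by re-hashing the plan content when it is present, so a plan edited after binding is rejected rather than silently trusted.

```python
import hashlib
from enum import Enum


class PermissionMode(Enum):
    READ_ONLY = "read_only"
    WORKSPACE_WRITE = "workspace_write"
    PROMPT = "prompt"
    ALLOW = "allow"
    DANGER_FULL_ACCESS = "danger_full_access"


class ToolPermissionError(Exception):
    """Raised when the governance layer denies a tool call."""


# Write tools named on the page as requiring a bound plan in WORKSPACE_WRITE mode.
WRITE_TOOLS = frozenset({"workspace_write_file", "workspace_apply_patch", "workspace_edit_at_hash"})


def plan_hash(content: str) -> str:
    # Assumption: the plan contract's content_hash is SHA-256 over the plan text.
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def bind_plan(context: dict, content: str) -> dict:
    """Return a copy of the context with a plan contract bound under 'plan_contract'."""
    bound = dict(context)
    bound["plan_contract"] = {"content": content, "content_hash": plan_hash(content)}
    return bound


def assert_write_allowed(tool_name, mode, context, *, require_plan=True, skip_plan_check=False):
    """Return None if the call may proceed, otherwise raise ToolPermissionError."""
    if tool_name not in WRITE_TOOLS:
        return None  # read tools are outside the plan gate's scope
    if mode is PermissionMode.DANGER_FULL_ACCESS:
        return None  # bypasses all governance checks (page semantics)
    if mode is PermissionMode.READ_ONLY:
        raise ToolPermissionError(f"{tool_name}: write tools are not permitted in READ_ONLY mode")
    if mode is not PermissionMode.WORKSPACE_WRITE:
        # Assumption: PROMPT and ALLOW are decided by the approval manager, not the plan gate.
        return None
    if not require_plan or skip_plan_check:
        return None  # explicit operator override; worth an audit event in a real system
    contract = (context or {}).get("plan_contract")
    if not isinstance(contract, dict) or not contract.get("content_hash"):
        raise ToolPermissionError(
            f"{tool_name}: WORKSPACE_WRITE requires a bound plan "
            "(context['plan_contract']['content_hash'] is missing)"
        )
    content = contract.get("content")
    if content is not None and plan_hash(content) != contract["content_hash"]:
        raise ToolPermissionError(f"{tool_name}: plan content does not match its bound content_hash")
    return None


def explain_decision(tool_name, mode, context, **kwargs) -> str:
    """Convenience wrapper for logging: 'allowed' or 'denied: <reason>'."""
    try:
        assert_write_allowed(tool_name, mode, context, **kwargs)
    except ToolPermissionError as exc:
        return f"denied: {exc}"
    return "allowed"


if __name__ == "__main__":
    ctx = bind_plan({"session": "demo"}, "1. add parser tests\n2. refactor parser")
    print(explain_decision("workspace_write_file", PermissionMode.READ_ONLY, {}))
    print(explain_decision("workspace_write_file", PermissionMode.WORKSPACE_WRITE, {}))
    print(explain_decision("workspace_apply_patch", PermissionMode.WORKSPACE_WRITE, ctx))
```

The function never returns a truthy "allowed" value, so a caller that forgets to check the result still cannot be tricked into a silent allow: the only way past the gate is a `None` return, and every denial is an exception.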