Runtime Governance Profile
The Runtime Governance profile (org.peacprotocol/runtime-governance) provides observer-scope signed records for runtime governance events: policy evaluation decisions, safety check results, compliance gate outcomes, and operating mode transitions. The profile is compatible with Microsoft AGT (Agent Governance Toolkit) and AAIF (Agent AI Interoperability Framework).
Package: @peac/adapter-runtime-governance
Observer scope
Runtime governance records describe what governance systems reported. PEAC does not evaluate policies, run safety checks, or enforce compliance rules. Your runtime governance infrastructure (policy engine, safety classifier, compliance service) owns those decisions. PEAC provides portable, offline-verifiable signed evidence of what those systems reported.
Install
```bash
pnpm add @peac/adapter-runtime-governance @peac/protocol
```
Type URIs
6 type URIs are registered under the org.peacprotocol/runtime-governance extension group (Section 27, RTGOV-001..007):
| Type URI | Description |
|---|---|
| org.peacprotocol/runtime-governance-policy-evaluation | Policy was evaluated against an agent action or request |
| org.peacprotocol/runtime-governance-safety-check | Safety classification was performed |
| org.peacprotocol/runtime-governance-compliance-gate | Compliance gate was evaluated (pass/fail/pending) |
| org.peacprotocol/runtime-governance-mode-transition | Agent operating mode or boundary was changed |
| org.peacprotocol/runtime-governance-override-decision | A governance override was issued by an authorized party |
| org.peacprotocol/runtime-governance-audit-trigger | Audit event was triggered by the governance system |
Quick start
```typescript
import {
  buildPolicyEvaluationRecord,
  buildSafetyCheckRecord,
  buildComplianceGateRecord,
  buildModeTransitionRecord,
} from '@peac/adapter-runtime-governance';
import { issue } from '@peac/protocol';

// signingKey is assumed to be the issuer's signing key, loaded elsewhere.

// Record a policy evaluation result
const policyExt = buildPolicyEvaluationRecord({
  policy_ref: 'ref:policy/content-safety-v2',
  evaluation_result: 'allowed',
  subject_ref: 'ref:agent-action/generate-report-001',
  evaluated_at: new Date().toISOString(),
});
const policyJws = await issue({
  sub: 'ref:agent-action/generate-report-001',
  iss: 'https://governance.example.com',
  type: 'org.peacprotocol/runtime-governance-policy-evaluation',
  extensions: policyExt,
}, signingKey);

// Record a safety check result
const safetyExt = buildSafetyCheckRecord({
  check_ref: 'ref:safety-check/output-filter-001',
  check_result: 'safe',
  classifier_ref: 'ref:classifier/content-shield-v3',
  checked_at: new Date().toISOString(),
});
// Distinct name: redeclaring `const jws` in the same scope is a SyntaxError.
const safetyJws = await issue({
  sub: 'ref:output/response-001',
  iss: 'https://safety.example.com',
  type: 'org.peacprotocol/runtime-governance-safety-check',
  extensions: safetyExt,
}, signingKey);
```
Core fields
Policy Evaluation
| Field | Required | Description |
|---|---|---|
| policy_ref | Yes | Opaque reference to the evaluated policy |
| evaluation_result | Yes | Result: allowed, denied, escalated, pending |
| subject_ref | No | Reference to what was evaluated |
| evaluated_at | Yes | ISO 8601 timestamp |
Safety Check
| Field | Required | Description |
|---|---|---|
| check_ref | Yes | Opaque reference to the safety check run |
| check_result | Yes | Result: safe, unsafe, uncertain |
| classifier_ref | No | Reference to the classifier used |
| checked_at | Yes | ISO 8601 timestamp |
Compliance Gate
| Field | Required | Description |
|---|---|---|
| gate_ref | Yes | Opaque reference to the compliance gate |
| gate_result | Yes | Result: pass, fail, pending, exempt |
| rule_refs | No | Array of opaque references to evaluated rules |
| evaluated_at | Yes | ISO 8601 timestamp |
Mode Transition
| Field | Required | Description |
|---|---|---|
| from_mode | Yes | Mode being exited |
| to_mode | Yes | Mode being entered |
| transition_ref | No | Reference to the authorization for this transition |
| transitioned_at | Yes | ISO 8601 timestamp |
AGT and AAIF compatibility
Runtime governance records are designed to complement Microsoft AGT-governed agent deployments. When your AGT infrastructure produces governance decisions, issue a PEAC runtime governance record at each decision boundary. The signed record can be verified offline by auditors or downstream systems using only the issuer's public key.
```typescript
import { buildPolicyEvaluationRecord } from '@peac/adapter-runtime-governance';
import { issue } from '@peac/protocol';
import { attachA2aCarrier } from '@peac/mappings-a2a';

// signingKey, a2aArtifact and computeReceiptRef are assumed to be defined
// elsewhere; this page does not show where computeReceiptRef is imported from.

// AGT evaluated a policy -- record it
const ext = buildPolicyEvaluationRecord({
  policy_ref: 'ref:agt-policy/allowed-actions-v1',
  evaluation_result: 'allowed',
  subject_ref: 'ref:agent-request/tool-call-001',
  evaluated_at: new Date().toISOString(),
});
const jws = await issue({
  sub: 'ref:agent-request/tool-call-001',
  iss: 'https://agt.corp.example.com',
  type: 'org.peacprotocol/runtime-governance-policy-evaluation',
  extensions: ext,
}, signingKey);

// Optionally attach to the outgoing A2A artifact
const artifact = attachA2aCarrier(a2aArtifact, {
  receipt_ref: computeReceiptRef(jws),
  receipt_jws: jws,
});
```
Upstream artifact preservation
Where your governance system produces a native artifact (an AGT decision record, a policy evaluation report, a compliance certificate), preserve a reference to it using an opaque ref rather than embedding the artifact content:
```typescript
// Correct: reference to upstream artifact
upstream_artifact_ref: 'ref:agt-decision/eval-2026-001'
upstream_artifact_ref: 'sha256:abc123...' // content hash

// Incorrect: embedding the artifact inline
upstream_artifact: { policy: '...', decision: '...' } // not recommended
```
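An added example, not code from the PEAC project: a check to run before issuing a record, applying the field rules from the Core fields tables and rejecting embedded artifact content in favour of opaque refs. `RULES`, `TIMESTAMP` and `validateGovernanceFields` are hypothetical names; the timestamp pattern and accepting `upstream_artifact_ref` on every record kind are assumptions.

```javascript
// Added example, not part of @peac/adapter-runtime-governance. Field names and
// allowed values come from the "Core fields" tables; other names are hypothetical.
const RULES = {
  'policy-evaluation': {
    required: ['policy_ref', 'evaluation_result', 'evaluated_at'], optional: ['subject_ref'],
    enums: { evaluation_result: ['allowed', 'denied', 'escalated', 'pending'] }, time: 'evaluated_at',
  },
  'safety-check': {
    required: ['check_ref', 'check_result', 'checked_at'], optional: ['classifier_ref'],
    enums: { check_result: ['safe', 'unsafe', 'uncertain'] }, time: 'checked_at',
  },
  'compliance-gate': {
    required: ['gate_ref', 'gate_result', 'evaluated_at'], optional: ['rule_refs'],
    enums: { gate_result: ['pass', 'fail', 'pending', 'exempt'] }, time: 'evaluated_at',
  },
  'mode-transition': {
    required: ['from_mode', 'to_mode', 'transitioned_at'], optional: ['transition_ref'],
    enums: {}, time: 'transitioned_at',
  },
};
// Assumption: timestamps use the RFC 3339 form of ISO 8601 that toISOString() emits.
const TIMESTAMP = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

function validateGovernanceFields(kind, fields) {
  const rule = Object.hasOwn(RULES, kind) ? RULES[kind] : null;
  if (!rule) return [`unknown record kind: ${kind}`];
  const errors = [];
  // Assumption: upstream_artifact_ref may accompany any record kind.
  const known = new Set([...rule.required, ...rule.optional, 'upstream_artifact_ref']);
  for (const name of rule.required) {
    if (typeof fields[name] !== 'string' || fields[name] === '') {
      errors.push(`missing required field: ${name}`);
    }
  }
  for (const [name, value] of Object.entries(fields)) {
    if (!known.has(name)) {
      errors.push(`unexpected field: ${name}`); // catches an inline upstream_artifact
    } else if (name === 'rule_refs') {
      const ok = Array.isArray(value) && value.every((r) => typeof r === 'string');
      if (!ok) errors.push('rule_refs must be an array of strings');
    } else if (typeof value !== 'string') {
      errors.push(`${name} must be a string reference, not embedded content`);
    } else if (rule.enums[name] && !rule.enums[name].includes(value)) {
      errors.push(`${name} must be one of: ${rule.enums[name].join(', ')}`);
    } else if (name === rule.time && !(TIMESTAMP.test(value) && !Number.isNaN(Date.parse(value)))) {
      errors.push(`${name} is not an ISO 8601 timestamp`);
    }
  }
  return errors;
}
```

An empty array means the fields match the tables; any other result lists what to fix before the record is built and signed.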
Non-goals
Runtime governance records do not:
- Evaluate policies themselves
- Classify content for safety
- Enforce compliance rules
- Replace AGT, OPA, or other policy engines
- Provide real-time monitoring or alerting
- Replace OpenTelemetry spans for observability
Related
- A2A Integration: Carry governance records through A2A metadata
- Observability / OTel: Bridge governance records to OTel spans
- Provisioning Lifecycle: Credential and access management records
- Agent Protocols: All protocol mappings