Runtime Governance Records
Record portable signed evidence of agent runtime governance decisions — policy evaluations, safety checks, compliance gates, capability constraints, and mode transitions. Works with any governance runtime: AGT, AAIF, and custom managed agent platforms.
Package: @peac/adapter-runtime-governance — Conformance Section 27 RTGOV-001..007
Observer scope
PEAC records what your governance runtime reported happened. It does not enforce policies, evaluate safety, score agents, or replace your governance layer. The runtime owns the decision; PEAC makes the decision verifiable outside the system that made it.
What gets recorded
The runtime governance profile covers seven observable event categories under theorg.peacprotocol/runtime-governance namespace. Each event maps to one of the 6 type URIs in the extension registry.
| Type URI | When to emit |
|---|---|
| org.peacprotocol/rtgov-policy-evaluation | A policy was evaluated against an action, tool call, or capability request |
| org.peacprotocol/rtgov-safety-check | A safety boundary was checked — input validation, output filtering, scope guard |
| org.peacprotocol/rtgov-compliance-gate | A compliance gate was reached — access control, license check, jurisdictional boundary |
| org.peacprotocol/rtgov-capability-constraint | A capability was granted, limited, or denied by the runtime |
| org.peacprotocol/rtgov-mode-transition | The agent runtime changed mode — e.g. supervised to autonomous, paused to resumed |
| org.peacprotocol/rtgov-audit-checkpoint | A periodic or triggered audit checkpoint was reached during a session |
Install
pnpm add @peac/adapter-runtime-governance @peac/protocolBasic Usage
The adapter accepts your runtime's governance event output and maps it to a structured PEAC record. Pass the record to issue()with your signing key to produce a compact JWS.
import { mapRuntimeGovernanceEvent } from '@peac/adapter-runtime-governance';
import { issue } from '@peac/protocol';
import { loadKey } from '@peac/crypto';
const signingKey = await loadKey(process.env.PEAC_SIGNING_KEY_JSON!);
// Your governance runtime emits a structured event
const governanceEvent = {
kind: 'policy-evaluation',
policy_ref: 'urn:policy:agent-safety-v2',
subject_ref: 'did:key:z6Mk...',
outcome: 'allowed',
reason_code: 'scope_permitted',
evaluated_at: new Date().toISOString(),
};
// Map to PEAC record shape
const record = mapRuntimeGovernanceEvent({
event: governanceEvent,
issuer: 'https://governance.example.com',
subject: 'did:key:z6Mk...',
});
// Issue a signed record
const { jws } = await issue({
claims: record,
issuer: 'https://governance.example.com',
signingKey,
});
// jws is a compact JWS — carry it in PEAC-Receipt header or A2A metadata
console.log(jws);Record shape
Each record carries governance-specific fields inside the extension block. All identifiers are opaque references — no raw policy text, agent identity strings, or runtime-internal data is stored inline.
{
"iss": "https://governance.example.com",
"sub": "did:key:z6MktyMgNkikLRwqEYq7FRX5...",
"iat": 1747008000,
"typ": "interaction-record+jwt",
"peac": {
"kind": "interaction",
"pillars": ["safety", "compliance"],
"type": "org.peacprotocol/rtgov-policy-evaluation",
"extension": {
"policy_ref": "urn:policy:agent-safety-v2",
"subject_ref": "did:key:z6Mk...",
"outcome": "allowed",
"reason_code": "scope_permitted",
"evaluated_at": "2026-05-11T10:00:00.000Z",
"upstream_artifact": {
"source": "agt-policy-engine",
"version_ref": "urn:version:2026-05-11"
}
}
}
}The upstream_artifact block preserves the raw source attribution from the governance runtime without synthesizing additional semantics.
Microsoft AGT / AAIF Compatibility
The runtime governance adapter was designed with the Azure AI Foundry (AAIF) and Agent Governance Toolkit (AGT) event model as the primary mapper use case. AGT governance events map directly into RTGOV type URIs without schema changes.
PolicyEvaluatedAGTrtgov-policy-evaluationDirect 1:1 mapping — policy ref, subject, and outcome preserved
SafetyFilterAppliedAGTrtgov-safety-checkSafety boundary event with filter_ref and input_hash digest
ComplianceCrossingAGTrtgov-compliance-gateJurisdiction or access-control gate with checkpoint_ref
CapabilityGranted / DeniedAGTrtgov-capability-constraintMaps granted, limited, and denied states to outcome field
import { mapAgtGovernanceEvent } from '@peac/adapter-runtime-governance';
// AGT emits its native event shape
const agtEvent = await agtRuntime.getLastGovernanceEvent();
// Map to PEAC record — no extra wiring needed
const record = mapAgtGovernanceEvent(agtEvent, {
issuer: 'https://governance.example.com',
});Upstream artifact preservation
PEAC never synthesizes governance outcomes from incomplete data. Theupstream_artifact block is required on all RTGOV records and preserves the source runtime's attribution without interpretation.
No finality synthesis
A policy evaluation "allowed" record does not mean the action was taken. The governance runtime owns that decision.
Opaque refs only
Policy documents, agent identities, and capability names must be referenced by opaque URN or DID — never inlined.
Explicit outcome
The outcome field accepts allowed, denied, partial, bypassed, and unknown. No implicit positive defaults.
Conformance — Section 27 (RTGOV)
Seven requirements cover the observable emitted-record semantics for runtime governance records.
| ID | Requirement |
|---|---|
| RTGOV-001 | Each record MUST carry a type URI from the RTGOV registry |
| RTGOV-002 | The upstream_artifact block MUST be present and non-empty |
| RTGOV-003 | Policy, subject, and capability identifiers MUST be opaque refs (urn:, did:, ref:, sha256:, peac:, https:) |
| RTGOV-004 | The outcome field MUST be one of: allowed, denied, partial, bypassed, unknown |
| RTGOV-005 | Records MUST NOT synthesize outcome from partial data without explicit finality evidence |
| RTGOV-006 | Mode transitions MUST carry both from_mode and to_mode as opaque strings |
| RTGOV-007 | Audit checkpoints MUST include an evaluated_at timestamp in ISO 8601 format |
Resources
Add governance evidence to your agent platform
Install @peac/adapter-runtime-governance and map your existing governance events to portable PEAC records without changing your policy engine.