Governed maintenance automerge for any repo, any agent: receipts with re-runnable evidence, a measured-only calibration ledger, graduated per-class autonomy gates, signed rows, and a kill switch.
Project description
govern — the missing layer, installable
Every AI coding agent ships code and asks you to trust it. govern makes the
trust measurable instead: receipts with re-runnable evidence, a measured-only
calibration ledger, graduated per-class autonomy gates, and a kill switch —
in any repo, with any agent (Claude Code, Cursor, Codex, humans). Stdlib-only
Python, no model, no cloud, nothing to phone home to.
Extracted from the production loop that governs the Titan repository, where the same arithmetic earned three change classes automerge eligibility on measured track record. The extraction is pinned byte-identical to the source by a parity contract run in CI against the live 130+-row ledger.
Install
pip install ./packages/govern # or pipx install govern-kit
govern init # idempotent; never overwrites existing files
init drops: .govern.toml (conventions), a receipt template (the evidence
contract), an empty measured ledger, a CI workflow (gate as a PR check,
score-on-merge), and the GOVERN_STOP kill-switch doc.
The loop
- A change ships with a receipt: what changed, the claimed verdict, a
confidence, and a
### How measuredblock of hermetic commands. - After the receipt is human-merged (
govern check-mergedrefuses working-tree or doctored copies),govern scorere-runs the evidence verbatim against merged main and appends ascored_by="measured"row. Self-reported verdicts can never move the measured ledger. govern gatecomputes TRUST/GATE overall and per change class: a class earnsauto-merge ELIGIBLEonly at ≥95% high-confidence hit-rate over a ≥10-claim recency window — judged per class, so one class's burst cannot evict another's track record.touch GOVERN_STOPhalts every gated automation instantly. The gate refusing while that file exists is the contract.
Anti-gaming invariants (all inherited from production incidents)
- Merged-only scoring — no credit for work that never survived review.
- Content-hash guard — the scored receipt must be byte-identical to the merged one.
- Invariant-pin exclusion — a receipt measured only by tests its own PR introduced is a tautology: recorded, flagged, never counted toward TRUST.
- In-place rescores — rewriting a row preserves ledger order so the recency window cannot be gamed by remove-and-append.
- Sticky pins — automated rescores can never un-pin an adjudicated row.
- Goodhart markers — excluded receipts are dropped before windowing.
Signature layers, honestly described
- HMAC (
sig) — proves the ledger wasn't edited by anyone without the key. The key-holder is still you: this convinces your own CI, not an auditor at arm's length. - SSH (
ssh_sig) — anyone verifies rows against the public key you publish in.govern/allowed_signers, using stockssh-keygen. Backdating detection relies on the ledger living in public git history; the signature alone proves authorship and integrity, not time.
What this package is — and is not
This package is the trust layer: it scores receipts, keeps the measured
ledger, and computes graduated-autonomy gates. It contains no agent, no
model, and no execution engine. SignalBrain Forge runs governed change
control as a product; the Titan runtime that earned this kit's reference
track record is private. Installing govern-kit gives you the referee —
what you build on top of it is yours.
Commands
govern score docs/improvements/0001-fix.md # or --all, or --rescore
govern gate # exit 0 = TRUST
govern gate --class bugfix # exit 0 = that class is ELIGIBLE
govern status # one-screen scoreboard
govern check-merged <receipt> # Track-1 guard, exit 0 = scoreable
govern init # install into this repo
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file govern_kit-0.1.0.tar.gz.
File metadata
- Download URL: govern_kit-0.1.0.tar.gz
- Upload date:
- Size: 20.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f7ec1b05f64157230b40a16f8a21520525536ae69f12f607ad9e9c03263a97a9
|
|
| MD5 |
5d76ee98bacedacfef297955803e84eb
|
|
| BLAKE2b-256 |
d5d475b4b0e5d9f55b11d1e638eccb2c4097768b76cd1da803666467336e98d3
|
File details
Details for the file govern_kit-0.1.0-py3-none-any.whl.
File metadata
- Download URL: govern_kit-0.1.0-py3-none-any.whl
- Upload date:
- Size: 23.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b4fd8e943e0573e7c06a27c2a85e18099d60df96b3ba9e2ed77d979108785c15
|
|
| MD5 |
0c92a3cf1d199872df69b1c350d22985
|
|
| BLAKE2b-256 |
b0529d0bfb27da782db26c2c6db7b3e5a71946eae7e17fe871876702145caa5a
|