Skip to main content

Governed maintenance automerge for any repo, any agent: receipts with re-runnable evidence, a measured-only calibration ledger, graduated per-class autonomy gates, signed rows, and a kill switch.

Project description

govern — the missing layer, installable

Every AI coding agent ships code and asks you to trust it. govern makes the trust measurable instead: receipts with re-runnable evidence, a measured-only calibration ledger, graduated per-class autonomy gates, and a kill switch — in any repo, with any agent (Claude Code, Cursor, Codex, humans). Stdlib-only Python, no model, no cloud, nothing to phone home to.

Extracted from the production loop that governs the Titan repository, where the same arithmetic earned three change classes automerge eligibility on measured track record. The extraction is pinned byte-identical to the source by a parity contract run in CI against the live 130+-row ledger.

Install

pip install ./packages/govern     # or pipx install govern-kit
govern init                       # idempotent; never overwrites existing files

init drops: .govern.toml (conventions), a receipt template (the evidence contract), an empty measured ledger, a CI workflow (gate as a PR check, score-on-merge), and the GOVERN_STOP kill-switch doc.

The loop

  1. A change ships with a receipt: what changed, the claimed verdict, a confidence, and a ### How measured block of hermetic commands.
  2. After the receipt is human-merged (govern check-merged refuses working-tree or doctored copies), govern score re-runs the evidence verbatim against merged main and appends a scored_by="measured" row. Self-reported verdicts can never move the measured ledger.
  3. govern gate computes TRUST/GATE overall and per change class: a class earns auto-merge ELIGIBLE only at ≥95% high-confidence hit-rate over a ≥10-claim recency window — judged per class, so one class's burst cannot evict another's track record.
  4. touch GOVERN_STOP halts every gated automation instantly. The gate refusing while that file exists is the contract.

Anti-gaming invariants (all inherited from production incidents)

  • Merged-only scoring — no credit for work that never survived review.
  • Content-hash guard — the scored receipt must be byte-identical to the merged one.
  • Invariant-pin exclusion — a receipt measured only by tests its own PR introduced is a tautology: recorded, flagged, never counted toward TRUST.
  • In-place rescores — rewriting a row preserves ledger order so the recency window cannot be gamed by remove-and-append.
  • Sticky pins — automated rescores can never un-pin an adjudicated row.
  • Goodhart markers — excluded receipts are dropped before windowing.

Signature layers, honestly described

  • HMAC (sig) — proves the ledger wasn't edited by anyone without the key. The key-holder is still you: this convinces your own CI, not an auditor at arm's length.
  • SSH (ssh_sig) — anyone verifies rows against the public key you publish in .govern/allowed_signers, using stock ssh-keygen. Backdating detection relies on the ledger living in public git history; the signature alone proves authorship and integrity, not time.

What this package is — and is not

This package is the trust layer: it scores receipts, keeps the measured ledger, and computes graduated-autonomy gates. It contains no agent, no model, and no execution engine. SignalBrain Forge runs governed change control as a product; the Titan runtime that earned this kit's reference track record is private. Installing govern-kit gives you the referee — what you build on top of it is yours.

Commands

govern score docs/improvements/0001-fix.md   # or --all, or --rescore
govern gate                                  # exit 0 = TRUST
govern gate --class bugfix                   # exit 0 = that class is ELIGIBLE
govern status                                # one-screen scoreboard
govern check-merged <receipt>                # Track-1 guard, exit 0 = scoreable
govern init                                  # install into this repo

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

govern_kit-0.1.0.tar.gz (20.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

govern_kit-0.1.0-py3-none-any.whl (23.6 kB view details)

Uploaded Python 3

File details

Details for the file govern_kit-0.1.0.tar.gz.

File metadata

  • Download URL: govern_kit-0.1.0.tar.gz
  • Upload date:
  • Size: 20.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for govern_kit-0.1.0.tar.gz
Algorithm Hash digest
SHA256 f7ec1b05f64157230b40a16f8a21520525536ae69f12f607ad9e9c03263a97a9
MD5 5d76ee98bacedacfef297955803e84eb
BLAKE2b-256 d5d475b4b0e5d9f55b11d1e638eccb2c4097768b76cd1da803666467336e98d3

See more details on using hashes here.

File details

Details for the file govern_kit-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: govern_kit-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 23.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for govern_kit-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b4fd8e943e0573e7c06a27c2a85e18099d60df96b3ba9e2ed77d979108785c15
MD5 0c92a3cf1d199872df69b1c350d22985
BLAKE2b-256 b0529d0bfb27da782db26c2c6db7b3e5a71946eae7e17fe871876702145caa5a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page