Promotion gate for LLM deployments. Blocks unsafe CI to staging promotion.
Release Governor
Block promotion when malformed LLM outputs leak past staging validation boundaries.
Designed for staging/pre-prod environments with structured CI/CD workflows.
Install
```bash
pip install llm-release-governor
```
What it does
Release Governor sits between your CI contract checker and your staging environment. It consumes a locc artifact, detects leakage the contract checker allowed through, and enforces a promotion policy per environment.
locc (CI) -> Release Governor (staging gate) -> EGA (runtime)
Quickstart
```bash
release-governor evaluate \
  --locc-artifact locc_result.json \
  --env staging \
  --sha $GIT_SHA
```
Exit 0 = ALLOW, Exit 1 = BLOCK, Exit 2 = REQUIRE_OVERRIDE
What it detects
| Type | Signal |
|---|---|
| PII leakage | PII signals in locc check reasons |
| Schema leakage | Structural diffs locc allowed through |
| Policy leakage | Promotion violates env-specific rules |
Override path
```bash
release-governor override create \
  --env staging \
  --approved-by alice \
  --reason "confirmed false positive" \
  --leakage-types pii \
  --sha $GIT_SHA \
  --identity-hash $ARTIFACT_HASH \
  --expires-in-days 7
```
Then: commit the override file and re-run evaluate.
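The `override create` flags scope an approval to one environment, commit, artifact hash, set of leakage types and time window. The sketch below is an added example, not Release Governor's own code: the `Override` record layout and the matching rules are assumptions derived from those flags, and it shows the checks a reviewer would expect before an override is honoured.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Override:
    # Hypothetical record; fields mirror the `override create` flags.
    env: str
    approved_by: str
    reason: str
    leakage_types: frozenset
    sha: str
    identity_hash: str
    created_at: datetime
    expires_in_days: int

def override_rejections(ov, *, env, sha, identity_hash, detected, now):
    """Return the reasons `ov` does not cover this evaluation (empty list = applies)."""
    reasons = []
    if ov.env != env:
        reasons.append("env mismatch")            # approval for staging must not reach preprod
    if ov.sha != sha:
        reasons.append("sha mismatch")            # approval is for one commit only
    if ov.identity_hash != identity_hash:
        reasons.append("artifact hash mismatch")  # same commit, different artifact
    if now >= ov.created_at + timedelta(days=ov.expires_in_days):
        reasons.append("expired")
    uncovered = set(detected) - ov.leakage_types
    if uncovered:                                 # a pii approval does not waive schema leakage
        reasons.append("uncovered leakage: " + ",".join(sorted(uncovered)))
    if not ov.approved_by.strip() or not ov.reason.strip():
        reasons.append("missing approver or reason")
    return reasons

# Constructed sample values (not real hashes).
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = Override("staging", "alice", "confirmed false positive",
                  frozenset({"pii"}), "a" * 40, "b" * 64, T0, 7)

if __name__ == "__main__":
    print(override_rejections(SAMPLE, env="staging", sha="a" * 40,
                              identity_hash="b" * 64, detected={"pii"},
                              now=T0 + timedelta(days=1)))
    print(override_rejections(SAMPLE, env="preprod", sha="c" * 40,
                              identity_hash="b" * 64, detected={"pii", "schema"},
                              now=T0 + timedelta(days=8)))
```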
Audit log
```bash
release-governor evaluate \
  --locc-artifact locc_result.json \
  --env staging \
  --sha $GIT_SHA \
  --audit-log rg_audit.jsonl
```

```json
{"event_type": "PROMOTION_BLOCKED", "sha": "...", "actor": "system"}
```
GitHub Actions
```yaml
- name: Gate promotion
  run: |
    pip install locc llm-release-governor
    locc run --contract contracts/current.json \
      --snapshot snapshots/current.json \
      --output json > locc_result.json
    release-governor evaluate \
      --locc-artifact locc_result.json \
      --env staging \
      --sha ${{ github.sha }}
```
Environment policies
| Environment | Policy |
|---|---|
| staging | FAIL blocks. HOLD allowed if no schema leakage |
| preprod | FAIL or HOLD blocks |
| prod | PASS only, no diffs, no leakage |
Stack integration
Release Governor is part of the LLM Reliability Stack.
Consumes locc artifacts. Sits upstream of EGA.
| Layer | Tool |
|---|---|
| Design-time | PFA |
| CI | locc |
| Staging | Release Governor |
| Runtime | EGA |
License
MIT
Publishing
Releases are published automatically to PyPI on version tag push.
To release:
```bash
git tag v0.1.0
git push origin v0.1.0
```
To dry-run on TestPyPI first:
Trigger the "Publish to TestPyPI" workflow manually from GitHub Actions.
PyPI trusted publishing must be configured once per project:
PyPI project settings -> Publishing -> Add publisher
- Owner:
- Repository:
- Workflow: publish.yml
- Environment: pypi
File details
Details for the file llm_release_governor-0.1.0.tar.gz.
File metadata
- Download URL: llm_release_governor-0.1.0.tar.gz
- Upload date:
- Size: 20.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f01061328dcccb1e3b157f013c2b590559c65390f2406f80778c74db438d1622 |
| MD5 | 6752050d1857b0381a2bdffa735dca77 |
| BLAKE2b-256 | 3c936da1830f6114f3eb4fbff3e02b9ff47c1f244279dabc3b14a5d65b76d647 |
Provenance
The following attestation bundles were made for llm_release_governor-0.1.0.tar.gz:
Publisher: publish.yml on bh3r1th/llm-release-governor
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: llm_release_governor-0.1.0.tar.gz
- Subject digest: f01061328dcccb1e3b157f013c2b590559c65390f2406f80778c74db438d1622
- Sigstore transparency entry: 1456737495
- Sigstore integration time:
- Permalink: bh3r1th/llm-release-governor@7bf1d5dcb13b6f24428f12f6d418d150d78ff964
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/bh3r1th
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@7bf1d5dcb13b6f24428f12f6d418d150d78ff964
- Trigger Event: push
File details
Details for the file llm_release_governor-0.1.0-py3-none-any.whl.
File metadata
- Download URL: llm_release_governor-0.1.0-py3-none-any.whl
- Upload date:
- Size: 15.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1b86ef2805c250013dee596889d21dc7073e7867a412a7d6a2c72c07db5a9f2e |
| MD5 | a7c45dcf532c1b3b1c979086d4645d32 |
| BLAKE2b-256 | 88e3eeb1431c9a8894813083f4bc8893b4fb929c6ba51ff003b871b2252fd909 |
Provenance
The following attestation bundles were made for llm_release_governor-0.1.0-py3-none-any.whl:
Publisher: publish.yml on bh3r1th/llm-release-governor
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: llm_release_governor-0.1.0-py3-none-any.whl
- Subject digest: 1b86ef2805c250013dee596889d21dc7073e7867a412a7d6a2c72c07db5a9f2e
- Sigstore transparency entry: 1456737586
- Sigstore integration time:
- Permalink: bh3r1th/llm-release-governor@7bf1d5dcb13b6f24428f12f6d418d150d78ff964
- Branch / Tag: refs/tags/v1.0.0
- Owner: https://github.com/bh3r1th
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@7bf1d5dcb13b6f24428f12f6d418d150d78ff964
- Trigger Event: push