Agent Assurance docs
Use PolicyStrata Agent Assurance runners, evidence packs, release gates, and audit state for AI agents that touch governed data.
Overview
Agent Assurance is the release-control plane for teams shipping AI agents that touch governed data. Self-hosted runners execute DocPull and PolicyStrata locally, then upload normalized evidence for review, release gating, waivers, and audit history.
| Capability | What it covers |
|---|---|
| Self-hosted runners | CI, developer machines, or customer VPC execution. |
| Evidence packs | Reviewable release bundles with summaries, findings, hashes, and artifact references. |
| Release decisions | Pass, fail, block, review, approve, or waive before production. |
| Org isolation | Organization-scoped projects, release candidates, runner tokens, findings, reviewer decisions, and audit logs. |
Runner Flow
The runner operates inside CI, a developer machine, or a customer VPC. It invokes the OSS engines, writes artifacts, exits non-zero when gates fail, and uploads metadata to the control plane.
agent-assurance runner init support-bi-copilot
docpull sync --source customer-support-docs
policystrata scan --suite customer-data-access
agent-assurance evidence uploadEvidence Contract
Runners upload an assurance run and optionally an evidence pack. The API stores source sets, policy suites, findings, run history, artifact references, and release summaries.
{
"run": {
"schemaVersion": "0.1.0",
"runId": "run_demo_saas_bi_20260706",
"project": "saas-bi-agent",
"status": "blocked",
"tools": {
"docpull": "6.x",
"policystrata": "1.x"
},
"findings": {
"context": [],
"policy": []
}
},
"evidencePack": {
"packId": "pack_demo_saas_bi_20260706",
"status": "blocked",
"runRefs": ["run_demo_saas_bi_20260706"]
}
}| Status | Release meaning |
|---|---|
passed | No configured release gate failed. |
failed | A gate failed and needs remediation or waiver. |
blocked | A blocker prevents release under the configured policy. |
needs_review | Evidence requires human review before release. |
Dashboard
The dashboard answers the release question: what changed, what failed, what evidence supports the decision, and can this agent ship?
- Open dashboard: review projects, latest runs, blockers, inputs, findings, and evidence packs.
- Runner tokens: create scoped bearer tokens for CI or self-hosted runners.
Data Handling
Default enterprise mode is metadata-first. Source credentials, private documents, full traces, schemas, and customer rows should stay inside the customer environment unless a deployment explicitly enables a redacted artifact mode.
Prefer hashes, tool versions, source names, severity, summarized findings, redacted witnesses, artifact references, and reviewer decisions.
Enterprise Control Plane
The control plane keeps release review organized without collecting raw customer data by default. Product data is scoped by organization and project; runners upload metadata, finding summaries, hashes, artifact references, redacted witnesses, and reviewer decisions.
| Resource | Meaning |
|---|---|
| Project | The agent or AI workflow under assurance. |
| Assurance run | One runner execution against a project or release candidate. |
| Finding | A normalized context or policy issue emitted by OSS engines. |
| Evidence pack | A reviewable release bundle with summary, hashes, artifacts, and approvals. |
OSS Engines
Agent Assurance does not reimplement context crawling or policy scanning. The OSS engines remain independently useful and feed the commercial release workflow.
- DocPull: context dependency freshness, source diffs, citation gaps, and reproducible context packs.
- PolicyStrata: cross-layer policy, tenancy, PII, SQL, RLS, and governance invariant checks.
Local Setup
Local development needs Bun, Postgres connection strings, and a Better Auth secret. Without a database, the app shows setup mode instead of authenticated multi-tenant UI.
bun install
cp .env.example .env.local
bun run db:migrate
bun run dev