PolicyStrata

Agent Assurance docs

Use PolicyStrata Agent Assurance runners, evidence packs, release gates, and audit state for AI agents that touch governed data.

Overview

Agent Assurance is the release-control plane for teams shipping AI agents that touch governed data. Self-hosted runners execute DocPull and PolicyStrata locally, then upload normalized evidence for review, release gating, waivers, and audit history.

CapabilityWhat it covers
Self-hosted runnersCI, developer machines, or customer VPC execution.
Evidence packsReviewable release bundles with summaries, findings, hashes, and artifact references.
Release decisionsPass, fail, block, review, approve, or waive before production.
Org isolationOrganization-scoped projects, release candidates, runner tokens, findings, reviewer decisions, and audit logs.

Runner Flow

The runner operates inside CI, a developer machine, or a customer VPC. It invokes the OSS engines, writes artifacts, exits non-zero when gates fail, and uploads metadata to the control plane.

agent-assurance runner init support-bi-copilot
docpull sync --source customer-support-docs
policystrata scan --suite customer-data-access
agent-assurance evidence upload

Evidence Contract

Runners upload an assurance run and optionally an evidence pack. The API stores source sets, policy suites, findings, run history, artifact references, and release summaries.

{
  "run": {
    "schemaVersion": "0.1.0",
    "runId": "run_demo_saas_bi_20260706",
    "project": "saas-bi-agent",
    "status": "blocked",
    "tools": {
      "docpull": "6.x",
      "policystrata": "1.x"
    },
    "findings": {
      "context": [],
      "policy": []
    }
  },
  "evidencePack": {
    "packId": "pack_demo_saas_bi_20260706",
    "status": "blocked",
    "runRefs": ["run_demo_saas_bi_20260706"]
  }
}
StatusRelease meaning
passedNo configured release gate failed.
failedA gate failed and needs remediation or waiver.
blockedA blocker prevents release under the configured policy.
needs_reviewEvidence requires human review before release.

Dashboard

The dashboard answers the release question: what changed, what failed, what evidence supports the decision, and can this agent ship?

  • Open dashboard: review projects, latest runs, blockers, inputs, findings, and evidence packs.
  • Runner tokens: create scoped bearer tokens for CI or self-hosted runners.

Data Handling

Default enterprise mode is metadata-first. Source credentials, private documents, full traces, schemas, and customer rows should stay inside the customer environment unless a deployment explicitly enables a redacted artifact mode.

Prefer hashes, tool versions, source names, severity, summarized findings, redacted witnesses, artifact references, and reviewer decisions.

Enterprise Control Plane

The control plane keeps release review organized without collecting raw customer data by default. Product data is scoped by organization and project; runners upload metadata, finding summaries, hashes, artifact references, redacted witnesses, and reviewer decisions.

ResourceMeaning
ProjectThe agent or AI workflow under assurance.
Assurance runOne runner execution against a project or release candidate.
FindingA normalized context or policy issue emitted by OSS engines.
Evidence packA reviewable release bundle with summary, hashes, artifacts, and approvals.

OSS Engines

Agent Assurance does not reimplement context crawling or policy scanning. The OSS engines remain independently useful and feed the commercial release workflow.

  • DocPull: context dependency freshness, source diffs, citation gaps, and reproducible context packs.
  • PolicyStrata: cross-layer policy, tenancy, PII, SQL, RLS, and governance invariant checks.

Local Setup

Local development needs Bun, Postgres connection strings, and a Better Auth secret. Without a database, the app shows setup mode instead of authenticated multi-tenant UI.

bun install
cp .env.example .env.local
bun run db:migrate
bun run dev

On this page