Governance Patterns
A GovernancePolicy is a guardrail: a complete, self-contained holon that you define and attach to a Capability or a Steward, and that runs wherever those entities run. Attach one to a Capability and the guardrail travels with it everywhere, running at the Capability level, independently, per the no-aggregation rule.
Governance has a fixed contract: the input is { Action, Initiator, Context },
and the output is a status where Code 0 = accepted, non-zero = rejected, 202 =
pending review.
```javascript
const FormatText = Capability('FormatText', 'Formats text')
  .Input(/* ... */).Output()
  /* ... */
  .Governance(TrustLevelPolicy('medium')) // ← guardrail travels with FormatText
  .Execute(/* ... */);
```
Which guardrail do I need?
| When you want to... | Use |
|---|---|
| Require a minimum trust level | TrustLevelPolicy |
| Restrict who can call this | InitiatorAllowlistPolicy |
| Restrict which actions are allowed | ActionAllowlistPolicy |
| Define custom logic | Governance |
| Compose multiple guardrails into one | CompositePolicy |
| Attach guardrails to a Steward operation | Operation-level governance |
Trust level
```javascript
const ReadGuardrail = TrustLevelPolicy('medium'); // 'low' | 'medium' | 'high'
const status = await GovernancePolicyRunner(ReadGuardrail).Evaluate({
  Action: 'read',
  Initiator: { Type: 'human', Id: 'alice@team.com' },
  Context: {},
});
status.Code; // 0 = accepted
```
Trust levels map to initiator types: low = humans only · medium = humans +
automated (no AI) · high = all allowed.
Initiator and action allowlists
InitiatorAllowlistPolicy([...ids]) whitelists known callers (checked against
Initiator.Id). ActionAllowlistPolicy(["read", "list"]) restricts which actions
may run (matched against the Action string).
Custom logic
```javascript
const WeekdayOnly = Governance('WeekdayOnly', 'Business days only')
  .Execute(async (ctx) => {
    const day = new Date().getDay();
    return day >= 1 && day <= 5 ? GovernanceAccepted() : GovernanceRejected(403, 'Weekdays only');
  });
```
Arbitrary logic, the same fixed I/O. Common codes: 403 (forbidden), 400 (bad input), 202 (pending review).
Composite
CompositePolicy({ Trust: TrustLevelPolicy("medium"), Actions: ActionAllowlistPolicy([...]) })
requires all sub-guardrails to pass, stopping at the first rejection - and the
rejection message names which sub-guardrail failed.
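The composite semantics described above (all sub-guardrails must pass, evaluation stops at the first rejection, the message names the failing sub-guardrail), modelled as an added example that is not the framework's own code. The helper names, the `Message` field, and the initiator type strings `'automated'` and `'ai'` are assumptions made for illustration.

```javascript
// Added sketch: local stand-ins that model the page's fixed contract
// ({ Action, Initiator, Context } in, status with Code out).
// None of these helpers are the framework's API; Message is an assumed field.
const accepted = () => ({ Code: 0, Message: 'accepted' });
const rejected = (Code, Message) => ({ Code, Message });

// Trust mapping as stated on the page: low = humans only,
// medium = humans + automated (no AI), high = all allowed.
// The type strings 'automated' and 'ai' are assumed.
const ALLOWED_TYPES = {
  low: ['human'],
  medium: ['human', 'automated'],
  high: ['human', 'automated', 'ai'],
};

const trustLevel = (level) => async ({ Initiator }) =>
  ALLOWED_TYPES[level].includes(Initiator.Type)
    ? accepted()
    : rejected(403, `initiator type '${Initiator.Type}' not allowed at trust '${level}'`);

const actionAllowlist = (actions) => async ({ Action }) =>
  actions.includes(Action) ? accepted() : rejected(403, `action '${Action}' not allowlisted`);

// All sub-guardrails must pass. Stop at the first non-zero code and
// prefix the message with the name of the sub-guardrail that produced it.
const composite = (parts) => async (input) => {
  for (const [name, policy] of Object.entries(parts)) {
    const status = await policy(input);
    if (status.Code !== 0) return rejected(status.Code, `${name}: ${status.Message}`);
  }
  return accepted();
};

// Constructed sample inputs; the Audit spy records whether later
// sub-guardrails still run after an earlier one has rejected.
async function demo() {
  const calls = [];
  const spy = async () => { calls.push('Audit'); return accepted(); };
  const guard = composite({
    Trust: trustLevel('medium'), Actions: actionAllowlist(['read', 'list']), Audit: spy,
  });
  const human = { Type: 'human', Id: 'alice@team.com' };
  const ok = await guard({ Action: 'read', Initiator: human, Context: {} });
  const badAction = await guard({ Action: 'delete', Initiator: human, Context: {} });
  const badTrust = await guard({ Action: 'read', Initiator: { Type: 'ai', Id: 'agent-1' }, Context: {} });
  return { ok, badAction, badTrust, auditRuns: calls.length };
}
```

Because the composite returns on the first non-zero code, a 202 from any sub-guardrail also stops evaluation and is passed through unchanged, so a caller that only proceeds on Code 0 stays fail-closed.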
On a Steward operation
Operation.Governance(policy) gives an Operation its own guardrail, independent of
the Steward's defaults: a write op might require medium trust while a read op
allows all. The Steward doesn't reach in to enforce - the Operation self-governs.
Every guardrail is a declaration, not a gate. Declare your intent alongside it
(GovernancePolicyIntent(...).Expect(ExpectGovernanceAccepted()).Run()) and the
boundary is machine-verifiable and version-controlled.