Release governance-sdk 0.12.0

- Durable integrity chain: chain state persists to storage atomically
  and resumes on restart via getChainHead(); legacy adapters degrade
  gracefully with onAuditError warning
- OTel GenAI semantic conventions: dual-emit gen_ai.* attributes
  alongside governance.* for APM correlation; conventions: 'both' | 'gen_ai' | 'governance'
- Honest MCP naming: mcp-allowlist and mcp-call-recorder re-export aliases
  alongside original mcp-trust and mcp-chain-audit
- Fix remote-enforce lastConnected staleness: 4xx errors no longer mark
  connection as offline — only network failures do
- README: clarify Bedrock entry-gate scope and multi-modal gap
- Postgres schema: integrity columns in base DDL, BIGINT sequence,
  unique partial index; auto-migration on connect

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: scotty595

README.md

@@ -65,11 +65,25 @@ detection — nothing more. To pre-empt scope questions:
 - **Simulator does not replay side effects** — it evaluates policy outcomes
   against synthetic scenarios, it does not execute tools.
 - **`enforce()` does not hash-chain by default** — opt in with
-  `integrityAudit: { signingKey }` for tamper-evident audit.
+  `integrityAudit: { signingKey }` for tamper-evident audit. Since 0.12
+  the chain is persisted durably (survives process restart) when the
+  storage adapter supports `createAuditEventWithIntegrity` (memory and
+  Postgres adapters both do). HMAC chains are still only tamper-evident
+  to holders of the signing secret — rotate and pair with an external
+  anchor if you need adversary-grade non-repudiation.
 - **Cloud `register()` is a synthetic confirmation** — the API auto-registers
   on first `enforce()`.
 - **No built-in red team / jailbreak harness.** Use inspect-ai, PyRIT, or
   Garak — a policy-only harness would be easily mistaken for model coverage.
+- **Bedrock is entry-gate only.** The Bedrock adapter scans the prompt
+  going into `invokeAgent` and (with a helper) the final response text.
+  Tool executions **inside** AWS action groups are opaque — the adapter
+  cannot see them, let alone block them. Use `guardToolUse()` to enforce
+  at the tool level manually, or push tool calls onto the host side.
+- **Multi-modal content is not scanned.** Image, PDF, and audio blocks
+  on Anthropic/Vercel AI/Genkit/LlamaIndex/Bedrock are passed through
+  without injection detection. A vision-enabled agent bypasses every
+  input scan in this release. Multi-modal coverage lands in 0.13.
 
 ## Packages
 

packages/governance/CHANGELOG.md

@@ -1,5 +1,91 @@
 # Changelog
 
+## [0.12.0] - 2026-04-16 — Trust hardening
+
+Closes the three most load-bearing honesty gaps surfaced by the post-0.11
+audit. Theme: the things the SDK already claims must actually hold up under
+restart, real observability, and real naming.
+
+### Changed — integrity audit chain is now durable (BREAKING-ISH)
+
+Before 0.12, `integrityAudit: { signingKey }` maintained chain state
+(latest hash, sequence, per-event integrity) in a `createGovernance()`
+closure. Process restart reset the chain to genesis and every event in
+Postgres lost its integrity metadata because the write path never touched
+the `integrity_*` columns the schema already defined.
+
+**What changed:**
+- `GovernanceStorage` gained three optional methods —
+  `createAuditEventWithIntegrity(event, integrity)`, `getChainHead()`,
+  `getAuditIntegrity(eventId)`. Memory and Postgres adapters implement
+  all three.
+- `createGovernance()` now writes the event and its integrity metadata
+  in a single `INSERT` when the storage adapter is integrity-aware, and
+  resumes the chain from `getChainHead()` on boot. Kill the process
+  mid-stream, boot a fresh instance, and `integrityChain.stats()`
+  returns the pre-crash sequence; `verifyAuditIntegrity()` passes across
+  the restart boundary.
+- Third-party storage adapters written against the 0.11 interface still
+  work. They fall back to the old in-process integrity map and emit an
+  `onAuditError` notice explaining the chain is session-local on that
+  adapter.
+
+**Schema:** the base `getSchemaSQL()` now creates the integrity columns
+on fresh tables; the existing `getIntegrityMigrationSQL()` remains for
+0.11.x tables. Both paths are idempotent (`CREATE TABLE IF NOT EXISTS`,
+`ADD COLUMN IF NOT EXISTS`). `integrity_sequence` widened from `INTEGER`
+to `BIGINT`. A `UNIQUE` index on `integrity_sequence` enforces no
+duplicate sequences even under concurrent writers.
+
+**Honesty update:** the "What this is NOT" section in the README was
+rewritten to state what HMAC chains prove and don't prove. No more
+"tamper-evident" without the caveat.
+
+### Changed — OTel GenAI semantic conventions
+
+`createOtelHooks()` gained a `conventions: "governance" | "gen_ai" | "both"`
+option. `"both"` (the 0.12 default) is additive: existing `governance.*`
+attributes and operation names still emit, and `gen_ai.system`,
+`gen_ai.request.model`, `gen_ai.usage.input_tokens` /
+`gen_ai.usage.output_tokens`, `gen_ai.response.finish_reasons`,
+`gen_ai.tool.name`, `gen_ai.tool.call.id` appear alongside when present
+in the event detail. `"gen_ai"` switches operation names to the GenAI
+form (`gen_ai.policy.evaluate`, `gen_ai.tool.execute`,
+`gen_ai.agent.register`, `gen_ai.audit.log`) so governance spans can
+correlate with Anthropic / OpenAI / Vercel-AI SDK spans in Honeycomb /
+Datadog / New Relic. The default flips to `"gen_ai"` in 0.13.
+
+### Changed — honest naming for MCP plugins
+
+`createMCPTrustRegistry` is a URI allowlist, not a cryptographic trust
+registry; `createChainAuditor` records caller-reported MCP calls, not
+auto-propagated sub-calls. Both are now also exported under honest
+names:
+
+- `createMCPAllowlist` (new export path:
+  `governance-sdk/plugins/mcp-allowlist`)
+- `createMCPCallRecorder` (new export path:
+  `governance-sdk/plugins/mcp-call-recorder`)
+
+The original exports stay at their original paths and behave
+identically. Rename on your next touch of the file; no rush.
+
+### Fixed — remote status staleness after 4xx errors
+
+`createRemoteEnforcer().status()` flipped `connected: false` whenever
+the last `enforce()` call threw a `RemoteEnforcementError`, even on a
+non-retryable 4xx. A 4xx means the API answered us — the connection is
+fine. Status now stays `connected: true` through API-layer errors and
+only reports `connected: false` on a network/timeout failure.
+
+### Roadmap (0.13+)
+
+Not in this release; on the roadmap:
+- Shipped ML injection classifier as an opt-in peer-dep package.
+- Multi-modal input scanning (image / PDF / audio) on Anthropic / Vercel
+  AI / Genkit / LlamaIndex / Bedrock.
+- Compliance evidence export (signed, dated dossiers).
+
 ## [0.11.2] - 2026-04-16 — Automate README sync
 
 Adds infrastructure to prevent the npm README from drifting out of sync

packages/governance/README.md

@@ -65,11 +65,25 @@ detection — nothing more. To pre-empt scope questions:
 - **Simulator does not replay side effects** — it evaluates policy outcomes
   against synthetic scenarios, it does not execute tools.
 - **`enforce()` does not hash-chain by default** — opt in with
-  `integrityAudit: { signingKey }` for tamper-evident audit.
+  `integrityAudit: { signingKey }` for tamper-evident audit. Since 0.12
+  the chain is persisted durably (survives process restart) when the
+  storage adapter supports `createAuditEventWithIntegrity` (memory and
+  Postgres adapters both do). HMAC chains are still only tamper-evident
+  to holders of the signing secret — rotate and pair with an external
+  anchor if you need adversary-grade non-repudiation.
 - **Cloud `register()` is a synthetic confirmation** — the API auto-registers
   on first `enforce()`.
 - **No built-in red team / jailbreak harness.** Use inspect-ai, PyRIT, or
   Garak — a policy-only harness would be easily mistaken for model coverage.
+- **Bedrock is entry-gate only.** The Bedrock adapter scans the prompt
+  going into `invokeAgent` and (with a helper) the final response text.
+  Tool executions **inside** AWS action groups are opaque — the adapter
+  cannot see them, let alone block them. Use `guardToolUse()` to enforce
+  at the tool level manually, or push tool calls onto the host side.
+- **Multi-modal content is not scanned.** Image, PDF, and audio blocks
+  on Anthropic/Vercel AI/Genkit/LlamaIndex/Bedrock are passed through
+  without injection detection. A vision-enabled agent bypasses every
+  input scan in this release. Multi-modal coverage lands in 0.13.
 
 ## Packages
 

packages/governance/package.json

@@ -1,6 +1,6 @@
 {
   "name": "governance-sdk",
-  "version": "0.11.2",
+  "version": "0.12.0",
   "description": "AI Agent Governance for TypeScript — policy enforcement, scoring, compliance, and audit for AI agents",
   "type": "module",
   "main": "./dist/index.js",
@@ -161,10 +161,18 @@
       "types": "./dist/plugins/mcp-trust.d.ts",
       "import": "./dist/plugins/mcp-trust.js"
     },
+    "./plugins/mcp-allowlist": {
+      "types": "./dist/plugins/mcp-allowlist.d.ts",
+      "import": "./dist/plugins/mcp-allowlist.js"
+    },
     "./plugins/mcp-chain-audit": {
       "types": "./dist/plugins/mcp-chain-audit.d.ts",
       "import": "./dist/plugins/mcp-chain-audit.js"
     },
+    "./plugins/mcp-call-recorder": {
+      "types": "./dist/plugins/mcp-call-recorder.d.ts",
+      "import": "./dist/plugins/mcp-call-recorder.js"
+    },
     "./injection-classifier": {
       "types": "./dist/injection-classifier.d.ts",
       "import": "./dist/injection-classifier.js"

packages/governance/src/audit-chain-restart.test.ts

@@ -0,0 +1,107 @@
+/**
+ * Integration test: the HMAC integrity chain must survive process restart.
+ *
+ * Simulates the restart by discarding the original createGovernance()
+ * instance (closures gone, chain state lost) and creating a fresh one
+ * against the same storage. The second instance must resume the chain
+ * and produce events whose sequence continues from where the first
+ * instance left off, with verifyAuditIntegrity passing end-to-end.
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { createGovernance, createMemoryStorage } from "./index.js";
+import { verifyAuditIntegrity } from "./audit-integrity-verify.js";
+import type { GovernanceStorage } from "./storage.js";
+
+const KEY = "test-signing-key-0.12-restart";
+
+async function writeSomeEvents(gov: Awaited<ReturnType<typeof createGovernance>>, count: number) {
+  for (let i = 0; i < count; i++) {
+    await gov.audit.log({
+      agentId: "restart-agent",
+      eventType: "test_event",
+      outcome: "success",
+      severity: "info",
+      detail: { iteration: i },
+    });
+  }
+}
+
+describe("integrity chain restart durability (0.12)", () => {
+  it("resumes sequence from storage on fresh createGovernance() call", async () => {
+    const storage: GovernanceStorage = createMemoryStorage();
+
+    const gov1 = createGovernance({ storage, integrityAudit: { signingKey: KEY } });
+    await writeSomeEvents(gov1, 5);
+    const stats1 = gov1.integrityChain!.stats();
+    assert.equal(stats1.latestSequence, 5, "first instance wrote sequences 1..5");
+    const firstHash = stats1.latestHash;
+
+    // Simulate restart: drop gov1 entirely, keep storage.
+    const gov2 = createGovernance({ storage, integrityAudit: { signingKey: KEY } });
+    // Write one more event — must pick up at sequence 6 and chain to firstHash.
+    await writeSomeEvents(gov2, 1);
+    const stats2 = gov2.integrityChain!.stats();
+    assert.equal(stats2.latestSequence, 6, "second instance resumed at sequence 6");
+    assert.notEqual(stats2.latestHash, firstHash, "new event produced new head");
+
+    // Full chain must verify end-to-end across the boundary.
+    const chain = await gov2.integrityChain!.export();
+    assert.equal(chain.length, 6, "export includes all 6 events");
+    assert.deepEqual(
+      chain.map((e) => e.integrity.sequence),
+      [1, 2, 3, 4, 5, 6],
+      "sequences are contiguous across restart",
+    );
+
+    const verification = await verifyAuditIntegrity(chain, KEY);
+    assert.equal(verification.valid, true, verification.breakDetail ?? "chain should verify");
+    assert.equal(verification.eventsVerified, 6);
+  });
+
+  it("getChainHead returns null for empty storage (cold start)", async () => {
+    const storage = createMemoryStorage();
+    const head = await storage.getChainHead!();
+    assert.equal(head, null);
+  });
+
+  it("legacy storage adapter (no createAuditEventWithIntegrity) still works but warns", async () => {
+    // Build an adapter that implements the core interface but omits the
+    // new integrity methods, emulating a third-party 0.11.x adapter.
+    const base = createMemoryStorage();
+    const legacy: GovernanceStorage = {
+      createAgent: base.createAgent,
+      getAgent: base.getAgent,
+      getAgentByName: base.getAgentByName,
+      listAgents: base.listAgents,
+      updateAgent: base.updateAgent,
+      deleteAgent: base.deleteAgent,
+      createAuditEvent: base.createAuditEvent,
+      queryAuditEvents: base.queryAuditEvents,
+      countAuditEvents: base.countAuditEvents,
+      // intentionally omit: createAuditEventWithIntegrity, getChainHead, getAuditIntegrity
+    };
+
+    const warnings: unknown[] = [];
+    const gov = createGovernance({
+      storage: legacy,
+      integrityAudit: { signingKey: KEY },
+      onAuditError: (e) => warnings.push(e),
+    });
+
+    await writeSomeEvents(gov, 2);
+    const chain = await gov.integrityChain!.export();
+    assert.equal(chain.length, 2, "chain export still works via in-memory fallback");
+    const verification = await verifyAuditIntegrity(chain, KEY);
+    assert.equal(verification.valid, true);
+    assert.ok(
+      warnings.length >= 2,
+      "onAuditError fired at least once per write on legacy adapter",
+    );
+    assert.ok(
+      warnings.every((w) => w instanceof Error && /chain is session-local/.test(w.message)),
+      "warning explains the session-local downgrade",
+    );
+  });
+});