Releases: lua-ai-global/governance

v0.13.0 — Conventions flip + deprecation notices

16 Apr 17:45

Follow-up to 0.12. Two small, deliberate changes that the 0.12 roadmap promised — committed now so users have runtime notice before 1.0.

OTel `conventions` default flips from `"both"` to `"gen_ai"`

`createOtelHooks()` now defaults to emitting only the GenAI semantic conventions. Governance spans correlate out of the box with Anthropic, OpenAI, and Vercel-AI SDK spans in Honeycomb / Datadog / New Relic.

Migration. If your dashboards query the legacy `governance.*` operation names (`governance.enforcement`, `governance.audit`, etc.), set `conventions: "both"` explicitly:

```ts
createOtelHooks({ conventions: "both" });
```

This keeps the old op names alongside the new `gen_ai.*` attributes — same as the 0.12 default. `conventions: "governance"` disables GenAI emission entirely for customers who cannot adopt the spec yet.

`createMCPTrustRegistry` and `createChainAuditor` now warn

Both names misrepresented what the functions do. The honest names shipped as path re-exports in 0.12; 0.13 adds a one-shot `console.warn` when the old names are called so you see the nudge at runtime, once per process.

  • `createMCPTrustRegistry` → rename to `createMCPAllowlist` (path: `governance-sdk/plugins/mcp-allowlist`)
  • `createChainAuditor` → rename to `createMCPCallRecorder` (path: `governance-sdk/plugins/mcp-call-recorder`)

Removal scheduled for 1.0. Behaviour identical across both names — internals refactored into a shared `buildAllowlist` / `buildCallRecorder` so the honest names call the core directly and don't retrigger the deprecation path.

Tests

1,340 tests, 0 failures (up from 1,337).

What's next

  • 0.14 — Multi-modal input scanning + signed compliance evidence export.

v0.12.0 — Trust hardening

16 Apr 16:58

Closes the three most load-bearing honesty gaps surfaced by the post-0.11 audit. Theme: the things the SDK already claims must actually hold up under restart, real observability, and real naming.

Durable integrity audit chain

Before 0.12, integrityAudit: { signingKey } held chain state (latest hash, sequence, per-event integrity) in a createGovernance() closure. Process restart reset the chain to genesis and every Postgres event lost its integrity metadata because the write path never touched the integrity_* columns the schema defined.

  • GovernanceStorage gained three optional methods: createAuditEventWithIntegrity(), getChainHead(), getAuditIntegrity(). Memory and Postgres adapters implement all three.
  • createGovernance() now persists integrity metadata in a single INSERT when the adapter is integrity-aware, and resumes the chain from getChainHead() on boot. Kill the process mid-stream, boot a fresh instance, and verifyAuditIntegrity() passes across the restart boundary.
  • Third-party adapters written against the 0.11 interface still work. They fall back to the old in-process integrity map and emit an onAuditError notice.
  • Postgres schema: integrity columns in base DDL, integrity_sequence widened to BIGINT, unique partial index prevents duplicate sequences under concurrent writers.
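The restart behaviour described above, as an added TypeScript example (not governance-sdk's own code): chain state is read back from storage on boot, so verification passes across a restart, while a writer that restarts from genesis collides with the unique sequence constraint. `DurableStore`, `createLogger`, `verifyChain`, `mac` and `GENESIS` are hypothetical names, and HMAC-SHA256 over sequence, previous hash and payload is an assumed chain construction.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// All names are hypothetical; this models the idea, not governance-sdk internals.
interface ChainedEvent { sequence: number; payload: string; prevHash: string; hash: string }
const GENESIS = "0".repeat(64);

// Stand-in for a durable table: it outlives any single logger ("process").
class DurableStore {
  readonly rows: ChainedEvent[] = [];
  insert(e: ChainedEvent): void {
    // Plays the role of a unique index on the sequence column.
    if (this.rows.some((r) => r.sequence === e.sequence)) throw new Error("duplicate sequence");
    this.rows.push(e);
  }
  head(): ChainedEvent | undefined { return this.rows[this.rows.length - 1]; }
}

// Payload goes last so the newline-delimited fields cannot be confused.
function mac(key: string, seq: number, prevHash: string, payload: string): string {
  return createHmac("sha256", key).update(`${seq}\n${prevHash}\n${payload}`).digest("hex");
}

// One logger models one process lifetime; resume=false restarts the chain from genesis.
function createLogger(store: DurableStore, key: string, resume: boolean): (payload: string) => void {
  const head = resume ? store.head() : undefined;
  let seq = head ? head.sequence : 0;
  let prevHash = head ? head.hash : GENESIS;
  return (payload: string): void => {
    const next = seq + 1;
    const hash = mac(key, next, prevHash, payload);
    store.insert({ sequence: next, payload, prevHash, hash }); // event and integrity in one write
    seq = next;
    prevHash = hash;
  };
}

function verifyChain(rows: ChainedEvent[], key: string): boolean {
  let prevHash = GENESIS;
  let expected = 1;
  for (const e of rows) {
    if (e.sequence !== expected || e.prevHash !== prevHash) return false;
    const want = Buffer.from(mac(key, e.sequence, e.prevHash, e.payload), "hex");
    const got = Buffer.from(e.hash, "hex");
    if (want.length !== got.length || !timingSafeEqual(want, got)) return false;
    prevHash = e.hash;
    expected += 1;
  }
  return true;
}
```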

OTel GenAI semantic conventions

createOtelHooks() gained a conventions: "governance" | "gen_ai" | "both" option. "both" (the 0.12 default) is additive: governance.* still emits, and gen_ai.system, gen_ai.request.model, gen_ai.usage.input_tokens/output_tokens, gen_ai.response.finish_reasons, gen_ai.tool.name, gen_ai.tool.call.id appear alongside. "gen_ai" switches operation names to the GenAI form so governance spans correlate with Anthropic / OpenAI / Vercel-AI SDK spans in Honeycomb / Datadog / New Relic. Default flips to "gen_ai" in 0.13.

Honest naming for MCP plugins

  • createMCPAllowlist (new path: governance-sdk/plugins/mcp-allowlist) — was createMCPTrustRegistry
  • createMCPCallRecorder (new path: governance-sdk/plugins/mcp-call-recorder) — was createChainAuditor

The original exports stay and behave identically. Rename on your next touch of the file; no rush.

Fixed — remote status staleness after 4xx errors

createRemoteEnforcer().status() flipped connected: false on any RemoteEnforcementError, including non-retryable 4xxs. A 4xx means the API answered — the connection is live. Status now only reports connected: false on network/timeout failures.

Tests

1,337 tests, 0 failures. CI green.

What's next

  • 0.13 — Ship governance-sdk-ml (real ML classifier, published benchmark report).
  • 0.14 — Multi-modal input scanning + signed compliance evidence export.

v0.11.2 — Automate README sync (no code changes)

16 Apr 00:13

Adds infrastructure to keep packages/governance/README.md (the file npm publishes) in sync with the repo-root README — so the v0.11.1 fix can never silently regress.

What's new

  • scripts/sync-readme.mjs — generates the package README from the root, normalizing repo-relative links (./packages/..., ./LICENSE, ./CONTRIBUTING.md, etc.) to absolute GitHub URLs so they resolve correctly on npmjs.com. Idempotent.
  • prepublishOnly hook runs sync-readme before tsc, guaranteeing every npm release ships an in-sync README.
  • npm run sync-readme at the monorepo root for manual runs during dev.
  • CI guard added to .github/workflows/ci.yml — fails the build if anyone commits a manual edit to the package README without running the sync. Catches drift on PRs.

What's NOT new

No code changes. SDK behavior identical to 0.11.1. This is purely build/CI infra.

If you're already on 0.11.1, this upgrade is unnecessary unless you want to track infra fixes.

v0.11.1 — Sync npm README with repo (no code changes)

15 Apr 23:49

The packages/governance/README.md (the file npm publishes) had drifted ~3 release cycles behind the repo-root README. This patch syncs the two so npm users see the same content GitHub viewers see — including the "What this is NOT" scope disclosures, the 0.11 module removals, and the behavioral-scorer demotion.

Relative links normalized to absolute GitHub URLs so they resolve correctly when read on npmjs.com.

No code changes. SDK behavior identical to 0.11.0.

If you're already on 0.11.0, this upgrade is purely cosmetic — bump for accurate npm docs.

v0.11.0 — Scope honesty pass 2

15 Apr 23:49

Follow-up to the v0.10 cleanup. After a feature-by-feature audit against actual governance-cloud consumers and major competitors (Microsoft agent-governance-toolkit, NeMo Guardrails, Phoenix, Langfuse, Braintrust), this release removes 5 modules with no consumers and clarifies framing around 4 more that were oversold as built-in observability/eval infrastructure.

1,328 tests pass with 0 failures. 0 runtime dependencies (unchanged).

Removed (BREAKING)

  • governance-sdk/eval-trace, governance-sdk/eval-scorer, governance-sdk/eval-types, and the gov.eval field on GovernanceInstance. The in-memory trace ring buffer + naive eval-adjustment scoring loop was unused by every audited consumer and easily mistaken for a real eval pipeline. Use a dedicated harness (inspect-ai, PyRIT, Garak, Phoenix, Langfuse, Braintrust) and route results to your audit stream via gov.audit.log().
  • governance-sdk/plugins/mcp-annotations — annotation-rule generator was a static template, not a runtime governance feature.
  • governance-sdk/supply-chain-sbom — proprietary LuaAgentSBOM capability manifest with no producers or consumers. The CycloneDX exporter (governance-sdk/supply-chain-cyclonedx) and the supply-chain policy primitive (governance-sdk/supply-chain) remain.
  • GovernMCPConfig.traceCollector field — removed alongside gov.eval. Tool-call audit events still fire via gov.audit.

Demoted (no API change — README framing only)

  • metrics, otel-hooks, action-recorder, behavioral-scorer — remain shipped, but no longer headlined as built-in observability/eval/dynamic-trust features. A real OTel + OpenInference exporter and a TrustEngine promotion of behavioral scoring are on the v0.12 roadmap.

Migration

  • gov.eval.submit(...) callers: stop calling. Eval results should land in your existing audit stream or your harness's own store.
  • import { generateAgentSBOM } from 'governance-sdk/supply-chain-sbom': if you need an SBOM, use governance-sdk/supply-chain-cyclonedx instead (CycloneDX 1.5, validates against the official schema).
  • import { generateAnnotationRules } from 'governance-sdk/plugins/mcp-annotations': no replacement; build annotation-aware rules directly with policy-builder or policy-yaml.
  • traceCollector in createGovernedMCP(...) config: drop the field.

Stats

  • 49 → 44 export paths
  • 1,358 → 1,328 tests
  • 0 runtime dependencies (unchanged)

Full changelog: https://github.com/lua-ai-global/governance/blob/main/packages/governance/CHANGELOG.md

v0.10.0 — Scope honesty release

15 Apr 23:49

Tightens the SDK to the surface we can defend, and is honest about everything it doesn't do. No new features. 1,348 tests pass with 0 failures.

Removed (BREAKING)

  • governance-sdk/federation — was advisory-only posture exchange with no distributed protocol or signature enforcement. (Note: as of 0.11 this is also not shipped in Lua Governance Cloud.)
  • governance-sdk/sandbox — was a node:vm wrapper. node:vm is not a security boundary (per Node docs; see CVE-2023-32002-class escapes). Use OS-level isolation (containers, gVisor, Firecracker) for untrusted code.
  • governance-sdk/eval-red-team and gov.eval.runRedTeam(...) — was a policy-effectiveness audit, not adversarial jailbreak testing. Use a dedicated harness (inspect-ai, PyRIT, Garak) and submit results via gov.eval.submit(...).
  • packages/governance-benchmark moved to research/governance-benchmark/ and marked private.

Renamed (additive — old names still work for one minor)

  • dryRun → simulatePolicy (preferred)
  • fleetDryRun → simulateFleetPolicy (preferred)
  • assessCompliance → mapToEuAiAct (preferred)

Documentation

  • New "What this is NOT" section pre-empting scope questions (kill switch is per-process, sandbox gone, injection F1 ≈ 0.48, compliance is self-assessment, SBOM is npm-only, eval is in-memory, etc.)
  • Fixed pattern-count drift: README says 54 patterns (matching source).
  • Benchmark README reports actual baseline numbers (precision 0.685, recall 0.373, F1 0.483, FP rate 0.074).

Migration

  • If you imported from governance-sdk/federation, governance-sdk/sandbox, or governance-sdk/eval-red-team — those subpaths are gone.
  • If you used dryRun / fleetDryRun / assessCompliance, those still work in 0.10 — but simulatePolicy / simulateFleetPolicy / mapToEuAiAct are the preferred names.

v0.9.0 — Full LLM lifecycle coverage across featured adapters

14 Apr 22:29

Highlights

Full pre/post/streaming coverage across all 10 featured framework adapters. Every featured adapter now supports input pre-scan, output post-scan, streaming post-scan (buffered / sliding / per-chunk), and tool-call enforcement.

What's new

Featured adapters — full lifecycle

  • Vercel AI SDK: createGovernanceMiddleware now returns transformParams (pre), wrapGenerate (post), wrapStream (streaming post). Config accepts streamMode, streamLookbackChunks, streamLookbackChars.
  • Anthropic SDK: createGovernedMessages, createGovernedMessageStream
  • LangChain: wrapChatModel overrides .invoke() and .stream() with governance pre/post enforcement
  • OpenAI Agents SDK: createInputGuardrail, createOutputGuardrail produce SDK-native guardrail objects
  • Mastra Processor — implements processOutputStream with per-chunk / sliding / buffered modes
  • Mastra middleware — exposes scanInput, scanOutput, scanOutputStream helpers
  • Genkit: createGovernedGenerate, createGovernedGenerateStream
  • LlamaIndex: wrapLlamaLLM wraps any LLM implementing chat({ messages, stream? })
  • Mistral: createGovernedChat, createGovernedChatStream
  • Ollama: createGovernedOllamaChat, createGovernedOllamaChatStream

Specialty adapters

  • MCP — added symmetric input injection scan on tool-call arguments (scanToolInputs, inputInjectionThreshold) to match existing output scan
  • Bedrock — entry-gate pre-scan on invokeAgent input + scanOutput helper for post-scan

Shared core

  • New src/plugins/pre-post-enforce.ts and src/plugins/pre-post-stream.ts — shared pre/post + streaming helpers power every featured adapter.

Breaking changes

Drop Node 18 support

engines.node bumped from >=18 to >=20. Node 18 reached end-of-life in April 2025, and several existing tests (Ed25519 agent identity, audit-integrity HMAC chain, agent-identity tokens) require crypto primitives that aren't reliable on Node 18. CI matrix is now [20, 22, 24].

Pruned 8 adapter stubs

Removed plugins/crewai, plugins/autogen, plugins/semantic-kernel, plugins/a2a, plugins/e2b, plugins/deno, plugins/cloudflare-ai, plugins/composio — they didn't meaningfully govern anything. Python support is via the Lua Governance REST API.

Docs

READMEs refactored to a single Featured tier (10 adapters) and a Specialty tier (MCP, Bedrock) with honest scope framing.

Install

```bash
npm install governance-sdk
```

Zero runtime dependencies. 1,291 tests. MIT licensed.

Full changelog: https://github.com/lua-ai-global/governance/blob/main/packages/governance/CHANGELOG.md