Introducing Runtime Governance for AI Agents: Sekuire TypeScript SDK v0.2.0

Open-source TypeScript SDK for runtime governance of AI agents - policy enforcement, Ed25519 audit signing, and multi-provider LLM support.

March 2, 2026 | 3 min read | By Joel Fickson Ngozo
[Figure: Diagram illustrating runtime governance for AI agents using Sekuire SDK]


AI agents are moving into production fast—but most are doing it without guardrails. Sekuire’s TypeScript SDK v0.2.0 brings a local-first, standards-based governance layer to every LLM call, tool invocation, network request, and filesystem access.

This release implements the Open Agent Governance Specification (OAGS) in a way that fits directly into your existing TypeScript stack: three files, one import, zero platform dependency.

The Problem

Teams building with OpenAI, Anthropic, Google, Ollama, or local models have no consistent way to define and enforce what their agents are allowed to do at runtime. Typical issues include:

Model access: Any agent can call any model key it has access to.

Tool permissions: Tools are wired in code, often with overly broad capabilities.

Network boundaries: Agents can call arbitrary domains if the HTTP client allows it.

Filesystem constraints: Read/write access is rarely scoped or audited.

When something goes wrong—an agent calls a blocked tool, hits a restricted model, or reaches out to an unauthorized domain—there’s usually:

No policy layer to prevent the action.

No signed audit trail to reconstruct what happened.

Governance becomes a patchwork of ad-hoc checks, environment variables, and code comments.

What the Sekuire TypeScript SDK Does

The Sekuire TypeScript SDK is a local-first governance layer for AI agents. It:

Implements the Open Agent Governance Specification (OAGS).

Runs entirely inside your process—no network calls, no external platform.

Requires no account and no extra infrastructure.

You define policies in a sekuire.yml file next to your agent code. At runtime, a PolicyEnforcer evaluates every sensitive action against those rules:

LLM calls

Tool invocations

Network requests

Filesystem access

If an action violates policy, the SDK throws a PolicyViolationError before the action executes.

Result: Governance is centralized in a single policy file, enforced consistently across your agents, with no changes required from your LLM provider.

What’s New in v0.2.0

Version 0.2.0 closes key gaps between running locally and running safely in production. It introduces four major capabilities:

1. LLM-Layer Policy Enforcement

Every supported LLM provider—OpenAI, Anthropic, Google, and Ollama—now integrates with the policy layer via:

enforcePreCall() before each chat() or chatStream() invocation.

enforcePostCall() after each call completes.

2. Production Override Protection

To prevent dev-only overrides from leaking into production:

The SEKUIRE_POLICY_DEV_OVERRIDE env var and the override constructor flag are silently ignored when NODE_ENV=production.

This guarantees that a process running with NODE_ENV=production always respects the committed policy, regardless of local dev shortcuts.

3. Policy Immutability

When the PolicyEnforcer is constructed, Object.freeze() is applied to the ActivePolicy and its content.

Once loaded, the policy becomes immutable at runtime:

No accidental or malicious mutation of policy rules

Stronger guarantees that what you reviewed is what is enforced

4. Ed25519 Event Signing

SekuireLogger now supports cryptographically signed audit events:

Accepts a privateKey config option

Signs every audit event payload with Ed25519

Each event carries a signature verifiable with the corresponding public key

This enables:

Tamper-evident audit logs

Verifiable incident reconstruction

Stronger compliance posture
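
How signing and verifying such an audit event can work, as an added example that is not Sekuire's code: it uses Node's built-in crypto module to sign a canonical serialization of the event, then shows that a reordered copy still verifies while an edited one does not. The event fields, the canonical JSON form and the function names are assumptions, since this page does not show the SDK's event schema or signing format.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

// Assumed event shape: the SDK's real audit event schema is not shown on this page.
type AuditEvent = Record<string, unknown>;
type SignedEvent = { event: AuditEvent; signature: string };

// Deterministic JSON: sort object keys recursively so signer and verifier
// process identical bytes regardless of property insertion order.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map((v) => canonicalize(v)).join(',')}]`;
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    const body = Object.keys(obj)
      .filter((k) => obj[k] !== undefined)
      .sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`);
    return `{${body.join(',')}}`;
  }
  return JSON.stringify(value);
}

function signEvent(event: AuditEvent, privateKey: KeyObject): SignedEvent {
  // Ed25519 hashes internally, so the digest algorithm argument is null.
  const sig = sign(null, Buffer.from(canonicalize(event)), privateKey);
  return { event, signature: sig.toString('base64') };
}

function verifyEvent(signed: SignedEvent, publicKey: KeyObject): boolean {
  const sig = Buffer.from(signed.signature, 'base64');
  if (sig.length !== 64) return false; // Ed25519 signatures are exactly 64 bytes
  return verify(null, Buffer.from(canonicalize(signed.event)), publicKey, sig);
}

// Constructed sample: throwaway key pair and a denied tool call.
const keys = generateKeyPairSync('ed25519');
const signed = signEvent(
  { ts: '2026-03-02T10:00:00Z', action: 'tool.invoke', tool: 'execute_shell', decision: 'deny' },
  keys.privateKey,
);
// Same fields in a different order still verify; an edited field does not.
const reordered: SignedEvent = {
  signature: signed.signature,
  event: { decision: 'deny', tool: 'execute_shell', action: 'tool.invoke', ts: '2026-03-02T10:00:00Z' },
};
const tampered: SignedEvent = { ...signed, event: { ...signed.event, decision: 'allow' } };

console.log(verifyEvent(signed, keys.publicKey), verifyEvent(reordered, keys.publicKey),
  verifyEvent(tampered, keys.publicKey));
```

Verification only gives tamper evidence if the public key is stored where the process writing the log cannot replace it.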

Getting Started

Install the SDK:

```bash
npm install @sekuire/sdk
```

Create a sekuire.yml policy file next to your agent code. Here is a minimal example:

```yaml
project:
  name: my-agent
  version: 1.0.0
policies:
  llm:
    allowed_models:
      - gpt-4o
      - claude-sonnet-4-20250514
  tools:
    blocked:
      - execute_shell
  network:
    allowed_domains:
      - api.openai.com
      - api.anthropic.com
```

Then initialize the enforcer in your agent code:

```typescript
import { createGovernedAgent } from '@sekuire/sdk';

const agent = await createGovernedAgent({
  provider: 'openai',
  model: 'gpt-4o',
});
```

See the README for full configuration options and advanced usage.

Links

OAGS Specification: github.com/sekuire/oags

Documentation: docs.sekuire.ai