Agent Assurance docs
Agent Assurance is the control plane for teams shipping enterprise AI agents. Self-hosted runners execute DocPull and PolicyStrata locally, then upload normalized evidence for review, release gating, and audit history.
Runner flow
The runner operates inside CI, a developer machine, or a customer VPC. It invokes the OSS engines, writes artifacts, exits non-zero when gates fail, and uploads metadata to the control plane.
agent-assurance runner init support-bi-copilot
docpull sync --source customer-support-docs
policystrata scan --suite customer-data-access
agent-assurance evidence uploadEvidence contract
Runners upload an assurance run and optionally an evidence pack. The API stores source sets, policy suites, findings, run history, artifact references, and release summaries.
{
"run": {
"schemaVersion": "0.1.0",
"runId": "run_demo_saas_bi_20260706",
"project": "saas-bi-agent",
"status": "blocked",
"tools": {
"docpull": "6.x",
"policystrata": "1.x"
},
"findings": {
"context": [],
"policy": []
}
},
"evidencePack": {
"packId": "pack_demo_saas_bi_20260706",
"status": "blocked",
"runRefs": ["run_demo_saas_bi_20260706"]
}
}| Name | Use it for |
|---|---|
| passed | No configured release gate failed. |
| failed | A gate failed and needs remediation or waiver. |
| blocked | A blocker prevents release under the configured policy. |
| needs_review | Evidence requires human review before release. |
Dashboard
The dashboard answers the release question: what changed, what failed, what evidence supports the decision, and can this agent ship?
Data handling
Default enterprise mode is metadata-first. Source credentials, private documents, full traces, schemas, and customer rows should stay inside the customer environment unless a deployment explicitly chooses a redacted artifact mode.
Upload only review evidence
Tenancy
The app uses Better Auth organizations, Neon Postgres, Drizzle, and organization-scoped access paths. Product data is keyed byorganization_id and runtime queries set tenant context before dashboard reads and persistence.
| Name | Use it for |
|---|---|
| Project | The agent or AI workflow under assurance. |
| Assurance run | One runner execution against a project or release candidate. |
| Finding | A normalized context or policy issue emitted by OSS engines. |
| Evidence pack | A reviewable release bundle with summary, hashes, artifacts, and approvals. |
OSS engines
Agent Assurance does not reimplement context crawling or policy scanning. The OSS engines remain independently useful and feed the commercial release workflow.
Local setup
Local development needs Bun, Postgres connection strings, and a Better Auth secret. Without a database, the app shows setup mode instead of authenticated multi-tenant UI.
bun install
cp .env.example .env.local
bun run db:migrate
bun run dev