PolicyStrata
Docs/Agent Assurance
Runner evidenceOrg tenancyRelease gates

Agent Assurance docs

Agent Assurance is the control plane for teams shipping enterprise AI agents. Self-hosted runners execute DocPull and PolicyStrata locally, then upload normalized evidence for review, release gating, and audit history.

Self-hosted runners
Evidence packs
Release decisions
Org tenancy

Runner flow

The runner operates inside CI, a developer machine, or a customer VPC. It invokes the OSS engines, writes artifacts, exits non-zero when gates fail, and uploads metadata to the control plane.

bash
agent-assurance runner init support-bi-copilot
docpull sync --source customer-support-docs
policystrata scan --suite customer-data-access
agent-assurance evidence upload

Evidence contract

Runners upload an assurance run and optionally an evidence pack. The API stores source sets, policy suites, findings, run history, artifact references, and release summaries.

payload
{
  "run": {
    "schemaVersion": "0.1.0",
    "runId": "run_demo_saas_bi_20260706",
    "project": "saas-bi-agent",
    "status": "blocked",
    "tools": {
      "docpull": "6.x",
      "policystrata": "1.x"
    },
    "findings": {
      "context": [],
      "policy": []
    }
  },
  "evidencePack": {
    "packId": "pack_demo_saas_bi_20260706",
    "status": "blocked",
    "runRefs": ["run_demo_saas_bi_20260706"]
  }
}
NameUse it for
passedNo configured release gate failed.
failedA gate failed and needs remediation or waiver.
blockedA blocker prevents release under the configured policy.
needs_reviewEvidence requires human review before release.

Dashboard

The dashboard answers the release question: what changed, what failed, what evidence supports the decision, and can this agent ship?

Data handling

Default enterprise mode is metadata-first. Source credentials, private documents, full traces, schemas, and customer rows should stay inside the customer environment unless a deployment explicitly chooses a redacted artifact mode.

Upload only review evidence

Prefer hashes, tool versions, source names, severity, summarized findings, redacted witnesses, artifact references, and reviewer decisions.

Tenancy

The app uses Better Auth organizations, Neon Postgres, Drizzle, and organization-scoped access paths. Product data is keyed byorganization_id and runtime queries set tenant context before dashboard reads and persistence.

NameUse it for
ProjectThe agent or AI workflow under assurance.
Assurance runOne runner execution against a project or release candidate.
FindingA normalized context or policy issue emitted by OSS engines.
Evidence packA reviewable release bundle with summary, hashes, artifacts, and approvals.

OSS engines

Agent Assurance does not reimplement context crawling or policy scanning. The OSS engines remain independently useful and feed the commercial release workflow.

Local setup

Local development needs Bun, Postgres connection strings, and a Better Auth secret. Without a database, the app shows setup mode instead of authenticated multi-tenant UI.

bash
bun install
cp .env.example .env.local
bun run db:migrate
bun run dev