Skip to content

feat(governance): Add GovernancePlugin for runtime agent governance#102

Open
sunilp wants to merge 2 commits intogoogle:mainfrom
sunilp:feat/governance-plugin
Open

feat(governance): Add GovernancePlugin for runtime agent governance#102
sunilp wants to merge 2 commits intogoogle:mainfrom
sunilp:feat/governance-plugin

Conversation

@sunilp
Copy link
Copy Markdown

@sunilp sunilp commented Mar 19, 2026

Summary

Adds a GovernancePlugin that provides runtime governance for ADK agents — policy-based tool filtering, delegation scope enforcement, and structured audit trails — without modifying agent logic.

Moved here from google/adk-python#4897 per maintainer guidance (community plugins belong in this repo).

What it does

  • Policy-based tool filtering — evaluate tool calls against custom policies before execution; deny with structured reasons
  • Tool argument validation — regex-based argument pattern enforcement (e.g., SQL queries must start with SELECT)
  • Delegation scope enforcement — control which agents can delegate to which other agents
  • Structured audit trail — every policy decision logged with timestamp, agent, tool, decision, and reason
  • Pluggable architecture — custom PolicyEvaluator protocol for organization-specific rules; custom AuditHandler for integration with logging/SIEM systems

Usage

from google.adk_community.governance import (
    GovernancePlugin, PolicyEvaluator, PolicyDecision, ToolPolicy,
)

class MyPolicyEvaluator(PolicyEvaluator):
    async def evaluate_tool_call(self, *, tool_name, tool_args,
                                 agent_name, context):
        if tool_name == "dangerous_tool":
            return PolicyDecision.deny("Tool not allowed by policy")
        return PolicyDecision.allow()

plugin = GovernancePlugin(
    policy_evaluator=MyPolicyEvaluator(),
    tool_policies={"sql_tool": ToolPolicy(allowed_arg_patterns={"query": r"^SELECT"})},
)
# runner = Runner(..., plugins=[plugin])

Files

  • src/google/adk_community/governance/governance_plugin.py — plugin implementation (692 lines)
  • src/google/adk_community/governance/__init__.py — public API exports
  • tests/unittests/governance/test_governance_plugin.py — unit tests (577 lines)

Testing plan

  • 577 lines of unit tests covering: policy evaluation, tool filtering, argument validation, delegation scope enforcement, audit trail generation, edge cases
  • Tests use mocks for ADK internals (BaseAgent, CallbackContext, InvocationContext)

Related

@sunilp
feat(governance): Add GovernancePlugin for runtime agent governance
ff756ea 
Adds policy-based tool filtering, delegation scope enforcement,
and structured audit trails for ADK agents.

Moved from google/adk-python#4897 per maintainer guidance.
This was referenced Mar 20, 2026
Closed
Closed
aeoess pushed a commit to aeoess/agent-passport-python that referenced this pull request Mar 20, 2026
feat: APSPolicyEvaluator — ADK GovernancePlugin adapter
092d329 
Maps sunilp's PolicyEvaluator protocol (google/adk-python-community#102)
to APS 3-signature policy chain (intent → decision → receipt).

- APSPolicyEvaluator: evaluate_tool_call + evaluate_agent_delegation
- APSPolicyDecision: duck-typed compatible with ADK's PolicyDecision
- Wildcard scope expansion (tool:* → specific tool)
- Monotonic narrowing enforcement for delegation
- Full cryptographic proof chain in metadata
- 16 tests, 3 suites, 102 total passing

102 tests, 0 failures.
@sunilp
Copy link
Copy Markdown
Author

sunilp commented Mar 27, 2026

Friendly bump — anything needed from my side to move this forward? Happy to address feedback or adjust the scope.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sunilp