@governmyai/sdk
v0.1.1
Published
GovernMy.ai SDK — AI governance obligations, evidence tracking, and runtime compliance for Node.js codebases
Maintainers
governmyaiReadme
@governmyai/sdk
GovernMy.ai SDK — AI governance obligations, evidence tracking, and runtime compliance for Node.js codebases.
Covers EU AI Act, ISO 42001, Colorado AI Act, NIST AI RMF, HIPAA (AI provisions), SOX (AI provisions), and FTC AI guidance.
Install
npm install @governmyai/sdkGet a free API key at https://governmy.ai/developers.
Quick start
const { GovernMy } = require('@governmyai/sdk');
const govern = new GovernMy({ apiKey: process.env.GOVERNMY_API_KEY });
// What obligations apply to this AI system?
const response = await govern.getObligations({
riskTier: 'high',
role: 'provider',
industry: 'hr',
useCases: ['resume_screening'],
jurisdiction: ['EU'],
lifecyclePhase: 'deployment',
});
console.log(`${response.obligations.length} obligations apply.`);
console.log(`Human review required: ${response.humanReviewRequired}`);Important: obligations are not verdicts
The SDK never returns "compliant" or "not compliant." It returns obligations — regulatory requirements that apply to your AI system, with flags indicating which require human review. This is both an ethical choice and a legal one: EU AI Act Article 14 explicitly prohibits delegating compliance decisions to automated systems.
Every response includes a humanReviewRequired: boolean field. TypeScript users: this field is non-optional in the type definitions by design — you must handle it.
When to use which package
| What you want | Use this |
|---|---|
| Ask Claude / Cursor governance questions while coding | @governmyai/mcp-server |
| Embed compliance checks in your Node/TS app | @governmyai/sdk (this package) |
| Wrap Anthropic's tool-use loop | @governmyai/sdk-anthropic |
| Instrument LangChain agents | @governmyai/sdk-langchain |
| Pure HTTP from any language | /api/rules/* REST API |
Three integration patterns
1. Design-time scan
One-shot analysis while building. Returns the full list of obligations.
const response = await govern.getObligations({
riskTier: 'high',
role: 'provider',
annexIiiCategory: ['employment'],
industry: 'hr',
sourceSystem: 'sdk_scan', // optional — tags the event log
});
for (const ob of response.obligations) {
console.log(`${ob.id} — ${ob.title}`);
if (ob.humanReview.cannotBeAutoSatisfied) {
console.log(' mandatory human review');
}
}2. CI/CD gate
Fail a build when mandatory-review obligations aren't acknowledged by a named reviewer.
const { HumanReviewRequired } = require('@governmyai/sdk');
try {
await govern.gate(
{
riskTier: 'high',
role: 'provider',
lifecyclePhase: 'deployment',
systemId: 'hiring-ai-v2',
},
{
strict: true,
acknowledged: process.env.GOVERNMY_ACKNOWLEDGED_OBLIGATIONS?.split(',') || [],
}
);
} catch (err) {
if (err instanceof HumanReviewRequired) {
console.error('Build blocked by unresolved regulatory obligations:');
for (const ob of err.obligations) {
console.error(` - ${ob.id}`);
}
process.exit(1);
}
throw err;
}cannotBeAutoSatisfied obligations (Art. 14 etc.) cannot be acknowledged away — they always throw. This is a structural guardrail.
3. Runtime
Wrap consequential AI actions. Default mode is warn (returns decision info). Mode block throws on any required-review obligation.
const { HumanReviewRequired } = require('@governmyai/sdk');
async function evaluateCandidate(candidate) {
try {
const decision = await govern.beforeAction(
{
riskTier: 'high',
role: 'provider',
annexIiiCategory: ['employment'],
useCases: ['resume_screening'],
systemId: 'hiring-ai-v2',
},
{ mode: 'warn' }
);
if (decision.humanReviewRequired) {
// Route to review queue, don't auto-evaluate
return enqueueForHumanReview(candidate, decision.obligations);
}
const llmResult = await callLLM(candidate);
// Log the event for evidence and framework coverage
await govern.logEvents({
context: {
riskTier: 'high',
role: 'provider',
systemId: 'hiring-ai-v2',
useCases: ['resume_screening'],
},
});
return llmResult;
} catch (err) {
if (err instanceof HumanReviewRequired) {
// Only thrown for cannotBeAutoSatisfied obligations in 'warn' mode.
// These cannot be bypassed.
return enqueueForHumanReview(candidate, err.obligations);
}
throw err;
}
}Runtime modes
| Mode | Throws on cannotBeAutoSatisfied? | Throws on humanReview.required? | Returns obligations? |
|---|---|---|---|
| warn (default) | ✅ always | no | yes |
| block | ✅ always | ✅ yes | only on pass |
| log-only | ✅ always | no | yes |
The cannotBeAutoSatisfied throw cannot be configured off. EU AI Act Article 14 (human oversight), ISO 42001 A.8.1, and similar anchor obligations always block — this is structural.
API surface
class GovernMy {
constructor(options: {
apiKey: string;
baseUrl?: string;
timeoutMs?: number;
allowInsecure?: boolean; // plaintext http:// to localhost only
retry?: boolean; // default true; 5xx / 429 / network errors
maxRetries?: number; // default 3
});
// Rules lookup
getObligations(context: QueryContext): Promise<EngineResponse>;
classifyRiskTier(systemData): Promise<RiskTierClassification>;
listFrameworks(): Promise<FrameworksResponse>;
getVersion(): Promise<VersionResponse>;
getRule(id: string): Promise<Obligation>;
getEvidenceRequirements(ids: string | string[]): Promise<EvidenceRequirementsResult[]>;
getCrossReferences(framework: Framework, id: string): Promise<CrossReferencesResponse>;
// Integration helpers
gate(context, options?): Promise<EngineResponse>;
beforeAction(context, options?): Promise<BeforeActionDecision>;
logEvents(events): Promise<EventsResponse>;
}See the full TypeScript definitions in src/index.d.ts.
Agent framework adapters
Core SDK covers the pattern for any framework. Dedicated adapter packages for major frameworks (LangChain, Anthropic tool-use, OpenAI Assistants, Microsoft AutoGen) are planned follow-ups. File an issue if you need one sooner.
Support
- Docs: https://docs.governmy.ai
- API reference: https://docs.governmy.ai/api
- Issues: https://github.com/offsetMy-ai/governmy-sdk/issues
- Email: [email protected]
License
MIT