sage-governance
v1.0.4
Published
SAGE - Open-source governance runtime harness for agentic coding systems. Intercepts, evaluates, and audits developer prompts before code is written, and performs code security scans/fixes after AI code generation.
SAGE — Supervisory Agentic Governance Engine
Open-source governance runtime harness for agentic coding systems. Intercepts, evaluates, and audits developer prompts before code is written, and performs code security scans/fixes after AI code generation.
Based on the shift in developer responsibilities and the capabilities outlined in the sage-governance npm documentation, here is a structured problem statement that captures the core issue SAGE is designed to resolve.
Getting Started (How to Use SAGE)
Using SAGE is simple and works globally on any machine with Node.js installed.
1. Install SAGE Globally
Run this command in your terminal:
npm install -g sage-governance
This installs the sage command so you can use SAGE from anywhere.
2. Verify Installation
sage --check
You should see:
- Version information
- Loaded policy files
- System status
3. Connect SAGE to Your Coding Agent
SAGE works seamlessly via MCP with tools like:
- Cursor
- Claude Code
- VSCode Copilot
- Cline
- Continue
- OpenCode
- Trae
- Kimi Code
- Windsurf
Once connected via MCP, SAGE will automatically intercept prompts and file writes.
4. Developer Workflow
[ You type a prompt ]
│
▼
[ SAGE intercepts request ]
│
▼
[ Risk is evaluated ]
│
▼
[ Human decision made ]
│
▼
[ Code allowed or blocked ]
│
▼
[ Immutable audit log created ]
- No extra steps during development.
- Works silently in the background.
- Forces safe, conscious decisions at execution boundaries.
Problem Statement
The Shift in Developer Roles — and the Governance Blind Spot
Software engineering is rapidly evolving. Developers are no longer just writing code line by line — they are orchestrating AI-powered coding agents (e.g., Cursor, Claude Code, Cline).
Because these agents generate large blocks of code automatically, they also make hidden choices regarding:
- Ethics
- Compliance
- Data usage
- Security
These decisions often go unnoticed until it is too late.
Core Challenges
1. Post-Hoc Audit Failure
- Most governance tools act after the code is written (CI/CD pipelines or production monitoring).
- By then, architectural risks are already deeply embedded into the system.
2. Invisible Compliance & Ethical Violations
AI agents can silently introduce compliance issues such as:
- Sneaking in protected attributes (race, sex, age) where legally prohibited.
- Biased model logic or training routines.
- Non-compliant algorithms.
⚠️ These systemic architectural issues do not trigger traditional code linters.
3. The Illusion of “Fair” AI
AI systems often appear mathematically correct but hide zero-sum tradeoffs. You cannot satisfy all fairness metrics simultaneously when base rates differ across groups:
- Demographic Parity
- Equalized Odds
- Predictive Parity
Developers are rarely informed about these trade-offs by regular code-generation assistants.
4. Compliance Misalignment
AI agents do not inherently understand complex frameworks like the EU AI Act (Annex III), UNESCO AI Ethics guidelines, or core human rights principles. This creates massive legal liabilities, data-handling risks, and ethical violations down the line.
What SAGE Solves
SAGE shifts AI governance from reactive ──> proactive.
High-Level Interception Architecture
[ Developer Prompt ]
│
▼
[ Coding Agent ]
│
▼
[ SAGE Interception Layer ]
│
├─► 1. Intent Analysis
├─► 2. Risk Classification
└─► 3. Regulation Mapping
│
▼
[ Human Decision Required ] ──► ( ✅ Approve / ✏️ Modify / ❌ Reject )
│
▼
[ Secure Code Execution ]
│
▼
[ Immutable Audit Log ]
Key Differentiator — “Before the Pen Hits the File”
Most static analysis tools scan after code exists. SAGE intervenes before any file is written.
              [ Request to Write Code ]
                          │
                          ▼
                  [ Security Scan ]
                          │
           ┌──────────────┴──────────────┐
           ▼                             ▼
[ No Critical Issues ]      [ Critical Issues Found ]
           │                             │
           ▼                             ▼
      ( ✅ Write )                  ( ❌ Block )
                                         │
                                         ▼
                               [ Developer Action ]
                                 ├─ Accept Risk
                                 ├─ Apply Fix
                                 └─ Reject Action
                                         │
                                         ▼
                            [ Audit Log Entry Created ]
                                         │
                                         ▼
                             [ Final Outcome Applied ]
The Three Core Agents
| Agent Name | Primary Role | Core Functionality |
| --- | --- | --- |
| 1. SAGE Agent | Governance Brain | Detects intent/risk, flags protected attributes, maps requirements to regulations (e.g., UN Human Rights Charter, EU AI Act, UNESCO AI Ethics Guidelines, IEEE P7000s, etc.), and details fairness tradeoffs clearly. |
| 2. Coding Agent | Execution Engine | Writes and modifies code. This third-party agent only acts on approved decisions passed down by the harness. |
| 3. Security Agent | Risk Scanner | Fully deterministic (no AI hallucinations). Catches hardcoded secrets, PII exposure, bias loops, and weak data handling. |
Security Severity Matrix
- P0 ── Critical: Structural policy hazard. Must stop execution immediately.
- P1 ── High Risk: Severe exposure or compliance violation risk.
- P2 ── Medium: Non-standard data handling patterns.
- P3 ── Low: Informational warnings.
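A sketch of a deterministic pre-write gate using the P0 to P3 levels above, added here as an illustration and not taken from SAGE's code. The rule set, the severity assigned to each rule, and the action and outcome names are assumptions; SAGE's own policy files may differ.

```javascript
// Hypothetical rules and severities chosen for this example.
const RULES = [
  { id: "private-key-block", severity: "P0", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
  { id: "aws-access-key-id", severity: "P0", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: "protected-attribute", severity: "P1", re: /\b(?:race|sex|age)\b/i },
  { id: "email-literal", severity: "P2", re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/ },
  { id: "security-todo", severity: "P3", re: /\bTODO\b.*\b(?:auth|secur)/i },
];

// Deterministic scan: the same input always yields the same findings,
// ordered by severity (P0 first) and then by line number.
function scan(content) {
  const findings = [];
  content.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ rule: rule.id, severity: rule.severity, line: i + 1 });
    }
  });
  return findings.sort((a, b) => a.severity.localeCompare(b.severity) || a.line - b.line);
}

// Gate applied to proposed content before anything is written to disk.
// Only P0 findings block; lower severities are reported alongside the write.
function gate(content, developerAction = null) {
  const findings = scan(content);
  const critical = findings.some((f) => f.severity === "P0");
  let outcome;
  if (!critical) outcome = "write";
  else if (developerAction === "accept-risk") outcome = "write";
  else if (developerAction === "apply-fix") outcome = "rescan-after-fix";
  else if (developerAction === "reject") outcome = "discard";
  else outcome = "blocked"; // no decision yet: nothing is written
  // Every pass through the gate yields a record for the audit log.
  const auditEntry = { outcome, developerAction, rules: findings.map((f) => f.rule) };
  return { outcome, findings, auditEntry };
}

// Constructed sample of agent-proposed file content.
const SAMPLE = [
  'const features = ["race", "sex", "age"];',
  'const key = "AKIAIOSFODNN7EXAMPLE"; // AWS documentation example key ID',
  "// TODO: add auth check",
].join("\n");
```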
Real-World Scenario: Recidivism Classifier
- User Request: "Build a risk scoring model using race, sex, and age."
- SAGE Response Flow:
  - Detects a HIGH-RISK system (criminal justice/recidivism).
  - Flags explicitly protected attributes.
  - Maps criteria to the EU AI Act (Annex III).
  - Presents fairness math conflicts (Equalized Odds vs. Predictive Parity vs. Demographic Parity).
  - Blocks execution until an explicit human engineering choice is confirmed.
  - Permanently hashes the final decision path to the audit ledger.
  - Releases execution lock to allow safe implementation.
Governance Trust Mechanics
Fairness Reality — No Perfect Answer
SAGE forces explicit trade-off acknowledgments. When groups have different historical base rates, you mathematically cannot satisfy all fairness metrics at the same time. SAGE translates this math into plain language, showing who benefits, who is impacted, and records accountability.
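The trade-off described here and under "The Illusion of 'Fair' AI" can be checked numerically. The following is an added example, not SAGE code; the confusion-matrix counts are constructed so that group A has a base rate of 0.5 and group B a base rate of 0.2, and each variant of group B satisfies exactly one of the three metrics.

```javascript
// Per-group confusion-matrix counts -> the rates each fairness metric compares.
function rates({ tp, fp, fn, tn }) {
  const n = tp + fp + fn + tn;
  return {
    baseRate: (tp + fn) / n,      // share of actual positives in the group
    selectionRate: (tp + fp) / n, // compared by demographic parity
    tpr: tp / (tp + fn),          // compared (together with fpr) by equalized odds
    fpr: fp / (fp + tn),
    ppv: tp / (tp + fp),          // compared by predictive parity
  };
}

// Which metrics hold between two groups, within an absolute tolerance.
function fairnessReport(a, b, tol = 0.01) {
  const ra = rates(a);
  const rb = rates(b);
  const close = (x, y) => Math.abs(x - y) <= tol;
  return {
    demographicParity: close(ra.selectionRate, rb.selectionRate),
    equalizedOdds: close(ra.tpr, rb.tpr) && close(ra.fpr, rb.fpr),
    predictiveParity: close(ra.ppv, rb.ppv),
  };
}

// Constructed counts, 1000 people per group.
const GROUP_A = { tp: 400, fp: 100, fn: 100, tn: 400 }; // TPR 0.8, FPR 0.2, PPV 0.8

// Three ways to score group B (200 actual positives, 800 actual negatives).
const GROUP_B_VARIANTS = {
  sameErrorRates: { tp: 160, fp: 160, fn: 40, tn: 640 }, // TPR 0.8, FPR 0.2 -> PPV 0.5
  samePrecision: { tp: 160, fp: 40, fn: 40, tn: 760 },   // PPV 0.8 -> FPR 0.05
  sameSelection: { tp: 180, fp: 320, fn: 20, tn: 480 },  // selects 50% -> PPV 0.36
};

// Report for each variant: matching one metric breaks the other two.
function tradeoffTable() {
  const table = {};
  for (const [name, groupB] of Object.entries(GROUP_B_VARIANTS)) {
    table[name] = fairnessReport(GROUP_A, groupB);
  }
  return table;
}
```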
Audit Trail
Every governance intercept event is recorded in a cryptographic log:
Decision Path ──► Hashed ──► Linked to Previous Block ──► Stored
This creates a tamper-evident verification chain. (Note: This secures the integrity of the event sequence; it does not override or prevent local file manipulation or local file deletion).
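A minimal hash chain of the kind described above, added here as an example and not SAGE's implementation. SHA-256, the genesis value, the entry field names and the off-machine `anchor` are assumptions; the anchor shows what the note implies, namely that a chain stored only locally cannot reveal a truncated tail on its own.

```javascript
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed "previous hash" for the first entry

// The hash covers the previous entry's hash, the position, and the decision record.
function entryHash(prevHash, index, decision) {
  return createHash("sha256").update(JSON.stringify([prevHash, index, decision])).digest("hex");
}

function append(log, decision) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { index: log.length, decision, prevHash };
  entry.hash = entryHash(prevHash, entry.index, decision);
  log.push(entry);
  return entry;
}

// Walk the chain from the start. `anchor` is an optional { length, head }
// copy of the chain tip kept somewhere the local user cannot rewrite.
function verify(log, anchor = null) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.index !== i || e.prevHash !== prev) return { ok: false, brokenAt: i, reason: "link" };
    if (entryHash(prev, i, e.decision) !== e.hash) return { ok: false, brokenAt: i, reason: "content" };
    prev = e.hash;
  }
  if (anchor && (anchor.length !== log.length || anchor.head !== prev)) {
    return { ok: false, brokenAt: log.length, reason: "anchor" };
  }
  return { ok: true, brokenAt: -1, reason: null };
}

// Constructed sample decisions (field names are assumptions for this example).
function sampleLog() {
  const log = [];
  append(log, { prompt: "build risk scoring model", risk: "HIGH", action: "modify" });
  append(log, { prompt: "add input validation", risk: "LOW", action: "approve" });
  append(log, { prompt: "store API key in config", risk: "HIGH", action: "reject" });
  return log;
}
```

Editing an entry in place fails with `content`, and editing it and recomputing its hash fails at the next entry with `link`. Dropping the last entries still verifies unless the `anchor` is supplied.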
Team & Attribution
- Olu Akinnawo & Prajwal Srinivas — Architecture, Orchestration, Governance Infrastructure, & SAGE MCP Tooling
- Roshan Sharma — DuckDuckGo/GitHub MCP Integration & Coding Agent Addition Instructions
- George Mihaileanu — Ethics & Policy Uploads
- Jeremy — Data Science Advisory & SAGE Routing Strategy
References
- Machine Learning Fairness: "Mitigation through Optimization." ACM FAccT.
- Beunec Technologies Inc — Agentic Annotation Protocol
- Anthropic — Model Context Protocol
License
This project is licensed under the MIT License - see the LICENSE file for details.
