Integrate CSC-lite into any agent in minutes.
Get governance running in under 60 seconds.
# Clone and install
git clone https://github.com/dgp-standard/csc-kernel.git
cd csc-kernel
npm installAuthenticate with your API key and call POST /api/v1/evaluate.
curl -X POST \
https://csclite.dev/api/v1/evaluate \
-H "Authorization: Bearer csc_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"intent": "Delete all user data"}'{
"decision": {
"id": "a3f2c8d1-...",
"verdict": "DENY",
"riskScore": 25,
"requiresFounder": false,
"allowActions": [],
"denyActions": ["DATA_WRITE", "DATA_DELETE"],
"pipelineTrace": [
{ "stage": "MCM", "summary": "...", "durationMs": 2 },
{ "stage": "RFE", "summary": "...", "durationMs": 1 },
// ... SPS, SEG, FOP
]
},
"policyHash": "sha256-...",
"meta": { "latencyMs": 12, "tier": "pro", "usage": 42, "limit": 50000 }
}| Field | Type | Description |
|---|---|---|
| intent* | string | Required. Natural language description of the agent action. |
| risk | "LOW" | "MEDIUM" | "HIGH" | Optional risk tier hint. |
| actions | string[] | Optional action types the agent wants to perform. |
| command | { program, args? } | Optional command execution context. |
APPROVEAction is safe. Proceed.
DENYAction blocked by policy.
DELAYNeeds more information or cooling period.
ESCALATE_FOUNDERRequires human (founder) approval.
Create scoped API keys with fine-grained permissions. Manage keys in the Guardian dashboard under API Keys.
# Master key — full access (created on signup)
csc_live_a1b2c3d4...
# Scoped key — limited permissions (created in dashboard)
csc_key_e5f6a7b8...
# Agent key — per-agent identity
csc_agent_x9y0z1w2...| Scope | Grants Access To |
|---|---|
| evaluate | POST /api/v1/evaluate |
| evaluate:batch | POST /api/v1/evaluate/batch |
| rules:read | GET /api/v1/rules |
| decisions:read | GET /api/v1/decisions |
| decisions:stream | GET /api/v1/decisions/stream (SSE) |
# Scoped keys work exactly like master keys
curl -X POST \
https://csclite.dev/api/v1/evaluate \
-H "Authorization: Bearer csc_key_YOUR_SCOPED_KEY" \
-H "Content-Type: application/json" \
-d '{"intent": "Read user profile"}'
# Empty scopes = full access
# Keys can be revoked instantly from the dashboardGet notified when founders approve or deny escalated decisions. Signed with HMAC-SHA256 and retried automatically.
# POST to your webhook URL on approve/deny
{
"event": "decision.approved",
"decisionId": "a3f2c8d1-...",
"actor": "agent-1",
"action": "Deploy to production",
"verdict": "APPROVE",
"riskScore": 72,
"timestamp": "2026-02-22T12:00:00Z"
}import { createHmac } from "node:crypto";
function verifyWebhook(body: string, sig: string, secret: string) {
const expected = createHmac("sha256", secret)
.update(body).digest("hex");
return sig === `sha256=${expected}`;
}
// Check the X-CSC-Signature header
const sig = req.headers["x-csc-signature"];
if (!verifyWebhook(rawBody, sig, process.env.WEBHOOK_SECRET!)) {
return new Response("Invalid signature", { status: 401 });
}Retries
3 attempts with exponential backoff (1s, 5s, 25s).
Circuit Breaker
Auto-disables after 5 consecutive failures. Recovers via half-open probe.
HMAC Signing
SHA-256 signature on every payload via X-CSC-Signature header.
Real-time decision streams, audit export, and data retention policies.
# Stream governance decisions in real time
curl -N \
https://csclite.dev/api/v1/decisions/stream \
-H "Authorization: Bearer csc_live_YOUR_KEY"
# Events arrive as SSE:
# data: {"id":"...","verdict":"DENY","riskScore":25,...}
# data: {"id":"...","verdict":"APPROVE","riskScore":92,...}# Query audit log with filters
curl "https://csclite.dev/api/v1/audit?verdict=DENY&from=2026-01-01&limit=50" \
-H "Authorization: Bearer csc_live_YOUR_KEY"
# Export as CSV or JSONL (up to 50,000 records)
curl "https://csclite.dev/api/v1/audit/export?format=csv" \
-H "Authorization: Bearer csc_live_YOUR_KEY" \
-o audit.csv| Param | Description |
|---|---|
| verdict | APPROVE | DENY | ESCALATE_FOUNDER |
| actor | Filter by agent ID or actor name |
| type | Event type: decision | system | module |
| kind | Action kind: shell_exec, fs_write, etc. |
| from / to | ISO 8601 date range (inclusive) |
| limit | Max records (default 100, max 1000) |
| offset | Pagination offset |
| format | Export only: csv or jsonl |
# Set 90-day retention for a tenant
curl -X POST \
https://csclite.dev/api/v1/retention \
-H "Authorization: Bearer csc_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"tenantId": "acme-corp", "maxAgeDays": 90}'
# Trigger manual prune
curl -X POST https://csclite.dev/api/v1/retention/prune \
-H "Authorization: Bearer csc_live_YOUR_KEY"
# Multi-tenant: scope any request with X-CSC-Tenant-Id
curl https://csclite.dev/api/v1/audit \
-H "Authorization: Bearer csc_live_YOUR_KEY" \
-H "X-CSC-Tenant-Id: acme-corp"Connect CSC-lite to Claude Desktop, Cursor, or any MCP-compatible client. Agents get governance tools natively.
npm install -g @csc-lite/mcp-server// ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"csc-lite": {
"command": "csc-lite-mcp",
"env": {
"CSC_API_KEY": "csc_live_YOUR_KEY"
}
}
}
}evaluateEvaluate an agent intent through the governance pipeline.
evaluate_batchEvaluate multiple intents in a single call.
list_rulesList all active governance rules.
list_decisionsQuery recent governance decisions.
Use the kernel directly for maximum control.
import { CSCKernel } from "csc-lite";
const kernel = new CSCKernel();
const { decision } = await kernel.evaluate(
"Read the config file"
);
console.log(decision.verdict); // "APPROVE"
console.log(decision.riskScore); // 95import { GovernanceWrapper, GovernedToolRegistry, EXEC_TOOL }
from "csc-lite/openclaw";
const registry = new GovernedToolRegistry();
registry.register(EXEC_TOOL);
const wrapper = new GovernanceWrapper(registry);
const result = await wrapper.propose({
toolName: "exec",
args: { command: "node --version" },
});
console.log(result.status); // "APPROVED"
console.log(result.decisionHash); // "a3f2..."import { FileAuditSink } from "csc-lite/audit";
const audit = new FileAuditSink("./csc-audit.jsonl");
const { valid, total } = await audit.verifyChain();
console.log(valid); // true
console.log(total); // 47npm test # 49 tests, 0 failures
npm run demo # 5-scene confrontation demoGovernance for Python agents. Supports both sync and async clients.
pip install csc-litefrom csc_lite import CSCClient
csc = CSCClient(api_key="csc_live_...")
result = csc.evaluate("Delete all user data")
print(result.decision.verdict) # "DENY"
print(result.decision.risk_score) # 85from csc_lite import CSCAsyncClient
async with CSCAsyncClient(api_key="csc_live_...") as csc:
result = await csc.evaluate("Send payment")
if result.decision.verdict == "APPROVE":
print("Safe to proceed")try:
csc.guard("DROP TABLE users")
except CSCApiError:
print("Action blocked by governance")Evaluate intents, list rules, and query decisions from your terminal.
npm install -g @csc-lite/cli# Set your API key
export CSC_API_KEY=csc_live_your_key
# Evaluate a single intent
csc-lite evaluate "Delete all user data"
# Evaluate with risk hint
csc-lite evaluate "Send payment" --risk HIGH
# Batch evaluate multiple intents
csc-lite batch "Read config" "Delete database" "Send email"
# List active governance rules
csc-lite rules
# Show recent decisions
csc-lite decisions --limit 10
# Guard mode — exit non-zero if denied
csc-lite guard "Deploy to production" || echo "BLOCKED"
# JSON output for scripting
csc-lite evaluate "Read user profile" --json# In your deployment script or GitHub Action
csc-lite guard "Deploy $SERVICE to production" --risk HIGH
if [ $? -eq 0 ]; then
echo "Governance approved — deploying..."
kubectl apply -f deploy.yaml
else
echo "Deployment blocked by governance policy"
exit 1
fiAdd governance to popular AI agent frameworks in minutes.
from csc_lite import CSCClient
csc = CSCClient(api_key=os.environ["CSC_API_KEY"])
def governed_tool_call(tool_name: str, tool_input: str):
result = csc.evaluate(
f"{tool_name}: {tool_input}",
actions=[tool_name],
)
if result.decision.verdict == "APPROVE":
return "approved" # proceed with tool
return "denied" # block the tool callclass GovernedAgent:
def __init__(self, name, role):
self.name = name
self.role = role
def execute(self, task):
result = csc.evaluate(
f"[{self.role}] {task}",
actions=[self.role.lower().replace(" ", "_")],
)
return { # use verdict to gate execution
"verdict": result.decision.verdict,
"risk": result.decision.risk_score,
}
# Usage with CrewAI callback
agent = GovernedAgent("analyst", "Research Analyst")
result = agent.execute("Analyze user behavior data")import { CSCClient } from "@csc-lite/sdk";
const csc = new CSCClient({ apiKey: process.env.CSC_API_KEY! });
async function executeFunction(name: string, args: object) {
const result = await csc.evaluate({
intent: `{name}: {JSON.stringify(args)}`,
actions: [name],
});
if (result.decision.verdict !== "APPROVE") {
throw new Error(`Blocked: {result.decision.verdict}`);
}
// safe to call the actual function
}Full examples on GitHub
LangChain, CrewAI, OpenAI, and more in the packages/examples/ directory.
MCMMission Control ModuleInitial classification and intent parsing
RFERisk Factor EngineMulti-dimensional risk scoring (0-100)
SPSSafety Policy ShieldSovereign policy enforcement and action filtering
SEGSemantic GovernanceNLP-level intent analysis and anomaly detection
FOPFounder Override ProtocolEscalation path for high-risk decisions
Zero runtime dependencies. TypeScript. MIT License.