Governance Overview
MeshFlow's governance kernel is the StepRuntime — every agent step passes through 15 sequential checks before execution completes.
The 15-Step Governance Kernel
- Identity verification — agent token validation (zero-trust)
- Tenant scoping — isolate data by tenant
- Rate limiting — per-agent and per-team token-bucket
- Budget check — cost quota enforcement before execution
- Policy evaluation — policy-as-code rules (DENY wins)
- Compliance profile — framework-specific rules (HIPAA/SOX/GDPR/PCI/NERC)
- Input guardrails — PII block, injection detection, keyword filter
- Sensitive data scan — 23 PHI/PII + credential patterns
- Risk classification — AutoRiskClassifier (4 tiers, EMA failure rate)
- Taint propagation — information flow control (DASC)
- Tool permission check — GovernedToolRegistry audit
- Execution — actual LLM call
- Output guardrails — length, toxicity, JSON schema, regex
- Audit ledger — SHA-256 hash chain append
- SLA record — latency sample recorded for p50/p95/p99
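
A minimal sketch of the SHA-256 hash chain idea behind the audit ledger step, added here as an illustration; it is not MeshFlow's code or API. `HashChainLedger`, `entry_digest`, the genesis value and the sample records are all assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first entry (assumption)


def entry_digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class HashChainLedger:
    """Hypothetical append-only log: each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev_hash, "record": record,
                 "hash": entry_digest(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or None if intact."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev_hash:
                return i
            if entry["hash"] != entry_digest(prev_hash, entry["record"]):
                return i
            prev_hash = entry["hash"]
        return None


def demo():
    ledger = HashChainLedger()
    # Constructed sample audit records.
    for step, decision in enumerate(["ALLOW", "DENY", "ALLOW"], start=1):
        ledger.append({"agent": "clinical-assistant", "step": step,
                       "decision": decision})
    intact = ledger.verify()
    # An after-the-fact edit of a stored record no longer matches its hash.
    ledger.entries[1]["record"]["decision"] = "ALLOW"
    return intact, ledger.verify()
```

A chain on its own does not reveal truncation of the tail or a wholesale recomputation of every hash; the latest hash has to be pinned somewhere the ledger writer cannot alter.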
Applying a Compliance Profile
```python
from meshflow import Agent, compliance_profile

agent = Agent(
    name="clinical-assistant",
    role="You answer clinical questions.",
    policy=compliance_profile("hipaa"),
)
```
Built-in profiles:
| Profile | Key rules |
|---|---|
| `hipaa` | PHI masking, minimum necessary access, audit trail required |
| `sox` | Financial data immutability, dual control, audit export |
| `gdpr` | PII detection, data minimization, right-to-erasure hooks |
| `pci` | PAN masking, no card data in logs, encrypted vault required |
| `nerc` | Critical infrastructure isolation, strict rate limits |
Compliance Snapshots
Export a full compliance artifact bundle (GDPR Art.30, HIPAA §164.312) at any time:
The bundle includes: audit trail, policy definitions, tenant list, SLA stats, and a signed manifest — all in one ZIP.