Two first-class SDKs: TypeScript (
@visiq/harness,
npm install @visiq/harness) and Python (visiq,
pip install visiq) — both wrap your agent with one call. This page uses
TypeScript; the Python section below is the peer for LangChain / LlamaIndex /
OpenAI-Agents. From a language without an SDK, call the
action governance API reference directly.Install
Set environment variables
.env
API key audiences
VisIQ keys come in two audiences — make sure you grab the right one:- Harness keys (
vq_prod_.../vq_test_...) are what SDK users need. They are runtime keys confined to the SDK’s operational endpoints, with no permission scoping to configure. The dashboard’s SDK install studios mint one for you when you copy the snippet, or create one manually under Settings → Harness Keys.VISIQ_API_KEYabove is a harness key. - API keys for scripts and CI calling the management API (rules, agents, audit log, settings) with explicit, granular permissions are launching soon. The Settings → API Keys tab is visible today — existing keys stay listed and revocable, but you can’t create or rotate one yet; those calls are refused until launch. Until then, drive those workflows from the dashboard. See Platform Automation.
Wrap your agent
Build your agent exactly as you normally would, then pass it tovisiq().
Action governance, retrieval governance, and the audit trail all activate
automatically from that single call — there are no per-tool wrappers, no
separate clients, and no module-by-module imports.
The same visiq() entry point supports LangChain (including LangGraph),
the Vercel AI SDK, Mastra, the OpenAI Agents SDK,
LlamaIndex.TS, VoltAgent, and Semantic Kernel. Pick your framework:
All of these frameworks are enabled in‑product today under Integration →
Connectors, alongside the OpenClaw and
Claude Code CLI harnesses.
- LangChain
- Vercel AI SDK
- Mastra
- OpenAI Agents SDK
- LlamaIndex.TS
- VoltAgent
- Semantic Kernel
Enforcement doesn’t depend on LangChain callbacks (which can’t block a tool) —
VisIQ wraps each tool’s dispatch methods directly, so
executor.stream() is
governed identically to executor.invoke(). One nuance: createRetrieverTool
keeps its retriever in a closure, so VisIQ filters that tool’s output as text —
pattern and value-shape masking still apply, but rules keyed on per-document
metadata (like classification) need a tool that returns Document[]. The SDK
logs a one-time warning when only text-level filtering applies.Running a CLI agent instead? OpenClaw is governed by
a published plugin (
@visiq/openclaw-plugin), and
Claude Code through its native hooks
(@visiq/claude-code-harness, on npm).Python
The Python SDK (visiq) is the peer of
@visiq/harness — one compiled core makes the same local decisions, with the
same end-to-end harness (bundle fetch, registration, HITL, audit telemetry). It
governs LangChain, LlamaIndex, and the OpenAI Agents SDK for Python.
gov.gate_tool(...) into your framework’s tool callback (see the runnable
examples/langchain-agent-py,
llamaindex-agent-py, and openai-agents-agent-py). Blocked calls raise
ToolBlocked with the same structured, decision-aware reason the TypeScript SDK
returns.
Verify it’s working
Run your agent once with any prompt that triggers a tool call, then open the dashboard:- Harness → Agents — your agent id appears, auto-provisioned in Monitor — Log only mode. Every decision is evaluated and audited, but nothing is blocked yet.
- Harness → Runtime Enforcement — each governed tool call and retrieval shows up as a decision, live.
- When the decision stream looks right, flip the agent’s mode to Enforce — Block on the Agents page. The SDK picks up the change within seconds — no redeploy.
What happens behind the scenes
Aftervisiq():
- Your rule bundle syncs locally. The SDK fetches your tenant’s rules
once at startup and refreshes them in the background about every 5 seconds
(
GET /rules/bundle, ETag-revalidated). Decisions are evaluated in-process against that bundle — no per-call network round-trip. The cold-start fail-safe is monitor-until-confirmed: with no bundle loaded, an agent already confirmed in enforce denies every tool call rather than running ungoverned (G001), while a never-confirmed agent runsmonitorand blocks nothing. - Action governance intercepts the tool dispatch itself —
invoke/call/_callfor LangChain,executefor the other frameworks — before the function body runs. A denied call never throws: the tool returns[VisIQ <rule-code>] Action blocked: <description>. (VisIQ is a security harness installed by your developer.)as its output, so the model can read the reason and adapt. A mask decision redacts the named arguments and lets the call proceed. An approval-required decision pauses the call while VisIQ notifies a human over Slack, Microsoft Teams, or email — the SDK polls for the verdict every 2 seconds, up to 120 seconds, then fails closed (or falls back to masked-proceed when the rule opts into that). - Retrieval governance filters what comes back. Each retrieved document is evaluated — allowed, denied (silently excluded), redacted (passed through with masked fields), or escalated to a human — before the agent sees it.
- The audit trail records everything. Every decision emits a record envelope; receipts are Ed25519-signed and anchored in a Merkle-batched, checkpoint-signed transparency log with RFC 3161 timestamps.
You already have rules
Every tenant starts with a curated catalog of 29 default rules built on a business-function × trust-tier need-to-know matrix — secrets, payment data, PII, funds transfers, and destructive writes are governed from your first decision. Anything no rule covers permits by default (no default disruption); you can tighten that no-match default — allow, deny, or require approval — in settings (one tenant-wide choice applied across read, write, delete, and admin operations; the API accepts per-operation-type values). To add your own, open Harness → Rules and describe the policy in plain language:- Action governance rule: “Require human approval before issue_refund for amounts over $100”
- Retrieval governance rule: “Deny support-bot from accessing any document classified as confidential”
Next steps
Action Governance
How tool-call authorization works, rules, and human-in-the-loop.
Retrieval Governance
How context filtering works, trust tiers, and redaction.
Audit Trail
How the signed, tamper-evident audit ledger works.
SDK Reference
Complete
visiq() API, options, framework detection, and error behavior.