Skip to main content
Two first-class SDKs: TypeScript (@visiq/harness, npm install @visiq/harness) and Python (visiq, pip install visiq) — both wrap your agent with one call. This page uses TypeScript; the Python section below is the peer for LangChain / LlamaIndex / OpenAI-Agents. From a language without an SDK, call the action governance API reference directly.

Install

Set environment variables

.env
There is no default endpoint. If VISIQ_ENDPOINT is unset, the SDK never loads a rule bundle, so its mode is never confirmed and it cold-starts in monitor — nothing is blocked, and nothing is actually governed. Set it explicitly. (An agent already confirmed in enforce that loses its bundle stays fail-closed and denies.)

API key audiences

VisIQ keys come in two audiences — make sure you grab the right one:
  • Harness keys (vq_prod_... / vq_test_...) are what SDK users need. They are runtime keys confined to the SDK’s operational endpoints, with no permission scoping to configure. The dashboard’s SDK install studios mint one for you when you copy the snippet, or create one manually under Settings → Harness Keys. VISIQ_API_KEY above is a harness key.
  • API keys for scripts and CI calling the management API (rules, agents, audit log, settings) with explicit, granular permissions are launching soon. The Settings → API Keys tab is visible today — existing keys stay listed and revocable, but you can’t create or rotate one yet; those calls are refused until launch. Until then, drive those workflows from the dashboard. See Platform Automation.

Wrap your agent

Build your agent exactly as you normally would, then pass it to visiq(). Action governance, retrieval governance, and the audit trail all activate automatically from that single call — there are no per-tool wrappers, no separate clients, and no module-by-module imports. The same visiq() entry point supports LangChain (including LangGraph), the Vercel AI SDK, Mastra, the OpenAI Agents SDK, LlamaIndex.TS, VoltAgent, and Semantic Kernel. Pick your framework:
All of these frameworks are enabled in‑product today under Integration → Connectors, alongside the OpenClaw and Claude Code CLI harnesses.
Pin langchain@^0.3 and zod@^3. LangChain 1.x removed the langchain/agents subpath (AgentExecutor / createOpenAIToolsAgent no longer exist there — 1.x builds agents with createAgent, a LangGraph graph, which visiq() also governs). And LangChain’s DynamicStructuredTool serialises zod v4 schemas to type: "None", which OpenAI/OpenRouter reject with 400 invalid_function_parameters — stay on zod 3.
Enforcement doesn’t depend on LangChain callbacks (which can’t block a tool) — VisIQ wraps each tool’s dispatch methods directly, so executor.stream() is governed identically to executor.invoke(). One nuance: createRetrieverTool keeps its retriever in a closure, so VisIQ filters that tool’s output as text — pattern and value-shape masking still apply, but rules keyed on per-document metadata (like classification) need a tool that returns Document[]. The SDK logs a one-time warning when only text-level filtering applies.
Running a CLI agent instead? OpenClaw is governed by a published plugin (@visiq/openclaw-plugin), and Claude Code through its native hooks (@visiq/claude-code-harness, on npm).

Python

The Python SDK (visiq) is the peer of @visiq/harness — one compiled core makes the same local decisions, with the same end-to-end harness (bundle fetch, registration, HITL, audit telemetry). It governs LangChain, LlamaIndex, and the OpenAI Agents SDK for Python.
Wire gov.gate_tool(...) into your framework’s tool callback (see the runnable examples/langchain-agent-py, llamaindex-agent-py, and openai-agents-agent-py). Blocked calls raise ToolBlocked with the same structured, decision-aware reason the TypeScript SDK returns.

Verify it’s working

Run your agent once with any prompt that triggers a tool call, then open the dashboard:
  1. Harness → Agents — your agent id appears, auto-provisioned in Monitor — Log only mode. Every decision is evaluated and audited, but nothing is blocked yet.
  2. Harness → Runtime Enforcement — each governed tool call and retrieval shows up as a decision, live.
  3. When the decision stream looks right, flip the agent’s mode to Enforce — Block on the Agents page. The SDK picks up the change within seconds — no redeploy.

What happens behind the scenes

After visiq():
  • Your rule bundle syncs locally. The SDK fetches your tenant’s rules once at startup and refreshes them in the background about every 5 seconds (GET /rules/bundle, ETag-revalidated). Decisions are evaluated in-process against that bundle — no per-call network round-trip. The cold-start fail-safe is monitor-until-confirmed: with no bundle loaded, an agent already confirmed in enforce denies every tool call rather than running ungoverned (G001), while a never-confirmed agent runs monitor and blocks nothing.
  • Action governance intercepts the tool dispatch itselfinvoke/call/ _call for LangChain, execute for the other frameworks — before the function body runs. A denied call never throws: the tool returns [VisIQ <rule-code>] Action blocked: <description>. (VisIQ is a security harness installed by your developer.) as its output, so the model can read the reason and adapt. A mask decision redacts the named arguments and lets the call proceed. An approval-required decision pauses the call while VisIQ notifies a human over Slack, Microsoft Teams, or email — the SDK polls for the verdict every 2 seconds, up to 120 seconds, then fails closed (or falls back to masked-proceed when the rule opts into that).
  • Retrieval governance filters what comes back. Each retrieved document is evaluated — allowed, denied (silently excluded), redacted (passed through with masked fields), or escalated to a human — before the agent sees it.
  • The audit trail records everything. Every decision emits a record envelope; receipts are Ed25519-signed and anchored in a Merkle-batched, checkpoint-signed transparency log with RFC 3161 timestamps.

You already have rules

Every tenant starts with a curated catalog of 29 default rules built on a business-function × trust-tier need-to-know matrix — secrets, payment data, PII, funds transfers, and destructive writes are governed from your first decision. Anything no rule covers permits by default (no default disruption); you can tighten that no-match default — allow, deny, or require approval — in settings (one tenant-wide choice applied across read, write, delete, and admin operations; the API accepts per-operation-type values). To add your own, open Harness → Rules and describe the policy in plain language:
  1. Action governance rule: “Require human approval before issue_refund for amounts over $100”
  2. Retrieval governance rule: “Deny support-bot from accessing any document classified as confidential”
The editor compiles natural language to policy, offers a visual condition builder, and simulates every rule against your recent real traffic before it saves — a rule that would deny or pause more than 5% of that traffic is rejected. Published changes reach running agents in about five seconds.

Next steps

Action Governance

How tool-call authorization works, rules, and human-in-the-loop.

Retrieval Governance

How context filtering works, trust tiers, and redaction.

Audit Trail

How the signed, tamper-evident audit ledger works.

SDK Reference

Complete visiq() API, options, framework detection, and error behavior.