visiq() call shown in the Quickstart.
How retrieval governance works
Whenvisiq() wraps your agent, it instruments every retriever it finds. The flow:
- Agent calls a retriever tool (e.g.,
search_knowledgewith query"Q3 revenue") - The retriever fetches raw results from the vector store
- Each returned document is evaluated in-process against a locally cached rule bundle
- Allow — document enters the context window unchanged
- Redact — sensitive fields and patterns are masked before the agent sees the document
- Deny — document is silently suppressed; the agent never sees it
- Escalate — the access is recorded for human review; retrieval is synchronous (it can’t pause on a human), so the rule chooses whether the document passes through or comes back masked in the meantime
ETag/304 caching), so there is no network round-trip in the retrieval hot path. On a cold start with no bundle loaded yet, the mode envelope decides: an agent confirmed in enforce that has lost its bundle stays fail-closed — nothing leaks while rules are unknown — while a never-confirmed agent runs monitor (monitor-until-confirmed), observing without suppressing. Retrieval’s no-match default stays deny (the data-protection floor) wherever enforcement is active.
How retrievers are detected
The harness checks three structural patterns on each object it walks:Retriever-backed tools
Many frameworks wrap the retriever inside a tool function. The harness recognizes a retriever-backed tool structurally (a reachable.retriever property) or by name — names containing retriev, or search/knowledge-style names that carry no mutation verb (knowledge_base_update is treated as an action tool, not a retriever). Two cases follow:
- Retriever reachable — the backing retriever is instrumented directly, so every document is evaluated with its own metadata (
classification,data_categories, …) before the tool joins the results into a string. Full per-document fidelity. - Retriever hidden in a closure — LangChain’s
createRetrieverToolcaptures the retriever in a closure and returns one joined string. The harness wraps the tool’s function and filters that string as a single blob: always-on secret detection, pattern masking, and whole-result rules still apply, but rules keyed on per-document metadata cannot fire on a metadata-less string. The SDK logs a one-time console warning for each such tool. For full per-document governance, pass the retriever tovisiq()directly or use a tool that returns aDocument[].
retrieve_and_archive) is a hybrid: one decision tagged ['retrieval', 'action'] governs both legs — the action side gates the call itself, the retrieval side filters what comes back.
Retrieval governance is not LangChain-only. On execute-based frameworks — Vercel AI SDK, Mastra, OpenAI Agents SDK, LlamaIndex, VoltAgent — the same
visiq() call filters tool results through the retrieval facet.Always-on secret detection
Even with zero authored rules, retrieved content passes a deterministic value-shape floor that masks sensitive values by shape, wherever they appear: private keys, JWTs, cloud and vendor API keys (AWS, GitHub, Slack, Stripe, Google, LLM providers), bearer tokens, connection strings with inline passwords, checksum-validated card numbers and IBANs, SSNs, tax IDs, and email addresses. Detectors with a larger false-positive surface (phone numbers, IP addresses, MAC addresses, bank routing codes) are available opt-in. Manage detectors under Settings → Organization → Security in the dashboard.Key concepts
Rules
Policies over document metadata, trust tiers, and surfaces. Author in natural language, in the visual condition builder, or as policy source directly.
Need-to-know defaults
Every tenant is seeded a curated catalog of 29 default rules combining each agent’s trust tier (
tier1 highest trust → tier3 restricted) with its business function: agents that need a data category get it, medium-trust access escalates or is masked, and agents with no need-to-know never see raw values.Content redaction
Mask SSNs, credentials, and account numbers inside permitted documents. The agent sees the structure but not the sensitive values.
Signed receipts
Decisions — action and retrieval alike — emit record envelopes with asynchronous Ed25519-signed receipts (retrieval envelopes require artifact signing to be enabled for your organization). Tamper-evident proof for compliance audits.
Agent modes
Governance mode is set per agent, is server-authoritative, and is controlled from the Harness → Agents page in the dashboard — not from SDK config:
Agents the harness sees for the first time are auto-provisioned in
monitor mode, so instrumenting an agent never disrupts it. Watch its decision telemetry, tune your rules, then flip that one agent to enforce — no config change or redeploy required.
Operations of one rule engine
Action governance and retrieval governance are not two systems — they are the same rule engine evaluating one event against the operations it carries. An event is tagged with anoperations[] set (action, retrieval, delegation — a hybrid read-then-write tool carries ['retrieval', 'action']), and a rule applies to whatever operations it targets, emitting an outcome from one shared vocabulary. The operations differ only in where the harness intercepts.
Every operation is evaluated by the same engine — they activate together from a single
visiq() call.
Next steps
Rules
The rule model: policy format, trust tiers, surfaces, and masking.
Receipts
Tamper-evident audit trail with Ed25519 signatures.
Emergency Bypass
Suspend one rule during an incident — bounded, audited, auto-expiring.
API Reference
REST API for rules, receipts, and the audit log.