Audit & governance fabric for regulated AI agents. Tamper-evident, hash-chained, regulator-ready.
📦 GitHub: goderash/goderash
Wrap any agent framework (LangGraph, OpenAI Assistants, Anthropic Messages, LangChain, AutoGen) with one SDK and get:
- Event-sourced audit ledger — append-only, SHA-256 hash-chained, tamper-evident, multi-tenant.
- Upcasting registry — evolve event schemas without rewriting history.
- Data-contract enforcement — type / range / regex / monotonic checks with blame-chain attribution.
- What-If projector — replay history under alternate velocity caps, deny lists, or permission modes; deterministic counterfactual diffs.
- Compliance packs — one-click signed evidence ZIPs for SOC 2, HIPAA, FFIEC, FINRA, SEC Rule 17a-4.
- Runtime safety stack — fraud guard, velocity limits, permission modes, conversation budgets, cancellation tokens (battle-tested in a banking-grade AI agent in production).
| Package | Version | Weekly Downloads | Description |
|---|---|---|---|
@goderash/sdk |
Core SDK + runtime guards | ||
@goderash/adapter-claude-sdk |
Anthropic Messages / Claude SDK | ||
@goderash/adapter-openai-assistants |
OpenAI Assistants API | ||
@goderash/adapter-langgraph |
LangGraph.js / LangChain.js |
| Package | Version | Monthly Downloads | Description |
|---|---|---|---|
goderash-sdk |
Core SDK + runtime guards | ||
goderash-adapter-anthropic |
Anthropic Messages + tool use | ||
goderash-adapter-openai |
OpenAI Chat / Responses / Assistants | ||
goderash-adapter-langgraph |
LangGraph / LangChain callback |
# Python
pip install goderash-sdk
# TypeScript / JavaScript
npm i @goderash/sdkgit clone https://github.com/goderash/goderash && cd goderash
# Start Postgres and run the golden-path demo (Docker required):
./examples/golden_path/quickstart.shThe demo script:
- Provisions a tenant + API key
- Emits a full AI agent turn — 7 events — to the ledger
- Verifies the SHA-256 hash chain (clean)
- Injects a tamper mid-chain → SOC 2 pack refuses (HTTP 409)
- Runs
POST /v1/verify→ returnsfirst_broken_index - Restores the hash and generates a signed SOC 2 ZIP
Sample output:
STEP 3 — Verifying the hash chain
✓ POST /v1/verify ok=True checked=7 [200]
seq prev_hash[:12] → hash[:12] event_type
──────────────────────────────────────────────────────
01 000000000000… → e0b9f84ccfdc… agent.turn.started
02 e0b9f84ccfdc… → d2c3656b0fb8… llm.call.started
03 d2c3656b0fb8… → 64ab7ecd24a5… tool.invoked
04 64ab7ecd24a5… → 6061fb7cb7d5… permission.granted
05 6061fb7cb7d5… → 45f363f31ded… tool.completed
06 45f363f31ded… → 6061cac8d781… llm.call.completed
07 6061cac8d781… → 94c51435d718… agent.turn.completed
STEP 4 — Tamper detection
⚠ Corrupting seq=4 (permission.granted) …
✗ POST /v1/packs/soc2 [409 CONFLICT] ← pack refused: chain broken at index 3
✗ POST /v1/verify ok=False first_broken_index=3 [200]
STEP 5 — SOC 2 Evidence Pack
✓ POST /v1/packs/soc2 [200]
SHA-256: 6f23dfde34a8016cf2649f37…
Controls: CC6.1_logical_access, CC7.2_monitoring, CC7.4_incidents
git clone https://github.com/goderash/goderash && cd goderash
cp .env.example .env
make setup
make dev # boots Postgres + Redis + control plane on :8000
# In another shell — seed a demo tenant + API key
docker compose -f infra/docker/docker-compose.yml exec core \
python -m goderash_core.scripts.seed
# → prints a gdr_... API key once. Save it.
# Optional: bring up the dashboard
cd packages/dashboard && pnpm install
GODERASH_API_KEY=gdr_... GODERASH_TENANT=demo pnpm dev
# → http://localhost:3000from goderash_sdk import GoderashClient, wrap_tool
goderash = GoderashClient(api_key="gdr_...", tenant="demo", agent_id="ops-v1")
@wrap_tool(goderash, category="action", confirmation="biometric")
def transfer_money(src: str, dst: str, amount: float) -> dict:
return {"status": "queued"}
with goderash.turn() as ctx:
transfer_money("checking", "savings", 100.0, _goderash_context=ctx)from goderash_sdk import GoderashClient
from goderash_adapter_langgraph import GoderashCallback
goderash = GoderashClient(...)
graph.invoke(input, config={"callbacks": [GoderashCallback(goderash)]})from goderash_adapter_openai import audit_assistants_run, wrap_openai
wrap_openai(openai_client, goderash=goderash, context=ctx)
run = openai_client.beta.threads.runs.create_and_poll(...)
audit_assistants_run(openai_client, goderash, ctx, run, thread_id=thread.id)from goderash_adapter_anthropic import wrap_anthropic
wrap_anthropic(anthropic_client, goderash=goderash, context=ctx)import { GoderashClient, wrapTool } from '@goderash/sdk'
const goderash = new GoderashClient({ apiKey: '...', tenant: 'demo' })
const ctx = goderash.newContext()
const transfer = wrapTool(goderash, { category: 'action', context: ctx },
async (src, dst, amount) => ({ status: 'queued' }),
)
await transfer('checking', 'savings', 100)
await goderash.flush()from goderash_sdk.guards import (
GuardChain, FraudGuard, PermissionMode, PermissionModeGate,
VelocityLimiter, VelocityRule, ConversationBudget,
)
guards = GuardChain(
FraudGuard(),
PermissionModeGate(mode=PermissionMode.DEFAULT, confirm=ask_user),
VelocityLimiter(rules_by_tool={
"transfer_money": [
VelocityRule(window_seconds=3600, max_count=5, label="5/hour"),
VelocityRule(window_seconds=86400, max_amount=10_000, label="10k/day"),
],
}),
ConversationBudget(max_tool_calls=20, max_tokens=200_000),
)
decision = guards.evaluate(goderash, ctx, tool_name="transfer_money", amount=500)
if decision.allow:
transfer_money(...)┌──────────────────────────────────────────────────────────────────┐
│ Customer agent (LangGraph, OpenAI Assistants, Anthropic, …) │
└──────────────────────────────────────┬───────────────────────────┘
│ Goderash SDK + adapter
▼
┌──────────────────────────────────────────────────────────────────┐
│ Goderash core (FastAPI control plane, multi-tenant) │
│ │
│ /v1/events /v1/verify /v1/packs/{reg} /v1/whatif /v1/admin │
│ │
│ Postgres append-only ledger + SHA-256 chain + upcasters │
│ + 5 compliance pack generators + What-If projector │
└──────────────────────────────────────────────────────────────────┘
▲
│ server-rendered
┌──────────────────────────────────────┴───────────────────────────┐
│ @goderash/dashboard (Next.js 14) │
│ /events /verify /packs /whatif /settings │
└──────────────────────────────────────────────────────────────────┘
See docs/architecture.md for the full picture.
goderash/
├── python/
│ ├── core/ # FastAPI control plane
│ ├── goderash_sdk/ # goderash-sdk
│ ├── goderash_adapter_langgraph/ # LangChain callback handler
│ ├── goderash_adapter_openai/ # OpenAI client + Assistants
│ └── goderash_adapter_anthropic/ # Anthropic Messages
├── packages/
│ ├── sdk-ts/ # @goderash/sdk
│ ├── adapter-langgraph/ # @goderash/adapter-langgraph
│ └── dashboard/ # @goderash/dashboard (Next.js 14)
├── examples/ # Runnable end-to-end examples
├── compliance/ # Pack templates per regulation
├── docs/ # Architecture, quickstart, guides
├── infra/ # Docker, k8s, terraform
└── scripts/ # Dev + release scripts
Generate evidence for a regulation by POSTing to its endpoint:
curl -X POST http://localhost:8000/v1/packs/soc2 \
-H "X-Goderash-Api-Key: $GODERASH_API_KEY" \
-H "X-Goderash-Tenant: $GODERASH_TENANT" \
-o goderash-soc2.zipAvailable: soc2, hipaa, ffiec, finra, sec_17a4. Each ZIP has a
manifest.json, events.json (the chain-verified events), and
controls.json (regulation-specific control evidence).
curl -X POST http://localhost:8000/v1/whatif \
-H "X-Goderash-Api-Key: $GODERASH_API_KEY" \
-H "X-Goderash-Tenant: $GODERASH_TENANT" \
-d '{"policy":{"deny_tools":["transfer_money"]}}'Returns the counterfactual decisions that would have flipped under that policy — exactly what regulators ask when they say "what would have happened if you had blocked X?".
Apache 2.0. See LICENSE and NOTICE.
The compliance pack generators emit evidence intended to assist customer audit programs. They are not legal advice and do not by themselves attest to compliance. Customers remain responsible for obtaining independent attestations from qualified auditors.