Runtime Governance SDKIn-process orchestration

Runtime Governance Guide

Reference guide for governed runtime calls, governance gates, compliance lifecycle, and runtime-platform interoperability.

When to choose which surface
Pick one surface per integration path and avoid mixing semantics in the same snippet.

Platform API Client: use when you need `/api/v1/*` wrappers for existing platform resources (events, policies, risk, proofs, replay, exports).

Runtime Governance SDK: use when your service executes governed model/tool calls in-process and needs runtime policy gates, evaluation hooks, and compliance orchestration.

withGovernanceGate
Pre-invocation gate for policy + PII checks.
gate.tsTypeScript
import { withGovernanceGate } from "@arelis-ai/arelis-governance-sdk";

const gate = await withGovernanceGate(
  runtimeClient,
  {
    prompt: "Summarize this support ticket.",
    model: "gemini-2.5-flash",
    actor: { type: "agent", id: "support-bot" },
    context: { environment: "production", purpose: "customer-support" },
  },
  async () => model.generate(prompt),
  { denyMode: "return" },
);

if (!gate.invoked) {
  throw new Error(gate.decision.reasons.join(", "));
}
scanPromptForPii
Inline prompt scanning before model invocation.
pii.tsTypeScript
import { scanPromptForPii } from "@arelis-ai/arelis-governance-sdk";

const scan = scanPromptForPii("Customer SSN: 123-45-6789", {
  redactorConfig: { redactEmail: true, redactPhone: true, redactCreditCard: true },
});

if (scan.hasPii) {
  console.log(scan.findings);
}
Governed model generation
Register providers, enforce policy runtime context, and run `models.generate`.
runtime-generate.tsTypeScript
import {
  createArelisClient,
  createModelRegistry,
  createAllowAllEngine,
  createConsoleSink,
  BaseModelProvider,
} from "@arelis-ai/arelis-governance-sdk";

const registry = createModelRegistry();
registry.register(new MyProvider(process.env.PROVIDER_API_KEY));

const runtimeClient = createArelisClient({
  modelRegistry: registry,
  policyEngine: createAllowAllEngine(),
  auditSink: createConsoleSink({ pretty: true }),
});

const result = await runtimeClient.models.generate({
  model: "gemini-2.5-flash",
  request: {
    model: "gemini-2.5-flash",
    messages: [{ role: "user", content: "Explain SOC 2 AI controls." }],
  },
  context: {
    org: { id: "org_123" },
    actor: { type: "agent", id: "risk-assistant" },
    purpose: "compliance-review",
    environment: "production",
  },
});

console.log(result.runId, result.output.content);
Runtime compliance operations
Request artifacts, verify proofs, and replay runs from runtime execution context.
runtime-compliance.tsTypeScript
const artifact = await runtimeClient.compliance.requestArtifact({
  runId: result.runId,
  schemaVersion: "v2",
  async: false,
});

const verification = await runtimeClient.compliance.verifyArtifact({ artifact });

const replay = await runtimeClient.compliance.replayRun({
  runId: result.runId,
});

console.log(verification.verified, replay.outcome);
Runtime to platform sync contract
Use `/api/v1/events/batch` for runtime event sync and preserve provenance metadata.
sync-events.tsTypeScript
await fetch("https://api.arelis.digital/api/v1/events/batch", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "x-api-key": process.env.ARELIS_API_KEY,
  },
  body: JSON.stringify({ events: runtimeEvents }),
});

// Expected provenance fields after mapping:
// metadata.sdkEventId
// metadata.sdkSchemaVersion
// metadata.sdkEventType
Policy evaluation routing
Local runtime gate vs managed platform evaluation.

Use local runtime evaluation when invocation latency is critical and policy bundles are already distributed to the service.

Use platform endpoint evaluation when you need centrally managed policy versioning, cross-service consistency, and managed policy audit history.

Replay and proof correlation
Correlate runtime `runId` with platform records for investigation workflows.

Persist runtime `runId` as the primary join key across runtime outputs, synced events, proof artifacts, and replay jobs.

Store proof artifact IDs and replay IDs in run metadata so support and compliance teams can traverse both runtime and platform timelines deterministically.