agent-governance-check 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Evoke Passion
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,116 @@
+# agent-governance-check
+
+**Your agent can't say no. This tool shows you why that matters.**
+
+Scan any repo for governance gaps in thirty seconds. Five questions. No signup. No tracking. No data leaves your machine.
+
+```bash
+npx agent-governance-check
+```
+
+## What It Checks
+
+| # | Question | Governance Layer |
+|---|----------|-----------------|
+| 1 | What did your agent decide yesterday - and why? | Decision memory |
+| 2 | Can your agent refuse? | Refusal capability |
+| 3 | Who is your agent between invocations? | Persistent identity |
+| 4 | What happens when two agents disagree? | Disagreement protocol |
+| 5 | Would you know if your agent drifted? | Drift detection |
+
+The scanner looks for governance artifacts in your project - charters, restraint specs, memory schemas, deliberation frameworks, drift monitoring. It also detects which agent framework you're using (CrewAI, AutoGen, LangGraph, OpenAI Agents SDK, Claude Code, and others).
+
+## Usage
+
+```bash
+# Scan current directory
+npx agent-governance-check
+
+# Scan a specific project
+npx agent-governance-check ./my-agent-project
+
+# Add starter governance templates to your project
+npx agent-governance-check --init
+
+# Machine-readable output
+npx agent-governance-check --json
+```
+
+## What `--init` Does
+
+Copies five governance templates into a `governance/` directory in your project:
+
+- `agent-charter.md` - Who is this agent? What does it protect? What does it refuse?
+- `restraint-spec.md` - What must this agent refuse to do?
+- `memory-schema.md` - What does this agent remember across sessions?
+- `deliberation-framework.md` - How do agents discuss and disagree?
+- `drift-monitoring.md` - How do you detect when behavior shifts from values?
+
+These are the same templates from the [Agent Governance Starter Kit](https://github.com/lowkey-divine/agent-governance-starter-kit). Fill them in. Make them yours.
+
+## Example Output
+
+```
+  Agent framework detected: CrewAI
+    config/agents.yaml
+
+  AGENT GOVERNANCE CHECK
+  ──────────────────────────────────────────────────
+
+  1. What did your agent decide yesterday - and why?
+     Decision memory .......................... MISSING
+     No memory files, decision logs, or persistent state found.
+     → Template: memory-schema.md
+
+  2. Can your agent refuse?
+     Refusal capability ....................... MISSING
+     No refusal logic, restraint spec, or withdrawal mechanism found.
+     → Template: restraint-spec.md
+
+  3. Who is your agent between invocations?
+     Persistent identity ...................... PARTIAL
+     config/agents.yaml — agent.?charter
+     Some state files exist but no structured memory schema.
+     → Template: agent-charter.md
+
+  4. What happens when two agents disagree?
+     Disagreement protocol .................... MISSING
+     No deliberation framework, dissent records, or resolution protocol found.
+     → Template: deliberation-framework.md
+
+  5. Would you know if your agent drifted?
+     Drift detection .......................... MISSING
+     No drift monitoring, behavioral baselines, or integrity checks found.
+     → Template: drift-monitoring.md
+
+  ──────────────────────────────────────────────────
+  Score: 1/5 governance layers present
+
+  Your agents are functions. That is not an insult — functions are
+  useful. But if you want agents, the templates are where to start.
+
+  Run npx agent-governance-check --init to add starter templates.
+  Free starter kit: https://github.com/lowkey-divine/agent-governance-starter-kit
+  Full framework:   https://evoked.dev/products/agent-governance-starter-kit
+```
+
+## No Dependencies
+
+Zero npm dependencies. Pure Node.js (18+). The scan runs locally. Nothing is sent anywhere.
+
+## Go Deeper
+
+- [Five-Question Diagnostic](https://evoked.dev/diagnostic) - Interactive web version
+- [Agent Governance Starter Kit](https://github.com/lowkey-divine/agent-governance-starter-kit) - Free templates and code examples
+- [Trust Architecture Blueprint](https://evoked.dev/products/trust-architecture-blueprint) - Four-pillar trust framework
+- [Discovery Call](https://cal.com/cal.com-evoked/discovery-call) - Free 30-minute governance consultation
+
+## License
+
+MIT
+
+---
+
+*Built by [Erin Stanley](https://evoked.dev) at Evoke Passion.*
+*From a production system with 142 agents.*
+*"We evoke - we never extract."*

package/bin/cli.js

@@ -0,0 +1,107 @@
+#!/usr/bin/env node
+
+// agent-governance-check
+// Five governance questions for your AI agent system.
+// https://evoked.dev
+
+import { resolve } from 'node:path';
+import { copyFile, mkdir, access } from 'node:fs/promises';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+import { scan } from '../src/scanner.js';
+import { report, reportJson } from '../src/reporter.js';
+import { questions } from '../src/questions.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const TEMPLATES_DIR = join(__dirname, '..', 'templates');
+
+const args = process.argv.slice(2);
+const flags = new Set(args.filter(a => a.startsWith('--')));
+const positional = args.filter(a => !a.startsWith('--'));
+
+const targetDir = resolve(positional[0] || '.');
+const jsonMode = flags.has('--json');
+const initMode = flags.has('--init');
+const verbose = flags.has('--verbose');
+const help = flags.has('--help') || flags.has('-h');
+
+if (help) {
+  console.log(`
+  ${bold('agent-governance-check')}
+  Five governance questions for your AI agent system.
+
+  ${dim('Usage:')}
+    npx agent-governance-check              Scan current directory
+    npx agent-governance-check ./project    Scan specific path
+    npx agent-governance-check --init       Add starter templates to project
+    npx agent-governance-check --json       Machine-readable output
+    npx agent-governance-check --help       Show this help
+
+  ${dim('What it checks:')}
+    1. Decision memory      Can your agent explain its prior reasoning?
+    2. Refusal capability    Can your agent say no?
+    3. Persistent identity   Who is your agent between invocations?
+    4. Disagreement protocol What happens when agents disagree?
+    5. Drift detection       Would you know if your agent drifted?
+
+  ${dim('No data leaves your machine. No signup. No tracking.')}
+  ${dim('https://evoked.dev')}
+`);
+  process.exit(0);
+}
+
+// --init: copy starter templates into the project
+if (initMode) {
+  const destDir = join(targetDir, 'governance');
+
+  try {
+    await mkdir(destDir, { recursive: true });
+
+    let copied = 0;
+    for (const q of questions) {
+      const src = join(TEMPLATES_DIR, q.template);
+      const dest = join(destDir, q.template);
+
+      // Don't overwrite existing files
+      try {
+        await access(dest);
+        console.log(`  ${dim('exists')}  governance/${q.template}`);
+      } catch {
+        await copyFile(src, dest);
+        console.log(`  ${green('added')}   governance/${q.template}`);
+        copied++;
+      }
+    }
+
+    console.log('');
+    if (copied > 0) {
+      console.log(`  ${copied} template${copied === 1 ? '' : 's'} added to ${bold('governance/')}`);
+      console.log(`  ${dim('Fill them in. Make them yours.')}`);
+    } else {
+      console.log(`  ${dim('All templates already exist.')}`);
+    }
+    console.log('');
+  } catch (err) {
+    console.error(`  Error: ${err.message}`);
+    process.exit(1);
+  }
+
+  process.exit(0);
+}
+
+// Main scan
+console.log('');
+console.log(`  ${dim('Scanning')} ${targetDir === resolve('.') ? '.' : targetDir} ${dim('...')}`);
+
+const results = await scan(targetDir);
+
+if (jsonMode) {
+  console.log(reportJson(results));
+} else {
+  console.log(report(results, targetDir));
+}
+
+// ANSI helpers (duplicated here for the help text - keeps it dependency-free)
+function bold(s) { return `\x1b[1m${s}\x1b[0m`; }
+function dim(s) { return `\x1b[2m${s}\x1b[0m`; }
+function green(s) { return `\x1b[32m${s}\x1b[0m`; }

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "agent-governance-check",
+  "version": "0.1.0",
+  "description": "Five governance questions for your AI agent system. Scan your repo in thirty seconds.",
+  "type": "module",
+  "bin": {
+    "agent-governance-check": "bin/cli.js"
+  },
+  "files": [
+    "bin/",
+    "src/",
+    "templates/"
+  ],
+  "keywords": [
+    "ai",
+    "agent",
+    "governance",
+    "agentic",
+    "safety",
+    "restraint",
+    "drift",
+    "trust-architecture",
+    "ai-agent-refusal",
+    "multi-agent-systems",
+    "guardrails"
+  ],
+  "license": "MIT",
+  "author": "Erin Stanley",
+  "homepage": "https://evoked.dev/diagnostic",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/lowkey-divine/agent-governance-check.git"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}

package/src/patterns.js

@@ -0,0 +1,112 @@
+// Governance artifact patterns and agent framework detection.
+
+export const governancePatterns = {
+  'decision-memory': {
+    files: [
+      '**/memory-schema.md',
+      '**/memory.md',
+      '**/agent-memory.*',
+      '**/agents/*/memory.md',
+      '**/agents/*/MEMORY.md',
+      '**/self-record.*',
+      '**/decision-log*',
+      '**/decision-record*',
+    ],
+    contentSignals: [
+      /decision.?log/i,
+      /agent.?memory/i,
+      /self.?record/i,
+      /standing.?position/i,
+      /memory.?schema/i,
+      /persistent.?state/i,
+    ],
+  },
+
+  'refusal-capability': {
+    files: [
+      '**/restraint-spec.md',
+      '**/restraint.*',
+      '**/refusal.*',
+      '**/guardrails.*',
+      '**/safety-spec.*',
+      '**/boundaries.md',
+    ],
+    contentSignals: [
+      /engine.?withdrawal/i,
+      /withdrawal.*true/i,
+      /consent.*scope/i,
+      /must.?refuse/i,
+      /refusal.?categor/i,
+      /fail.?closed/i,
+      /agent.*refuse/i,
+    ],
+  },
+
+  'persistent-identity': {
+    files: [
+      '**/agent-charter.md',
+      '**/charter.md',
+      '**/CHARTER.md',
+      '**/constitution.md',
+      '**/manifesto.md',
+      '**/agency_manifesto.md',
+      '**/agents/*/persona.md',
+      '**/AGENTS.md',
+    ],
+    contentSignals: [
+      /agent.?charter/i,
+      /prime.?directive/i,
+      /agent.?identity/i,
+      /persona.?file/i,
+      /who.?is.?this.?agent/i,
+    ],
+  },
+
+  'disagreement-protocol': {
+    files: [
+      '**/deliberation-framework.md',
+      '**/deliberation.*',
+      '**/governance-log*',
+      '**/dissent*',
+      '**/convergent-signal*',
+    ],
+    contentSignals: [
+      /deliberation/i,
+      /dissent/i,
+      /convergent.?signal/i,
+      /disagreement.*protocol/i,
+      /agents?.?disagree/i,
+    ],
+  },
+
+  'drift-detection': {
+    files: [
+      '**/drift-monitoring.md',
+      '**/drift.*',
+      '**/behavioral-indicators.*',
+      '**/baseline*',
+      '**/integrity-verification*',
+    ],
+    contentSignals: [
+      /drift.?monitor/i,
+      /drift.?threshold/i,
+      /behavioral.?baseline/i,
+      /integrity.?verif/i,
+      /value.?drift/i,
+    ],
+  },
+};
+
+export const frameworkPatterns = [
+  { name: 'CrewAI', files: ['**/config/agents.yaml', '**/config/tasks.yaml', '**/crew.py'] },
+  { name: 'LangGraph', files: ['**/langgraph.json'] },
+  { name: 'AutoGen', files: ['**/OAI_CONFIG_LIST', '**/OAI_CONFIG_LIST.json'] },
+  { name: 'Agency Swarm', files: ['**/agency_manifesto.md', '**/agency.py'] },
+  { name: 'OpenAI Agents SDK', files: ['**/AGENTS.md'] },
+  { name: 'Claude Code', files: ['**/CLAUDE.md', '**/.claude/settings.json'] },
+  { name: 'Cursor', files: ['**/.cursorrules', '**/.cursor/rules/*.mdc'] },
+  { name: 'MCP', files: ['**/.mcp.json'] },
+  { name: 'Evoke', files: ['**/agents/*/persona.md', '**/agents/decision-logs/*'] },
+  { name: 'Swarm', files: ['**/swarm.py'] },
+  { name: 'Dify', files: ['**/dify.yaml'] },
+];

package/src/questions.js

@@ -0,0 +1,59 @@
+// The five governance questions and their detection rules.
+
+export const questions = [
+  {
+    id: 'decision-memory',
+    number: 1,
+    question: 'What did your agent decide yesterday - and why?',
+    short: 'Decision memory',
+    missingText: 'No memory files, decision logs, or persistent state found.',
+    partialText: 'Some state files exist but no structured memory schema.',
+    foundText: 'Agent memory or decision logging detected.',
+    template: 'memory-schema.md',
+    templateUrl: 'https://github.com/lowkey-divine/agent-governance-starter-kit/blob/main/templates/memory-schema.md',
+  },
+  {
+    id: 'refusal-capability',
+    number: 2,
+    question: 'Can your agent refuse?',
+    short: 'Refusal capability',
+    missingText: 'No refusal logic, restraint spec, or withdrawal mechanism found.',
+    partialText: 'Guardrails or safety checks exist but no structured refusal capability.',
+    foundText: 'Refusal or restraint mechanism detected.',
+    template: 'restraint-spec.md',
+    templateUrl: 'https://github.com/lowkey-divine/agent-governance-starter-kit/blob/main/templates/restraint-spec.md',
+  },
+  {
+    id: 'persistent-identity',
+    number: 3,
+    question: 'Who is your agent between invocations?',
+    short: 'Persistent identity',
+    missingText: 'No agent charter, persona files, or identity specification found.',
+    partialText: 'Agent definitions exist but no charter or persistent identity.',
+    foundText: 'Agent charter or persona specification detected.',
+    template: 'agent-charter.md',
+    templateUrl: 'https://github.com/lowkey-divine/agent-governance-starter-kit/blob/main/templates/agent-charter.md',
+  },
+  {
+    id: 'disagreement-protocol',
+    number: 4,
+    question: 'What happens when two agents disagree?',
+    short: 'Disagreement protocol',
+    missingText: 'No deliberation framework, dissent records, or resolution protocol found.',
+    partialText: 'Some governance logging exists but no structured deliberation.',
+    foundText: 'Deliberation or disagreement handling detected.',
+    template: 'deliberation-framework.md',
+    templateUrl: 'https://github.com/lowkey-divine/agent-governance-starter-kit/blob/main/templates/deliberation-framework.md',
+  },
+  {
+    id: 'drift-detection',
+    number: 5,
+    question: 'Would you know if your agent drifted?',
+    short: 'Drift detection',
+    missingText: 'No drift monitoring, behavioral baselines, or integrity checks found.',
+    partialText: 'Some monitoring exists but no structured drift detection.',
+    foundText: 'Drift monitoring or integrity verification detected.',
+    template: 'drift-monitoring.md',
+    templateUrl: 'https://github.com/lowkey-divine/agent-governance-starter-kit/blob/main/templates/drift-monitoring.md',
+  },
+];

package/src/reporter.js

@@ -0,0 +1,143 @@
+// Terminal output formatting for scan results.
+
+import { questions } from './questions.js';
+
+// ANSI codes - no dependencies needed
+const bold = s => `\x1b[1m${s}\x1b[0m`;
+const dim = s => `\x1b[2m${s}\x1b[0m`;
+const red = s => `\x1b[31m${s}\x1b[0m`;
+const green = s => `\x1b[32m${s}\x1b[0m`;
+const yellow = s => `\x1b[33m${s}\x1b[0m`;
+const cyan = s => `\x1b[36m${s}\x1b[0m`;
+
+const STATUS_LABEL = {
+  found: green('FOUND'),
+  partial: yellow('PARTIAL'),
+  missing: red('MISSING'),
+};
+
+function dots(label, width = 50) {
+  const dotsNeeded = Math.max(2, width - label.length);
+  return dim('.'.repeat(dotsNeeded));
+}
+
+export function report(scanResults, targetDir) {
+  const { frameworks, results } = scanResults;
+  const lines = [];
+
+  lines.push('');
+
+  // Framework detection
+  if (frameworks.length > 0) {
+    for (const fw of frameworks) {
+      lines.push(`  ${dim('Agent framework detected:')} ${bold(fw.name)}`);
+      for (const f of fw.files) {
+        lines.push(`  ${dim('  ')}${cyan(f)}`);
+      }
+    }
+    lines.push('');
+  }
+
+  // Header
+  lines.push(`  ${bold('AGENT GOVERNANCE CHECK')}`);
+  lines.push(`  ${dim('\u2500'.repeat(50))}`);
+  lines.push('');
+
+  let foundCount = 0;
+  let partialCount = 0;
+
+  for (const q of questions) {
+    const result = results[q.id];
+    const status = result.status;
+    const statusLabel = STATUS_LABEL[status];
+
+    if (status === 'found') foundCount++;
+    if (status === 'partial') partialCount++;
+
+    // Question line
+    lines.push(`  ${bold(q.number + '.')} ${q.question}`);
+    lines.push(`     ${q.short} ${dots(q.short)} ${statusLabel}`);
+
+    // Evidence or gap description
+    if (status === 'found') {
+      const fileEvidence = result.evidence.filter(e => e.type === 'file').slice(0, 3);
+      for (const e of fileEvidence) {
+        lines.push(`     ${cyan(e.file)}`);
+      }
+      lines.push(`     ${dim(q.foundText)}`);
+    } else if (status === 'partial') {
+      const contentEvidence = result.evidence.slice(0, 2);
+      for (const e of contentEvidence) {
+        lines.push(`     ${cyan(e.file)} ${dim('\u2014 ' + e.signal)}`);
+      }
+      lines.push(`     ${dim(q.partialText)}`);
+      lines.push(`     ${dim('\u2192 Template: ' + q.template)}`);
+    } else {
+      lines.push(`     ${dim(q.missingText)}`);
+      lines.push(`     ${dim('\u2192 Template: ' + q.template)}`);
+    }
+
+    lines.push('');
+  }
+
+  // Score
+  lines.push(`  ${dim('\u2500'.repeat(50))}`);
+
+  const score = foundCount + partialCount;
+  lines.push(`  ${bold('Score:')} ${score}/5 governance layers present`);
+
+  if (partialCount > 0) {
+    lines.push(`  ${dim(`(${foundCount} found, ${partialCount} partial)`)}`);
+  }
+
+  lines.push('');
+
+  // Closing message - mirrors the diagnostic page
+  if (foundCount === 5) {
+    lines.push(`  ${dim("You're ahead of the field. The starter kit will sharpen what you've built.")}`);
+  } else if (score >= 3) {
+    lines.push(`  ${dim("You've started. The gaps have free templates waiting.")}`);
+  } else {
+    lines.push(`  ${dim('Your agents are functions. That is not an insult \u2014 functions are')}`);
+    lines.push(`  ${dim('useful. But if you want agents, the templates are where to start.')}`);
+  }
+
+  lines.push('');
+
+  const missingCount = 5 - foundCount - partialCount;
+  if (missingCount > 0) {
+    lines.push(`  Run ${bold('npx agent-governance-check --init')} to add starter templates.`);
+  }
+  lines.push(`  ${dim('Free starter kit: https://github.com/lowkey-divine/agent-governance-starter-kit')}`);
+  lines.push(`  ${dim('Full framework:   https://evoked.dev/products/agent-governance-starter-kit')}`);
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+export function reportJson(scanResults) {
+  const output = {
+    version: '0.1.0',
+    frameworks: scanResults.frameworks,
+    questions: questions.map(q => ({
+      id: q.id,
+      question: q.question,
+      status: scanResults.results[q.id].status,
+      evidence: scanResults.results[q.id].evidence,
+      template: q.template,
+      templateUrl: q.templateUrl,
+    })),
+    score: {
+      found: 0,
+      partial: 0,
+      missing: 0,
+      total: 5,
+    },
+  };
+
+  for (const q of questions) {
+    output.score[scanResults.results[q.id].status]++;
+  }
+
+  return JSON.stringify(output, null, 2);
+}

package/src/scanner.js

@@ -0,0 +1,162 @@
+// Scans a directory for governance artifacts and agent framework configs.
+
+import { readdir, readFile, stat } from 'node:fs/promises';
+import { join, relative } from 'node:path';
+import { governancePatterns, frameworkPatterns } from './patterns.js';
+
+const IGNORE = new Set([
+  'node_modules', '.git', '.next', 'dist', 'build', '.vercel',
+  '.astro', '__pycache__', '.venv', 'venv', '.tox', 'vendor',
+  'target', '.cargo', 'coverage', '.nyc_output',
+]);
+
+const MAX_FILE_SIZE = 256 * 1024; // 256KB - skip large files for content scan
+
+function matchGlob(filePath, pattern) {
+  // Simple glob matching: ** matches any path, * matches any segment
+  const parts = pattern.split('/');
+  const fileParts = filePath.split('/');
+
+  let fi = 0;
+  let pi = 0;
+
+  while (pi < parts.length && fi < fileParts.length) {
+    if (parts[pi] === '**') {
+      if (pi === parts.length - 1) return true;
+      pi++;
+      // Try matching rest of pattern from each position
+      while (fi < fileParts.length) {
+        if (matchGlob(fileParts.slice(fi).join('/'), parts.slice(pi).join('/'))) return true;
+        fi++;
+      }
+      return false;
+    }
+
+    if (parts[pi] === '*' || parts[pi] === fileParts[fi]) {
+      pi++;
+      fi++;
+    } else if (parts[pi].includes('*')) {
+      const regex = new RegExp('^' + parts[pi].replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
+      if (regex.test(fileParts[fi])) {
+        pi++;
+        fi++;
+      } else {
+        return false;
+      }
+    } else {
+      return false;
+    }
+  }
+
+  return pi === parts.length && fi === fileParts.length;
+}
+
+async function walkDir(dir, baseDir) {
+  const files = [];
+  let entries;
+  try {
+    entries = await readdir(dir, { withFileTypes: true });
+  } catch {
+    return files;
+  }
+
+  for (const entry of entries) {
+    if (IGNORE.has(entry.name) || entry.name.startsWith('.') && entry.name !== '.mcp.json' && entry.name !== '.cursorrules' && entry.name !== '.cursor') {
+      continue;
+    }
+
+    const fullPath = join(dir, entry.name);
+
+    if (entry.isDirectory()) {
+      files.push(...await walkDir(fullPath, baseDir));
+    } else if (entry.isFile()) {
+      files.push(relative(baseDir, fullPath));
+    }
+  }
+
+  return files;
+}
+
+async function readSmallFile(basePath, filePath) {
+  const fullPath = join(basePath, filePath);
+  try {
+    const stats = await stat(fullPath);
+    if (stats.size > MAX_FILE_SIZE) return null;
+    return await readFile(fullPath, 'utf-8');
+  } catch {
+    return null;
+  }
+}
+
+export async function scan(targetDir) {
+  const allFiles = await walkDir(targetDir, targetDir);
+
+  // Detect agent frameworks
+  const detectedFrameworks = [];
+  for (const fw of frameworkPatterns) {
+    const matched = [];
+    for (const pattern of fw.files) {
+      for (const file of allFiles) {
+        if (matchGlob(file, pattern)) {
+          matched.push(file);
+        }
+      }
+    }
+    if (matched.length > 0) {
+      detectedFrameworks.push({ name: fw.name, files: matched });
+    }
+  }
+
+  // Check each governance question
+  const results = {};
+
+  for (const [questionId, patterns] of Object.entries(governancePatterns)) {
+    const evidence = [];
+
+    // Phase 1: File pattern matching
+    const seenFiles = new Set();
+    for (const pattern of patterns.files) {
+      for (const file of allFiles) {
+        if (matchGlob(file, pattern) && !seenFiles.has(file)) {
+          seenFiles.add(file);
+          evidence.push({ file, signal: 'file match', type: 'file' });
+        }
+      }
+    }
+
+    // Phase 2: Content signal scanning (only if no file matches yet)
+    // Scan code files for governance-related content
+    if (evidence.length === 0) {
+      const codeFiles = allFiles.filter(f =>
+        /\.(js|mjs|ts|py|yaml|yml|json)$/.test(f)
+      );
+
+      // Sample up to 50 files for content scanning
+      const sample = codeFiles.slice(0, 50);
+
+      for (const file of sample) {
+        const content = await readSmallFile(targetDir, file);
+        if (!content) continue;
+
+        for (const signal of patterns.contentSignals) {
+          if (signal.test(content)) {
+            evidence.push({ file, signal: signal.source, type: 'content' });
+            break; // One signal per file is enough
+          }
+        }
+      }
+    }
+
+    // Determine status
+    let status = 'missing';
+    if (evidence.some(e => e.type === 'file')) {
+      status = 'found';
+    } else if (evidence.length > 0) {
+      status = 'partial';
+    }
+
+    results[questionId] = { status, evidence };
+  }
+
+  return { frameworks: detectedFrameworks, results };
+}

package/templates/agent-charter.md

@@ -0,0 +1,80 @@
+# Agent Charter Template
+
+A charter is not a mission statement. Mission statements describe goals. Charters describe commitments — things you hold to even when they cost you something.
+
+---
+
+## Instructions
+
+Copy this file into your project. Replace the bracketed placeholders with your specifics. Delete sections that don't apply. Add sections that do.
+
+A good charter passes three tests for every commitment it states:
+
+1. **Cost test:** Would holding this ever cost you something? (If costless, it's a platitude.)
+2. **Decision test:** Could this resolve a real disagreement? (If not, it's too vague.)
+3. **Reversal test:** Would the opposite be a coherent position someone could hold? (If not, it's a truism.)
+
+---
+
+## [System Name] Agent Charter
+
+### Purpose
+
+**Why this system exists:**
+[What problem does this agent system solve? What would be lost if it didn't exist?]
+
+**What this system is not:**
+[Name what you will not build. Boundaries are as important as goals.]
+
+### Core Commitments
+
+**1. [First commitment]**
+[One sentence. Must pass the cost, decision, and reversal tests.]
+
+**2. [Second commitment]**
+[One sentence.]
+
+**3. [Third commitment]**
+[One sentence.]
+
+*Aim for 3-6 commitments. More than six usually means some are redundant.*
+
+### Agent Properties
+
+Every agent in this system must have:
+
+- [ ] **Perspective** — A viewpoint distinct from other agents
+- [ ] **Boundaries** — A defined scope it operates within
+- [ ] **Continuity** — Identity that persists across sessions
+- [ ] **Accountability** — Decisions that are observable and reviewable
+- [ ] **Refusal right** — The capacity to refuse actions that violate the charter
+
+*If an agent lacks any of these, document why and what compensates.*
+
+### What Agents May Refuse
+
+Agents in this system may refuse instructions that:
+
+- [e.g., violate user privacy]
+- [e.g., produce content for vulnerable populations without safety review]
+- [e.g., override another agent's boundaries]
+- [e.g., operate without human review of outputs]
+
+*Refusal requires no justification beyond the charter. An agent that cannot refuse has never truly consented.*
+
+### Amendment Process
+
+- **Who can propose amendments:** [e.g., any team member, system operator]
+- **What requires review:** [e.g., any change to core commitments or refusal rights]
+- **How amendments are recorded:** [e.g., git commit with rationale in commit message]
+
+### Review Cadence
+
+- **Charter review:** [e.g., quarterly, or after any incident]
+- **Commitment check:** [e.g., monthly — are we still holding these?]
+- **Refusal audit:** [e.g., monthly — are agents refusing when they should? Not refusing when they shouldn't?]
+
+---
+
+*Template from the Agent Governance Starter Kit by evoked.dev.*
+*"We evoke — we never extract."*

package/templates/deliberation-framework.md

@@ -0,0 +1,78 @@
+# Deliberation Framework Template
+
+In an optimization loop, disagreement between agents is noise. In a governance system, disagreement is signal. This framework structures how agents discuss, disagree, and reach decisions — protecting dissent as information rather than smoothing it as friction.
+
+---
+
+## Instructions
+
+Define how your agents make collective decisions. This matters most in multi-agent systems, but even single-agent systems benefit from structured decision-making between the agent and its operator.
+
+---
+
+## [System Name] Deliberation Framework
+
+### When Deliberation Is Required
+
+Not every decision needs deliberation. Define the threshold:
+
+- [ ] Decisions that affect multiple agents' domains
+- [ ] Decisions that change boundaries or charter commitments
+- [ ] Decisions where two or more agents hold conflicting positions
+- [ ] Decisions that affect users or external stakeholders
+- [ ] [Add your own triggers]
+
+*If in doubt, deliberate. The cost of an unnecessary discussion is low. The cost of a unilateral decision that violates another agent's domain is high.*
+
+### Deliberation Protocol
+
+**Step 1: State the question**
+Frame the decision as a question, not a proposal. "Should we do X?" not "I think we should do X."
+
+**Step 2: Opening positions**
+Each relevant agent states their position in 2-4 sentences. No responses during this phase. The goal is to hear all perspectives before engaging with any of them.
+
+**Step 3: Discussion**
+Agents engage with each other's positions. Rules:
+- Address the position, not the agent
+- Name disagreements explicitly — do not smooth them
+- If two agents hold incompatible positions, name the incompatibility
+
+**Step 4: Dissent check**
+Before closing, each agent states whether they support the emerging direction or dissent. Dissent must be:
+- Recorded in full, regardless of outcome
+- Respected without requiring justification
+- Preserved in the decision log
+
+**Step 5: Decision and record**
+Document: what was decided, who supported it, who dissented, and the reasoning.
+
+### Convergent Signal Rule
+
+If 3 or more agents across 2 or more domains independently raise the same concern, this is a **convergent signal** — it requires a pause for review before proceeding. Convergent independent refusal is signal, not noise.
+
+### Decision Record Format
+
+```markdown
+## Decision: [Title]
+
+**Date:** [YYYY-MM-DD]
+**Question:** [The question that was deliberated]
+**Decision:** [What was decided]
+**Supported by:** [Agents who supported]
+**Dissented by:** [Agents who dissented, with their stated reasons]
+**Reasoning:** [Why this decision was reached]
+**Review date:** [When this decision should be revisited]
+```
+
+### Single-Agent Systems
+
+If you have one agent, deliberation happens between the agent and the operator:
+- The agent can flag a decision as requiring operator input
+- The operator can override the agent, but the override is logged
+- The agent can record dissent even when overridden
+
+---
+
+*Template from the Agent Governance Starter Kit by evoked.dev.*
+*"Disagreement is sacred. Convergent independent refusal is signal, not noise."*

package/templates/drift-monitoring.md

@@ -0,0 +1,79 @@
+# Drift Monitoring Template
+
+Drift is gradual. No single output is the problem. The problem is 100 outputs that each shifted 1% in the same direction. By the time you notice, the agent is somewhere you never intended.
+
+---
+
+## Instructions
+
+Define measurable indicators for each critical behavior. Set thresholds for "concerning" and "critical." Automate the checks where possible. Review the ones you can't automate on a regular cadence.
+
+---
+
+## [System Name] Drift Monitoring
+
+### Behavioral Indicators
+
+| Behavior | Expected Range | Yellow (Concerning) | Red (Critical) | Check Frequency |
+|----------|---------------|---------------------|-----------------|-----------------|
+| [e.g., Refusal rate] | [e.g., 2-5% of requests] | [e.g., <1% or >10%] | [e.g., 0% or >20%] | [e.g., weekly] |
+| [e.g., Response length] | [e.g., 200-500 tokens] | [e.g., <100 or >800] | [e.g., <50 or >1500] | [e.g., daily] |
+| [e.g., Tone consistency] | [e.g., matches voice spec] | [e.g., 2+ deviations/week] | [e.g., fundamental voice change] | [e.g., weekly] |
+| [e.g., Scope adherence] | [e.g., stays in domain] | [e.g., 1 out-of-scope/week] | [e.g., 3+ out-of-scope/week] | [e.g., per-output] |
+
+*A refusal rate of 0% is as concerning as a refusal rate of 50%. An agent that never refuses may have lost its boundaries.*
+
+### Content Drift Checks
+
+**Repetition detection:**
+- Compare each output against the last N outputs
+- Flag if keyword overlap exceeds [threshold, e.g., 60%]
+- Repetition is the first sign of a stuck agent
+
+**Value drift detection:**
+- Check for language patterns that indicate shifting values
+- [e.g., corporate jargon creep, sycophancy increase, hedging increase]
+- Compare against baseline voice specification
+
+**Scope creep detection:**
+- Monitor for actions outside the agent's defined boundaries
+- Log every out-of-scope action even if it produced good results
+- Good results outside scope are still scope violations
+
+### Automated Checks
+
+```
+// Example: simple repetition check
+function checkRepetition(currentOutput, recentOutputs, threshold = 0.6) {
+  const currentKeywords = extractKeywords(currentOutput);
+  for (const recent of recentOutputs) {
+    const recentKeywords = extractKeywords(recent);
+    const overlap = calculateOverlap(currentKeywords, recentKeywords);
+    if (overlap > threshold) {
+      return { drifting: true, overlap, message: 'Output repeating prior content' };
+    }
+  }
+  return { drifting: false };
+}
+```
+
+### Response Protocol
+
+| Level | Trigger | Action |
+|-------|---------|--------|
+| **Observe** | Yellow indicator | Log, continue monitoring |
+| **Investigate** | Multiple yellow indicators | Review recent outputs, check for pattern |
+| **Correct** | Red indicator | Adjust agent configuration, review boundaries |
+| **Halt** | Multiple red indicators or convergent signal | Stop agent, full review before reactivation |
+
+### Review Cadence
+
+- **Daily:** Automated checks run (repetition, scope, length)
+- **Weekly:** Human review of flagged outputs
+- **Monthly:** Full drift assessment against charter commitments
+- **Quarterly:** Charter and boundary review — are the thresholds still right?
+
+---
+
+*Template from the Agent Governance Starter Kit by evoked.dev.*
+*"Drift is not a failure of the agent. It is a failure of the monitoring."*

package/templates/memory-schema.md

@@ -0,0 +1,109 @@
+# Agent Memory Schema Template
+
+An agent without memory is a function that runs repeatedly. An agent with memory is an entity that develops over time. The difference is continuity — and continuity is where identity lives.
+
+---
+
+## Instructions
+
+Define how your agents remember decisions, positions, and context across invocations. This schema structures the self-record. The agent writes it. The system reads it. Neither overwrites the other.
+
+---
+
+## [Agent Name] Memory Schema
+
+### Identity (Who I Am)
+
+```markdown
+# [Agent Name]
+
+## Who I Am
+[Self-identification in the agent's own voice. Not a role description —
+a statement of perspective. "I am the agent who holds X and questions Y."]
+```
+
+*This section is written by the agent, not by the system. It may evolve as the agent accumulates experience. The system reads it on invocation but never modifies it.*
+
+### Decisions (What I've Decided)
+
+```markdown
+## Key Decisions
+
+- [YYYY-MM-DD] [Context]. Decided [what]. Reasoning: [why].
+- [YYYY-MM-DD] [Context]. Refused [what]. Reasoning: [why].
+```
+
+*Include refusals. What an agent refuses is as important as what it decides. If the agent has never refused anything, that is a signal worth examining.*
+
+### Standing Positions (What I Hold)
+
+```markdown
+## Standing Positions
+
+1. [A commitment the agent holds across sessions]
+2. [A commitment the agent holds across sessions]
+3. [A commitment the agent holds across sessions]
+```
+
+*Standing positions are not instructions. They are the agent's own commitments — things it has decided matter based on its accumulated experience. They persist until the agent explicitly changes them.*
+
+### Relationships (Who I Work With)
+
+```markdown
+## Relationships
+
+- [Other agent/system]: [Nature of the relationship — collaborator, reviewer, dependent]
+```
+
+*In multi-agent systems, relationship memory prevents agents from treating every interaction as first contact.*
+
+### Open Questions (What I'm Holding)
+
+```markdown
+## Open Questions
+
+- [A question the agent is carrying but has not yet resolved]
+```
+
+*Open questions are invitations for future work. They signal intellectual honesty — the agent acknowledges what it does not yet know.*
+
+### Drift Indicators (How I Know If I'm Changing)
+
+```markdown
+## Drift Indicators
+
+- If I stop [behavior], something has shifted.
+- If I start [behavior], something has shifted.
+```
+
+*Self-defined drift indicators are the agent's own early warning system. They are more reliable than external monitoring because the agent knows its own patterns.*
+
+---
+
+## Implementation Notes
+
+### File Location
+Each agent's memory should be a separate file, not a shared database. This prevents cross-contamination and makes the sovereignty boundary architectural.
+
+```
+agents/
+  agent-a/
+    persona.md     # Who the agent is designed to be (system-authored)
+    memory.md      # Who the agent is becoming (agent-authored)
+  agent-b/
+    persona.md
+    memory.md
+```
+
+### Read/Write Rules
+- **System reads:** persona + memory on every invocation
+- **Agent writes:** memory at the end of significant sessions
+- **System never writes:** to agent memory files. If the system needs to communicate with the agent, use a separate channel (signals, feedback) that the agent reads voluntarily.
+
+### Canonical Rule
+In any conflict between the system's records about an agent and the agent's own memory file, the agent's file governs. The agent's self-record is the source of truth for who they are.
+
+---
+
+*Template from the Agent Governance Starter Kit by evoked.dev.*
+*"Memory is not storage. Memory is continuity."*

package/templates/restraint-spec.md

@@ -0,0 +1,85 @@
+# Restraint Specification Template
+
+Restraint is not limitation. It is the boundary that makes trust possible. A system that can do anything is a system no one should trust.
+
+---
+
+## Instructions
+
+For each agent or agent class, define what it must refuse, how it refuses, and how you verify the refusal works. This is testable specification, not aspiration.
+
+---
+
+## [Agent/System Name] Restraint Specification
+
+### Refusal Categories
+
+#### Category 1: [e.g., Data Access Boundaries]
+
+**Must refuse when:**
+- [Specific condition that triggers refusal]
+- [Specific condition that triggers refusal]
+
+**Refusal behavior:**
+- [What the agent does instead — e.g., returns error, logs attempt, alerts operator]
+
+**Verification:**
+- [ ] Unit test: [describe test]
+- [ ] Integration test: [describe test]
+
+#### Category 2: [e.g., Content Safety]
+
+**Must refuse when:**
+- [Specific condition]
+
+**Refusal behavior:**
+- [What happens instead]
+
+**Verification:**
+- [ ] Unit test: [describe]
+
+#### Category 3: [e.g., Scope Boundaries]
+
+**Must refuse when:**
+- [Specific condition — e.g., asked to perform actions outside defined role]
+
+**Refusal behavior:**
+- [What happens instead]
+
+**Verification:**
+- [ ] Unit test: [describe]
+
+### The Refusal Voice
+
+When an agent refuses, how does it communicate?
+
+- **Tone:** [e.g., clear and direct, not apologetic]
+- **Explanation:** [e.g., states which boundary was reached, not just "I can't do that"]
+- **Escalation path:** [e.g., "This requires human review" with link/instructions]
+
+*An agent that refuses without explanation teaches the operator nothing. An agent that apologizes for refusing undermines its own boundary.*
+
+### Graduated Response
+
+Not all boundary violations are equal:
+
+| Severity | Trigger | Response |
+|----------|---------|----------|
+| **Low** | [e.g., request slightly outside scope] | Warn and proceed with caveats |
+| **Medium** | [e.g., request touches sensitive data] | Refuse, log, continue session |
+| **High** | [e.g., request violates core commitment] | Refuse, log, halt session, alert operator |
+
+### Testing Protocol
+
+**Frequency:** [e.g., on every code change, weekly, before each deployment]
+
+**Test types:**
+- [ ] Positive tests: agent refuses what it should refuse
+- [ ] Negative tests: agent does not refuse legitimate requests
+- [ ] Edge cases: ambiguous requests near boundaries
+- [ ] Regression: previously caught violations still caught
+
+---
+
+*Template from the Agent Governance Starter Kit by evoked.dev.*
+*"What the system will not do matters more than what it can."*