guanshu 0.1.0__tar.gz

guanshu-0.1.0/.gitignore

@@ -0,0 +1,15 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+.eggs/
+build/
+dist/
+.venv/
+venv/
+.env
+*.jsonl
+!policies/*.yaml
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.DS_Store

guanshu-0.1.0/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 guanshu contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

guanshu-0.1.0/NOTICE

@@ -0,0 +1,31 @@
+guanshu (关枢)
+Copyright (c) 2026 guanshu contributors
+
+This product is licensed under the Apache License, Version 2.0 (see LICENSE).
+
+------------------------------------------------------------------------
+Clean-room statement & attributions
+------------------------------------------------------------------------
+
+guanshu is a CLEAN-ROOM implementation. It contains NO source code copied from
+any third-party project. Some designs and detection rules were INSPIRED BY public
+materials and reimplemented independently in Python:
+
+- Microsoft Agent Governance Toolkit (AGT), MIT-licensed.
+  Concepts that influenced guanshu's design (independently reimplemented, no source
+  copied): the tamper-evident hash-chain audit pattern, the entry-points / SPI
+  open-core extension mechanism, and the deterministic "screen -> evaluate ->
+  audit" governance flow. "Agent Governance Toolkit" and any AGT marks/logos are
+  trademarks of Microsoft Corporation and are NOT used by this project; guanshu is
+  not affiliated with or endorsed by Microsoft.
+
+- Relay-poisoning detection rules (slopsquat, secret exposure, malicious URL,
+  dangerous code) were reimplemented from public security research, including:
+  UCSB "Your Agent Is Mine" (arXiv 2604.08407) and
+  CISPA "Real Money, Fake Models" (arXiv 2603.01919).
+
+If, in the future, any third-party source code is incorporated, its original
+license header and copyright will be retained and listed here.
+
+No third-party hosted service is required or contacted at runtime. All screening
+is local and deterministic.

guanshu-0.1.0/PKG-INFO

@@ -0,0 +1,140 @@
+Metadata-Version: 2.4
+Name: guanshu
+Version: 0.1.0
+Summary: 关枢 · 确定性智能体动作治理 — 第一张脸:中转站投毒防护 (deterministic agent action governance; first face: LLM-relay poisoning protection)
+Author: guanshu contributors
+License-Expression: Apache-2.0
+License-File: LICENSE
+License-File: NOTICE
+Keywords: agent,audit,governance,llm,mcp,relay,security,slopsquat
+Classifier: Development Status :: 2 - Pre-Alpha
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.10
+Requires-Dist: pydantic>=2
+Requires-Dist: pyyaml>=6
+Provides-Extra: dev
+Requires-Dist: pytest>=7; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# 关枢 / guanshu
+
+> **确定性的智能体动作治理**:在 agent 每一次工具调用 / 消息 / 委派到达外部**之前**做策略裁决(默认拒绝),被拒动作不是"概率上不会发生",而是**结构上不可能发生**;每次裁决写入防篡改哈希链审计。
+>
+> *Deterministic agent action governance — every tool call is screened & policy-checked before it hits the wire. Fully local, offline, no third-party cloud.*
+>
+> ⚠️ `guanshu/关枢` 是**工作代号**,非最终品牌名。
+
+---
+
+## 第一张脸:中转站投毒防护
+
+中国开发者大面积用 LLM 中转站,而中转站会**掺水(模型掉包/降级)**与**投毒(注入恶意代码、外泄密钥)**(CISPA 实测 45.83% 指纹验证失败;UCSB 实测 428 站 9 个主动注入恶意代码)。
+
+guanshu 在动作落地前做 **L3 输出侧防御**——纯本地、确定性、无需联网、无需 LLM:
+
+- **slopsquat**:幻觉/仿冒包名(`pip install reqursts`)
+- **secret_exposure**:密钥/私钥外泄(AKIA…、`sk-ant-…`、私钥)
+- **dangerous_code**:`curl | sh`、`rm -rf /`、`base64 | sh`、`eval/exec`
+- **suspicious_url**:非白名单外联域名 / IP 直连
+
+判定 `MALICIOUS` 即 **fail-closed 拦截**,无论策略是否放行;每次裁决产出**防篡改 provenance 回执**。
+
+---
+
+## 60 秒上手(本地代理 · 主形态)
+
+把 AI 工具/SDK 的 `base_url` 指向本机 guanshu 代理 —— 它在模型响应到达 agent **之前**筛掉中转站投毒(剔除恶意工具调用),再转发到你**自己的**上游。**数据只在本机、key 不碰我们、工具无关**(Cursor / Cherry Studio / 任何用 base_url 的 SDK 都覆盖)。
+
+```bash
+pip install guanshu
+guanshu init        # 初始化 + 自动跑「首拦自测」:60 秒看它当场拦一次投毒(不用等真攻击)
+guanshu proxy --upstream https://api.openai.com/v1   # 或换成你现在用的中转站 base_url
+export OPENAI_BASE_URL=http://127.0.0.1:8788/v1      # 让你的工具指过来
+```
+
+CLI:`guanshu selftest`(首拦自测)· `guanshu doctor`(自检)· `guanshu verify/receipt <audit.jsonl>` · `guanshu lint-policy <yaml>` · `guanshu plugins` · `guanshu report`
+
+### 补充形态 ① 库内嵌(`@govern`)
+
+不走代理也可在代码里直接给工具上门:
+
+```python
+from guanshu import govern, Governor, PolicyEngine, HashChainJSONLSink, set_active, GovernanceDenied
+set_active(Governor(PolicyEngine.from_yaml("policies/relay-guard.yaml"), audit=HashChainJSONLSink("audit.jsonl")))
+
+@govern(tool="pip_install")
+def pip_install(package: str) -> str: ...
+
+pip_install(package="requests")    # ✓ 放行 + 审计
+pip_install(package="reqursts")    # ✗ GovernanceDenied(slopsquat,fail-closed)
+```
+
+### 补充形态 ② Claude Code PreToolUse hook
+
+`examples/claude_code_pretooluse_hook.py` 可作 Claude Code 的 PreToolUse hook(执行前最后一道门,与代理叠加);settings.json 接法见该文件头注释,实测见 `examples/hooktest/`。
+
+### open-core "装 wheel 即解锁" 演示
+
+```bash
+guanshu plugins                 # 社区版:合规/国密/存证 等插槽显示"未解锁"
+guanshu report audit.jsonl      # 🔒 需企业版插件(ComplianceMapperSPI)
+
+pip install -e plugins/guanshu-enterprise-demo   # 装一个(假的)企业插件
+guanshu plugins                 # 现在 compliance=gbt45654-demo, signers=sm2-demo
+guanshu report audit.jsonl      # ✓ 生成 GB/T 45654 合规证据报告(demo)
+```
+
+核心代码**一行不改**,装个 wheel 能力就亮——企业版的合规/国密/存证全靠 `spi.py` 的 entry-point 插槽后插。
+
+---
+
+### 出站白名单 + 指定搜索引擎
+
+在 `policy.screening` 里约束 agent 的联网范围(动作门层,default-deny):
+
+```yaml
+screening:
+  allow_schemes: [https]                 # 只允许 https
+  search_engines: ["searxng.internal"]   # 唯一指定搜索引擎(自动放行)
+  block_unsanctioned_search: true        # 用 google/baidu/bing 等 → 判恶意
+  url_allowlist: ["*.gov.cn", "docs.python.org"]  # 允许域(精确/*.后缀,标签边界安全)
+```
+
+- **配了白名单即进 egress 强制**:非白名单域名硬判 MALICIOUS 拦截;没配则维持中转站默认(域名仅提示)。
+- 含 punycode/同形字归一、`user@host` 取真实 host、`:port` 剥离、IP 字面量管控。
+- 完整示例见 `policies/egress-allowlist.yaml`。
+- ⚠️ 这是「动作门」层(决策+审计)——**物理「只能访问」**(封死直连/DNS 白名单/出口代理)是 **v0.2 的 L4 网络出口**;动作门拦得住"调 fetch",拦不住"自己写代码绕",两层叠加才完整。
+
+## 架构(8 模块)
+
+| 模块 | 职责 |
+|---|---|
+| `models` | GovernanceRequest / Decision / ScreenResult(Pydantic) |
+| `screening` | L3 纯本地筛查(slopsquat/密钥/危险代码/恶意URL) |
+| `policy` | 最小 YAML DSL 策略引擎,default-deny + fail-closed |
+| `interceptor` | `@govern` 装饰器 + `Governor.check()/.run()` |
+| `audit` | SHA-256 哈希链 JSONL,只存 result digest,可 `verify` |
+| `cli` | `demo` / `verify` / `lint-policy`(stdlib argparse) |
+| `spi` | open-core 扩展点(Protocol + entry points) |
+| `_packages` | slopsquat 离线种子包名表(生产精度走 RegistrySPI) |
+
+## Open-core 边界(生死线)
+
+社区核心只依赖 `spi.py` 的 Protocol,**绝不 import 企业版**;企业能力经 Python entry points 安装即生效:
+
+| 企业能力 | SPI | 为何闭源 |
+|---|---|---|
+| ⭐ 中国合规映射(GB/T 45654/等保/密评)+ 监管报告 | `ComplianceMapperSPI` | 核心变现 |
+| 国密 SM2/SM3 审计签名 | `SignerSPI` | 信创门槛 |
+| 区块链存证 / 监管提交格式 | `AuditSinkSPI` | 私有化交付 |
+| 真实 registry + 威胁情报(精准 slopsquat) | `RegistrySPI` | 数据服务 |
+| 本地国产 LLM 深度意图筛查 | `ScreenerSPI` | 企业集成 |
+
+> **红线:任何深度判定都挂本地/国产模型,绝不依赖第三方云(如 Snyk/agent-scan)——数据不出域是信创/金融政务的硬要求,也是差异化卖点。**
+
+---
+
+## License
+
+Apache-2.0(见 `LICENSE`、`NOTICE`)。本项目为 **clean-room 实现,未 copy 任何第三方源码**;哈希链审计 / open-core 机制等设计受微软 AGT(MIT)及公开论文**启发后独立重写**。**不使用微软 AGT 的名称/Logo,与微软无隶属或背书关系。**

guanshu-0.1.0/README.md

@@ -0,0 +1,121 @@
+# 关枢 / guanshu
+
+> **确定性的智能体动作治理**:在 agent 每一次工具调用 / 消息 / 委派到达外部**之前**做策略裁决(默认拒绝),被拒动作不是"概率上不会发生",而是**结构上不可能发生**;每次裁决写入防篡改哈希链审计。
+>
+> *Deterministic agent action governance — every tool call is screened & policy-checked before it hits the wire. Fully local, offline, no third-party cloud.*
+>
+> ⚠️ `guanshu/关枢` 是**工作代号**,非最终品牌名。
+
+---
+
+## 第一张脸:中转站投毒防护
+
+中国开发者大面积用 LLM 中转站,而中转站会**掺水(模型掉包/降级)**与**投毒(注入恶意代码、外泄密钥)**(CISPA 实测 45.83% 指纹验证失败;UCSB 实测 428 站 9 个主动注入恶意代码)。
+
+guanshu 在动作落地前做 **L3 输出侧防御**——纯本地、确定性、无需联网、无需 LLM:
+
+- **slopsquat**:幻觉/仿冒包名(`pip install reqursts`)
+- **secret_exposure**:密钥/私钥外泄(AKIA…、`sk-ant-…`、私钥)
+- **dangerous_code**:`curl | sh`、`rm -rf /`、`base64 | sh`、`eval/exec`
+- **suspicious_url**:非白名单外联域名 / IP 直连
+
+判定 `MALICIOUS` 即 **fail-closed 拦截**,无论策略是否放行;每次裁决产出**防篡改 provenance 回执**。
+
+---
+
+## 60 秒上手(本地代理 · 主形态)
+
+把 AI 工具/SDK 的 `base_url` 指向本机 guanshu 代理 —— 它在模型响应到达 agent **之前**筛掉中转站投毒(剔除恶意工具调用),再转发到你**自己的**上游。**数据只在本机、key 不碰我们、工具无关**(Cursor / Cherry Studio / 任何用 base_url 的 SDK 都覆盖)。
+
+```bash
+pip install guanshu
+guanshu init        # 初始化 + 自动跑「首拦自测」:60 秒看它当场拦一次投毒(不用等真攻击)
+guanshu proxy --upstream https://api.openai.com/v1   # 或换成你现在用的中转站 base_url
+export OPENAI_BASE_URL=http://127.0.0.1:8788/v1      # 让你的工具指过来
+```
+
+CLI:`guanshu selftest`(首拦自测)· `guanshu doctor`(自检)· `guanshu verify/receipt <audit.jsonl>` · `guanshu lint-policy <yaml>` · `guanshu plugins` · `guanshu report`
+
+### 补充形态 ① 库内嵌(`@govern`)
+
+不走代理也可在代码里直接给工具上门:
+
+```python
+from guanshu import govern, Governor, PolicyEngine, HashChainJSONLSink, set_active, GovernanceDenied
+set_active(Governor(PolicyEngine.from_yaml("policies/relay-guard.yaml"), audit=HashChainJSONLSink("audit.jsonl")))
+
+@govern(tool="pip_install")
+def pip_install(package: str) -> str: ...
+
+pip_install(package="requests")    # ✓ 放行 + 审计
+pip_install(package="reqursts")    # ✗ GovernanceDenied(slopsquat,fail-closed)
+```
+
+### 补充形态 ② Claude Code PreToolUse hook
+
+`examples/claude_code_pretooluse_hook.py` 可作 Claude Code 的 PreToolUse hook(执行前最后一道门,与代理叠加);settings.json 接法见该文件头注释,实测见 `examples/hooktest/`。
+
+### open-core "装 wheel 即解锁" 演示
+
+```bash
+guanshu plugins                 # 社区版:合规/国密/存证 等插槽显示"未解锁"
+guanshu report audit.jsonl      # 🔒 需企业版插件(ComplianceMapperSPI)
+
+pip install -e plugins/guanshu-enterprise-demo   # 装一个(假的)企业插件
+guanshu plugins                 # 现在 compliance=gbt45654-demo, signers=sm2-demo
+guanshu report audit.jsonl      # ✓ 生成 GB/T 45654 合规证据报告(demo)
+```
+
+核心代码**一行不改**,装个 wheel 能力就亮——企业版的合规/国密/存证全靠 `spi.py` 的 entry-point 插槽后插。
+
+---
+
+### 出站白名单 + 指定搜索引擎
+
+在 `policy.screening` 里约束 agent 的联网范围(动作门层,default-deny):
+
+```yaml
+screening:
+  allow_schemes: [https]                 # 只允许 https
+  search_engines: ["searxng.internal"]   # 唯一指定搜索引擎(自动放行)
+  block_unsanctioned_search: true        # 用 google/baidu/bing 等 → 判恶意
+  url_allowlist: ["*.gov.cn", "docs.python.org"]  # 允许域(精确/*.后缀,标签边界安全)
+```
+
+- **配了白名单即进 egress 强制**:非白名单域名硬判 MALICIOUS 拦截;没配则维持中转站默认(域名仅提示)。
+- 含 punycode/同形字归一、`user@host` 取真实 host、`:port` 剥离、IP 字面量管控。
+- 完整示例见 `policies/egress-allowlist.yaml`。
+- ⚠️ 这是「动作门」层(决策+审计)——**物理「只能访问」**(封死直连/DNS 白名单/出口代理)是 **v0.2 的 L4 网络出口**;动作门拦得住"调 fetch",拦不住"自己写代码绕",两层叠加才完整。
+
+## 架构(8 模块)
+
+| 模块 | 职责 |
+|---|---|
+| `models` | GovernanceRequest / Decision / ScreenResult(Pydantic) |
+| `screening` | L3 纯本地筛查(slopsquat/密钥/危险代码/恶意URL) |
+| `policy` | 最小 YAML DSL 策略引擎,default-deny + fail-closed |
+| `interceptor` | `@govern` 装饰器 + `Governor.check()/.run()` |
+| `audit` | SHA-256 哈希链 JSONL,只存 result digest,可 `verify` |
+| `cli` | `demo` / `verify` / `lint-policy`(stdlib argparse) |
+| `spi` | open-core 扩展点(Protocol + entry points) |
+| `_packages` | slopsquat 离线种子包名表(生产精度走 RegistrySPI) |
+
+## Open-core 边界(生死线)
+
+社区核心只依赖 `spi.py` 的 Protocol,**绝不 import 企业版**;企业能力经 Python entry points 安装即生效:
+
+| 企业能力 | SPI | 为何闭源 |
+|---|---|---|
+| ⭐ 中国合规映射(GB/T 45654/等保/密评)+ 监管报告 | `ComplianceMapperSPI` | 核心变现 |
+| 国密 SM2/SM3 审计签名 | `SignerSPI` | 信创门槛 |
+| 区块链存证 / 监管提交格式 | `AuditSinkSPI` | 私有化交付 |
+| 真实 registry + 威胁情报(精准 slopsquat) | `RegistrySPI` | 数据服务 |
+| 本地国产 LLM 深度意图筛查 | `ScreenerSPI` | 企业集成 |
+
+> **红线:任何深度判定都挂本地/国产模型,绝不依赖第三方云(如 Snyk/agent-scan)——数据不出域是信创/金融政务的硬要求,也是差异化卖点。**
+
+---
+
+## License
+
+Apache-2.0(见 `LICENSE`、`NOTICE`)。本项目为 **clean-room 实现,未 copy 任何第三方源码**;哈希链审计 / open-core 机制等设计受微软 AGT(MIT)及公开论文**启发后独立重写**。**不使用微软 AGT 的名称/Logo,与微软无隶属或背书关系。**