TaG -- Trust and Governance for Agentic Execution

Most AI tools are easy to start and hard to trust.

They can answer fast, write fast, and act fast. They can also go off scope, waste money, leak data, skip verification, and tell you a job is done when it is not.

TaG is the layer that makes AI usable in the real world.

It is designed to feel simple on the surface and strict underneath:
easy enough to step into,
strong enough to protect you from the rocks.

TaG is a local-first trust and governance layer for AI agents, sub-agents, and human operators working in the same execution system. It defines what an agent is allowed to do, what evidence it needs before claiming work is complete, and how work gets escalated when local execution is slow, wrong, or unsafe. TaG also provides a 3-layer persistent memory system that carries context across sessions and restarts, and a local operational dashboard for monitoring governance, memory, and hook status in real time.

The open-source core runs locally. No hosted dependency, no telemetry, no account.

What TaG Enforces

Runtime Governance

Additional operational hooks include session-autosave, crash-checkpoint, compaction-recovery, memory-autosave, and skill-autoload.

Engineering Protocol

TaG open core also includes universal engineering governance primitives:

• verification-gate blocks final code-completion claims without passing verification evidence
• completion-claim-guard blocks final completion claims without evidence handles
• repo-hygiene-gate blocks completion and release claims when repo-hygiene state is missing, dirty, or incomplete
• playwright-qa-gate requires browser QA evidence for UI-facing completion claims
• playwright-security-gate requires browser security evidence for preview and deploy-facing completion claims

Supporting surfaces in the repo include:

• coding protocol defaults in tag/config/coding-protocol.json
• verification evidence models in tag/verification/
• Playwright starter templates
• model-agnostic verification playbooks

This is the open-core slice of workflow enforcement: verification before completion, repo hygiene before finalization, and browser QA/security evidence before UI or deploy-adjacent work can close.

Persistent Memory

TaG includes a 3-layer memory system that persists context across sessions, actors, and restarts.

All memory lives under tag-runtime/context/ and requires no external database or service.

Usage

from tag.memory import Heartbeat, Engram, Hindsight, resolve_memory

# Layer 1: Heartbeat — track session activity
heartbeat = Heartbeat()
heartbeat.pulse(call_count=12, files_changed=["src/main.py"])
heartbeat.is_alive()  # True if pulsed within 5 minutes

# Layer 2: Engram — save rules and recall by keyword
engram = Engram()
engram.save("Always run tests before deploy", tags=["workflow", "testing"])
engram.recall("deploy testing")  # keyword search across content and tags

# Layer 3: Hindsight — long-term archive with search
hindsight = Hindsight()
hindsight.save("Deployed v2.1 to production", source="deploy-agent", tags=["deploy"])
hindsight.recall("production deploy")  # search the archive
hindsight.stats()  # {"total": N, "sources": {...}, "tags": {...}}

# Unified interface
memory = resolve_memory()
memory.status()  # combined status of all 3 layers

Memory is populated automatically by TaG hooks (memory-autosave, session-autosave) and can be written to explicitly by any governed actor.

Dashboard

TaG ships with a local operational dashboard — no hosted service required.

The dashboard shows:

• Governance status — governed mode, authority matrix, active hooks
• Memory layers — heartbeat pulse, engram entries, hindsight archive stats
• Recent decisions — governance allow/hold/block log
• Hook status — which hooks are installed and active

Launch

python3 tag_serve.py

The dashboard opens at http://localhost:18800. Set TAG_UI_PORT to change the port.

How It Works

TaG hooks into the execution path before a governed action runs.

For each governed action or completion claim, TaG can evaluate:

• local policy
• local runtime state
• local evidence state

The result is one of:

• allow
• hold
• block

Actor
  |
  v
Action or completion claim
  |
  v
TaG hook
  |
  +--> policy check
  +--> runtime-state check
  +--> evidence check
  |
  v
Allow / Hold / Block

Policy is plain JSON. Governed state stays local. The open-source core does not require a server, account, or telemetry.

Final Escalation

TaG keeps escalation inside the same governed system.

Models and sub-agents attempt the work first under the current policy, scope, and verification requirements. If the task still cannot be resolved, it escalates upward through more capable actors. The human is the final escalation point.

When that happens, the human inherits the context of the escalation:

• what was attempted
• what failed
• why the task escalated
• what evidence exists
• what boundaries still apply

The human is not asked to reconstruct the problem from scratch. TaG preserves the history and hands over the task with context intact.

Why This Exists

AI agents now write code, run commands, manage credentials, call APIs, and move work toward release. Most systems still rely on broad permissions, weak scoping, and self-reported completion.

TaG exists to put governance in the execution path before the actor can do damage.

That means:

• before money is spent
• before credentials cross scope
• before a release moves without build, security, and QA gates
• before an actor crosses project boundaries
• before sensitive data leaves through a web request
• before work is declared complete without evidence

The actor stays useful. The actor stops being unchecked.

Open Core

TaG's governance core is open.

This repository includes:

• local trust and governance hooks
• workflow policy/compiler surfaces
• 3-layer persistent memory system (heartbeat, engram, hindsight)
• fork and runtime templates
• engineering protocol enforcement
• delivery phase-one primitives for setup and governed install state
• local operational dashboard
• launcher script (tag_serve.py)

The broader product layer is separate and still evolving:

• hosted onboarding
• billing, fleet, and support surfaces
• cost-aware multi-provider routing
• continuity and failover behavior across deployments

That split is intentional. The governance core should be inspectable, runnable, and useful on its own.

TaG is model- and provider-agnostic by design, and enterprise deployments get access to cost-aware routing across latency, capability, and cost. Advanced continuity and failover behavior live in the product layer.

Example

If an agent tries to deploy without passing build, security, or QA gates, TaG blocks the action before it happens.

If an agent tries to access credentials owned by another fork, TaG blocks it and records the governed decision locally.

If an agent tries to send sensitive data to a known capture endpoint, TaG blocks the request before the data leaves.

If an actor tries to claim code is complete without verification evidence, or UI work is done without browser QA evidence, TaG can hold or block that completion path.

That is the point of the system: not post-hoc analysis, but governed execution.

Install

TaG is pure Python with no external dependencies. Clone and configure:

git clone https://github.com/AIObuilt/TaG.git
cd TaG
export TAG_HOME=$(pwd)
mkdir -p tag-runtime/config
cp tag/config/authority-matrix.template.json tag-runtime/config/authority-matrix.json
python3 tag_serve.py

The dashboard opens in your browser after setup.

Verify

Run the full TaG suite:

for test in agent-enforcement/test_tag_*.py; do python3 "$test"; done
python3 -m py_compile $(find tag -maxdepth 4 -name '*.py' -print)

Everything in the open core is standard-library Python.

Focused Verification

Core governance:

python3 agent-enforcement/test_tag_governance_hooks.py
python3 agent-enforcement/test_tag_spending_guard.py
python3 agent-enforcement/test_tag_env_guard.py
python3 agent-enforcement/test_tag_release_gates.py
python3 agent-enforcement/test_tag_policy_model.py

Engineering protocol:

python3 agent-enforcement/test_tag_verification_evidence.py
python3 agent-enforcement/test_tag_coding_protocol.py
python3 agent-enforcement/test_tag_completion_protocol.py
python3 agent-enforcement/test_tag_repo_hygiene_gate.py
python3 agent-enforcement/test_tag_playwright_templates.py
python3 agent-enforcement/test_tag_browser_protocol_gates.py

Memory system:

python3 agent-enforcement/test_tag_memory_heartbeat.py
python3 agent-enforcement/test_tag_memory_engram.py
python3 agent-enforcement/test_tag_memory_hindsight.py
python3 agent-enforcement/test_tag_memory_system.py

Delivery phase-one primitives:

python3 agent-enforcement/test_tag_delivery_paths.py
python3 agent-enforcement/test_tag_hosted_enrollment.py
python3 agent-enforcement/test_tag_bootstrap_manifest.py
python3 agent-enforcement/test_tag_setup_state.py
python3 agent-enforcement/test_tag_governed_install.py
python3 agent-enforcement/test_tag_delivery_ui.py
python3 agent-enforcement/test_tag_setup_server.py

Authority Matrix

The authority matrix maps forks and credential scopes to permitted resources:

{
  "forks": {
    "sales": { "directory": "sales/" },
    "support": { "directory": "support/" }
  },
  "credential_scopes": {
    "stripe": { "forks": ["sales"] },
    "zendesk": { "forks": ["support"] },
    "openai": { "forks": ["shared"] }
  }
}

The sales fork can access Stripe credentials but not Zendesk, and vice versa. Violations are blocked and logged to local governed state under tag-runtime/.

License

Licensed under the Business Source License 1.1. Free for internal use within your organization. Commercial restrictions apply to reselling or offering TaG as a managed service.

About

TaG is built by AIO Built.

Contact: [email protected]

Contributing

Open an issue or submit a pull request. Keep the open core standard-library only unless there is a very strong reason to break that rule.