Open-source agent governance · Apache-2.0
CanonSys is a policy DSL and runtime enforcement core for autonomous agents. You write the rules for what agents may and may not do — and the runtime enforces them. Not suggested. Enforced, with cryptographic evidence.
Every agent framework answers "what can agents do?" Almost none answer "what must they never do — and who said so?"
System prompts are suggestions. Guardrails that live inside the model can be talked out of. When an autonomous agent moves money, ships code, or contacts customers, "we asked it nicely" is not a control — and no auditor, regulator, or board will accept it as one.
CanonSys moves governance out of the prompt and into the runtime. Policy is code. Authority is explicit. Every decision leaves immutable evidence. The agent can be as creative as it wants — the system decides what actually executes.
No action executes unless a charter explicitly permits it. Silence means no. The blast radius of a misbehaving agent is whatever you granted — nothing more.
Agents never hold execution authority. They submit proposals; the enforcement core evaluates each one against the charter and certifies or denies it.
Every permission traces to a named grant from a named human or role. "The agent decided" is never the end of the chain of accountability.
Every evaluation is recorded in a cryptographic evidence chain. Records are never edited or deleted — corrections are supersessions, and the history stays intact.
If the policy engine is unreachable, ambiguous, or degraded, nothing executes. An outage of governance is an outage of action — never a free-for-all.
# finance_ops.charter — what this agent may do, signed by its owner
charter finance_ops {
  default deny
  allow refund.issue
    when amount <= 500 usd and ticket.exists
    require evidence
  allow wire.transfer
    require human.countersign(role: controller)
    require evidence
  on violation fail closed
}
A charter, not a config file. Readable by counsel, enforceable by machine, evidenced for audit.
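An added example, not CanonSys code: one way the finance_ops rules above could be evaluated with default deny, fail-closed error handling and a tamper-evident record for every decision. The SHA-256 hash chain, the proposal field names (`amount`, `currency`, `ticket_exists`, `countersigned_by_role`) and all function and class names are assumptions; the page does not say how the project implements them.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record
FIELDS = ("prev", "proposal", "decision", "reason")

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EvidenceChain:
    """Append-only log: each record commits to the hash of the one before it."""
    def __init__(self):
        self.records = []

    def append(self, proposal, decision, reason):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"prev": prev, "proposal": proposal, "decision": decision, "reason": reason}
        self.records.append({**body, "hash": _digest(body)})

    def verify(self):
        prev = GENESIS
        for rec in self.records:
            body = {k: rec[k] for k in FIELDS}
            if rec["prev"] != prev or rec["hash"] != _digest(body):
                return False  # a record was edited, removed or reordered
            prev = rec["hash"]
        return True

# Hypothetical Python encoding of the two allow rules in finance_ops.
def refund_ok(p):
    return p["currency"] == "usd" and p["amount"] <= 500 and p["ticket_exists"]

def wire_ok(p):
    return p.get("countersigned_by_role") == "controller"

RULES = {"refund.issue": refund_ok, "wire.transfer": wire_ok}

def evaluate(proposal, chain, rules=RULES):
    """Certify only what a rule explicitly permits; everything else is denied."""
    try:
        rule = rules.get(proposal["action"])
        if rule is None:
            decision, reason = "deny", "no rule permits this action (default deny)"
        elif rule(proposal):
            decision, reason = "certify", "charter condition satisfied"
        else:
            decision, reason = "deny", "charter condition not satisfied"
    except Exception as exc:  # malformed proposal or broken rule: fail closed
        decision, reason = "deny", f"evaluation error ({type(exc).__name__}), fail closed"
    chain.append(proposal, decision, reason)  # denials are evidenced too
    return decision
```

The chain here only detects edits to stored records; binding records to a named signer would need signatures on top of it.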
CanonSys started with a product conviction: enterprises were never going to deploy autonomous agents on trust. Not because the models weren't capable — because no serious organization runs consequential systems without a control layer it can show to an auditor.
Spend twenty-five years placing executives inside Fortune 50 companies and you learn exactly how organizations actually grant authority: explicitly, in writing, with accountability attached. Agents would be held to the same standard. The software just didn't exist yet.
So we specified it: a domain-specific language for expressing agent authority as charters, a runtime that evaluates every proposed action against those charters, and an evidence chain that makes every decision provable after the fact. The invariants came first; the architecture followed from them.
It's open source because governance infrastructure only works if you can inspect it. A trust layer you have to take on faith isn't one.
Originated CanonSys and drove the product side end to end: the policy-DSL concept, the technical specifications, and the governance invariants the runtime enforces. 25 years in executive search at the AI frontier, including six recruiting senior engineering leadership at NVIDIA — where the question of how organizations grant authority became the seed of this system.
Engineered CanonSys into a working system: the enforcement core, the charter runtime, and the cryptographic evidence chain. Agentic engineer and creator of Lionagi, with deep experience building multi-agent systems that hold up in production.
For teams deploying agents
The framework is free. Knowing what your charters should say is the hard part. A fixed-scope engagement with the people who designed the system:
One page. The twelve questions every team should answer before an autonomous agent touches production — authority, evidence, failure modes, and audit. Free.