Skip to content


Assay Logo
Assay

Policy-as-Code for AI Agents

Assay is a Policy-as-Code engine for the Model Context Protocol (MCP). End-to-end governance pipeline: trace capture → policy generation → deterministic CI replay gating → verifiable evidence bundles → signed compliance packs.

Install

curl -fsSL https://getassay.dev/install.sh | sh

Core Capabilities

  • Policy Enforcement

    Validate tool calls against JSON Schema constraints, sequence rules, and allowlists. No LLM calls in CI.

    Policy Reference

  • Evidence Bundles

    Tamper-evident audit trails with content-addressed IDs. CloudEvents v1.0 format. SARIF output for GitHub Security. Combine with BYOS append-only storage for audit-grade completeness.

    Evidence Guide

  • Compliance Packs

    Built-in rule packs that structure engineering evidence for EU AI Act, SOC 2, and custom policies. Article-referenced findings for auditors. Packs do not constitute legal compliance on their own.

    Pack Engine

  • Tool Signing

    Ed25519 signatures for tool definitions. DSSE envelope format. Trust policies for supply chain security.

    Signing Spec

Quick Start

1. Capture Traces

assay import --format inspector session.json --out-trace trace.jsonl

2. Validate

assay validate --trace-file trace.jsonl --format sarif

3. Export Evidence

assay profile init --output assay-profile.yaml --name quickstart
assay evidence export --profile assay-profile.yaml --out bundle.tar.gz
assay evidence verify bundle.tar.gz

4. Lint with Compliance Pack

assay evidence lint --pack eu-ai-act-baseline bundle.tar.gz
Result Exit Code Output
Pass 0 Summary
Fail 1 SARIF with findings
Error 2 Config/Schema validation

GitHub Action

- uses: Rul1an/assay-action@v2

Zero-config. Discovers evidence bundles, verifies integrity, uploads SARIF to GitHub Security.

GitHub Action Guide

Defense in Depth: Runtime Enforcement (Linux, Optional)

Optional kernel-level hardening for Linux deployments.

# Landlock sandbox (rootless)
assay sandbox --policy policy.yaml -- python agent.py

# eBPF/LSM kernel-level enforcement
sudo assay monitor --policy policy.yaml --pid <agent-pid>

Standards Alignment

Standard Integration
CloudEvents v1.0 Evidence envelope format
W3C Trace Context traceparent correlation
SARIF 2.1.0 GitHub Code Scanning
EU AI Act Article 12 Compliance pack mapping

Next Steps