Governance primitives for AI agent orchestration. Stdlib-only. Contract-driven. Air-gap capable.
AI-generated code is 42% of committed code and ships 2.74x more vulnerabilities than humans write. Insurers are excluding it from coverage. Courts are settling the liability chain. Nobody ships governance as embeddable libraries. We do.
```shell
pip install hummbl-governance
```

20 governance primitives, all Python stdlib-only, all independently importable:
| Primitive | What it does |
|---|---|
| KillSwitch | Emergency halt with 4 graduated modes (DISENGAGED → EMERGENCY) |
| CircuitBreaker | Automatic failure detection + recovery (CLOSED / HALF_OPEN / OPEN) |
| DelegationToken | HMAC-SHA256 signed capability tokens for agent scope authorization |
| AuditLog | Append-only JSONL governance trail with rotation and retention |
| AgentRegistry | Identity management with aliases and trust tiers |
| SchemaValidator | JSON Schema Draft 2020-12 validation (stdlib, no jsonschema dep) |
| CostGovernor | Budget tracking with soft/hard caps and ALLOW/WARN/DENY decisions |
| BusWriter | Append-only TSV coordination bus with flock locking |
| ComplianceMapper | Map governance traces to SOC 2, GDPR, and OWASP controls |
| HealthCollector | Composable health probes with latency tracking |
| + 10 more | OutputValidator, CapabilityFence, StrideMapper, ReasoningEngine, ... |
```python
from pathlib import Path

from hummbl_governance import KillSwitch, CircuitBreaker, DelegationToken

ks = KillSwitch(state_dir=Path("./governance"))
cb = CircuitBreaker(failure_threshold=5, recovery_timeout=60)
token = DelegationToken.create(agent="codex", scope=["read", "write"], ttl=3600)
```

Every AI governance vendor (Qodo, Apiiro, Factory, Aikido, Cycode) ships a SaaS platform. Each requires sending code or telemetry to their cloud.
HUMMBL ships libraries you embed inline in your agent's execution path. No cloud dependency. No vendor lock-in. Deployable wherever your workloads deploy — including air-gapped, classified, and regulated environments.
"A signed delegation token is not a vendor pitch. It is a Caremark affirmative defense, a NIST AI RMF conformance record, and a reasonable-care evidence pack — generated at runtime, not reconstructed after the breach."
Read the full thesis: Why Libraries, Not Platforms
Our positioning is backed by a 24-document evidence corpus with 50+ primary-source citations, verified:
Start here:
- Top 10 cite-ready findings
- The Observability Argument — why AI governance is the Datadog moment
- The 22 Incidents — cataloged AI code failures (2023-2026)
- Reasonable Care in the Age of AI Agents — what courts will look for
Role-specific: CISO | CAIO | GC/Legal | CTO | AppSec | Compliance | Platform Eng | Risk Manager | Defense/Federal | AI Governance Lead
| Metric | Value |
|---|---|
| Governance primitives | 20 (stdlib-only, zero runtime deps) |
| Tests (hummbl-governance) | 476 passing |
| Tests (founder-mode reference impl) | 15,000+ |
| CI workflows | 11 active |
| Research corpus | 60 documents, 50+ primary sources |
| Published on PyPI | hummbl-governance v0.3.0 |
| Project | Purpose |
|---|---|
| hummbl-governance | Governance primitives — PyPI |
| arbiter | Code quality scoring engine (ruff + complexity + security + dead code + duplication) |
| base120 | Base120 mental model reference implementation + validation CLI |
| mcp-server | MCP server exposing Base120 models and governance skills |
| hummbl-agent | Deterministic agent infrastructure (registry-first, policy-bounded) |
| hummbl-assurance | Governance assurance — verification, contract compatibility, compliance |
HUMMBL Slop Tracker — monthly digest of AI code governance incidents, regulations, lawsuits, and the governance gap nobody is filling. Free.
Read Issue #1: 5 Things Every CISO Should Know About AI-Generated Code Right Now
```shell
pip install hummbl-governance
```

- Self-assess: hummbl.io/readiness — 20-question governance posture check
- Subscribe: hummbl.io/tracker — monthly intelligence digest
- Talk to us: reuben@hummbl.io
HUMMBL, LLC | hummbl.io | Atlanta, GA Apache 2.0 Licensed