Enterprise

Multi-tenant governance, RBAC, fleet analytics, policy templates, and compliance reporting for enterprise deployments.

@lua-ai-global/governance-enterprise is a separate package that extends the core SDK with multi-tenant isolation, RBAC, fleet analytics, policy templates, and compliance reporting. 585 tests across 29 modules.

Info: Separate package. Enterprise features are not included in governance-sdk. Install @lua-ai-global/governance-enterprise alongside the core SDK.

Install

npm install @lua-ai-global/governance-enterprise
# Requires governance-sdk as a peer dependency

Multi-Tenant Isolation

Each tenant gets a fully isolated governance instance with its own agents, policies, audit trails, and scores. No data leaks between organizations.

import { createTenantGovernance } from '@lua-ai-global/governance-enterprise';

const tenantGov = await createTenantGovernance({
  tenantId: 'org_acme',
  namespace: 'acme-corp',
  storage: postgresStorage,
  rules: [
    blockTools(['shell_exec', 'db_drop']),
    requireApproval(['payment']),
  ],
});

const agent = await tenantGov.register({
  name: 'support-agent',
  framework: 'mastra',
  owner: 'cx-team',
  tools: ['ticket_update', 'knowledge_search'],
});

Role-Based Access Control

Three built-in roles with granular permissions. Assign users to roles and check permissions before governance operations.

import { createRbacManager } from '@lua-ai-global/governance-enterprise';

const rbac = createRbacManager(tenantGov);

await rbac.assignRole('user_alice', 'admin');
await rbac.assignRole('user_bob', 'operator');
await rbac.assignRole('user_carol', 'viewer');

const canKill = rbac.hasPermission('user_bob', 'kill_switch');
// → false (operator cannot use kill switch)

const canEnforce = rbac.hasPermission('user_bob', 'enforce');
// → true

Role	Capabilities
admin	Everything: policies, kill switch, audit export, RBAC management
operator	Register agents, enforce policies, view audit, score agents
viewer	Read-only: view agents, scores, audit trail, compliance reports

Fleet Analytics

import { createFleetAnalytics } from '@lua-ai-global/governance-enterprise';

const analytics = createFleetAnalytics(tenantGov);

// Enforcement rate over time
const rates = await analytics.enforcementRates({
  period: '7d',
  groupBy: 'day',
});

// Score distribution across the fleet
const distribution = await analytics.scoreDistribution();
// { L0: 0, L1: 2, L2: 4, L3: 8, L4: 3 }

// Top blocked tools
const topBlocked = await analytics.topBlockedTools({ limit: 5 });
// [{ tool: "shell_exec", count: 89 }, { tool: "db_drop", count: 23 }, ...]

Policy Templates

Start with industry-specific policy sets instead of building from scratch. Templates encode best practices for compliance with industry-specific regulations.

import { getPolicyTemplate, listTemplates } from '@lua-ai-global/governance-enterprise';

const templates = listTemplates();
// ["fintech", "healthcare", "saas", "government", "custom"]

const fintechRules = getPolicyTemplate('fintech');
// Includes: PCI-DSS tool restrictions, SOX audit requirements,
// transaction approval workflows, data classification rules

const healthcareRules = getPolicyTemplate('healthcare');
// Includes: HIPAA data handling, PHI access controls,
// audit retention policies, minimum governance levels

const gov = createGovernance({
  rules: [...fintechRules, ...myCustomRules],
});

Compliance Report Export

import { exportComplianceReport } from '@lua-ai-global/governance-enterprise';

const report = await exportComplianceReport(tenantGov, {
  format: 'json',   // or 'csv'
  articles: ['9', '12', '14'],
  includeEvidence: true,
  includeRemediation: true,
});

Note: Compliance reports can be generated on demand for auditors or scheduled as part of your CI/CD pipeline. The JSON format is machine-readable for integration with GRC platforms.

All 29 Modules

Module	Description
Multi-tenant isolation	Namespace per org. Complete data isolation for agents, policies, audit trails, and scores.
RBAC	Admin, operator, viewer roles. Permission checks for all governance operations.
Fleet analytics	Enforcement rates, score distributions, top blocked tools, trend analysis.
Policy templates	Pre-built rule sets for fintech, healthcare, SaaS, and government verticals.
Compliance report export	Generate structured compliance reports with evidence and remediation steps.
Anomaly detection	Detect unusual enforcement patterns, score drops, or suspicious agent behavior.
Incident manager	Track and manage security incidents with severity, status, and audit linkage.
Approval queue	Asynchronous human-in-the-loop approval workflows for sensitive operations.
Policy deployment	Staged policy rollouts with canary testing and rollback.
Policy snapshots & diff	Version policy sets and compare changes over time.
Credential vault	Secure storage for API keys and secrets used by governed agents.
Health monitor	Real-time health checks for governance infrastructure and storage backends.
Webhooks	Push governance events to external systems (Slack, PagerDuty, SIEM).
Score history	Track governance score changes over time per agent and per fleet.
Agent graph	Visualize agent dependencies, handoffs, and communication patterns.