Docs

Quickstart

Local developer quickstart (≤5 minutes)

If you are integrating with a hosted GovAI backend, start here instead (canonical):

Goal: create an API key, send your first evidence event, run a compliance check, and interpret the result.

This guide uses the core v1 HTTP API (api/govai-http-v1.openapi.yaml) and the shipped govai CLI (python/aigov_py/cli.py).

CLI command catalog

Search commands — click copy to use in your terminal.

govai

CI gates

Commands used in release and compliance pipelines.

3
  • govai checkGET /compliance-summary — exit 0 only on VALID.
  • govai verify-evidence-packDigest + optional export cross-check against hosted ledger.
  • govai submit-evidence-packReplay CI evidence JSON to POST /evidence.

Evidence packs

2
  • govai evidence-pack initStarter run JSON + digest manifest.
  • govai preflightLocal validation before submit.

Read APIs via CLI

2
  • govai compliance-summaryPrint authoritative verdict JSON.
  • govai export-runExport run artefacts for audit review.

Evidence lifecycle

How an evidence event moves from emission to an auditable ledger record.

Record evidence

Emit a lifecycle event to the audit ledger (read-only preview — no live call).

Preview
GovAI try console
local
Try thisCopy and run in your environment

POST /evidence

Command
curl -sS -X POST "$GOVAI_AUDIT_BASE_URL/evidence" \
  -H "Authorization: Bearer $GOVAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"event_type":"evaluation_reported","run_id":"demo-run","payload":{"passed":true}}'
Expected output
View expected output
{ "status": "recorded", "event_id": "…" }

Prereqs#

  • Rust toolchain
  • Python ≥ 3.10
  • PostgreSQL reachable via DATABASE_URL

0) Install the CLI (local editable)#

cd python
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
cd ..
govai --version

1) Create an API key (shared secret)#

GovAI audit API keys are configured on the audit service via GOVAI_API_KEYS (comma-separated). When set, audit routes require Authorization: Bearer <secret>.

Note (local/dev vs hosted): This quickstart uses GOVAI_API_KEYS for simple local/dev setups. Hosted / staging / production deployments MUST define GOVAI_API_KEYS_JSON so each API key is mapped to a tenant id and ledger isolation is enforced correctly. Dev mode without API keys is not suitable for pilots: hosted pilots must run with real key → tenant mapping.

  • Ledger tenant isolation is derived from the API key → tenant mapping (not from request headers).
  • X-GovAI-Project is optional metadata (usage/billing label) and does not isolate ledger tenant.

Generate a local key:

export GOVAI_API_KEY="$(python3 - <<'PY'
import secrets
print(secrets.token_urlsafe(32))
PY
)"

2) Start the audit service with that key#

export DATABASE_URL='postgresql://USER:PASSWORD@127.0.0.1:5432/DBNAME'
export GOVAI_API_KEYS="$GOVAI_API_KEY"

make audit_bg
curl -sS http://127.0.0.1:8088/status

3) Send your first evidence event (HTTP)#

Pick a run_id (GOVAI_RUN_ID), then append one data_registered event.

Register evidence for a new run

  1. 1Set run_id
    export GOVAI_RUN_ID="$(python3 - <<'PY'
    import uuid
    print(uuid.uuid4())
    PY
    )"
  2. 2Set event_id
    export EVENT_ID="$(python3 - <<'PY'
    import uuid
    print(uuid.uuid4())
    PY
    )"
  3. 3POST evidence
    curl -sS http://127.0.0.1:8088/evidence \
      -H "content-type: application/json" \
      -H "authorization: Bearer $GOVAI_API_KEY" \
      -d "$(python3 - <<PY
    import json, os
    from datetime import datetime, timezone
    print(json.dumps({
      "event_id": os.environ["EVENT_ID"],
      "event_type": "data_registered",
      "ts_utc": datetime.now(timezone.utc).isoformat().replace("+00:00","Z"),
      "actor": "quickstart",
      "system": "quickstart",
      "run_id": os.environ["GOVAI_RUN_ID"],
      "payload": {
        "ai_system_id": "expense-ai",
        "dataset_id": "expense_dataset_v1",
        "dataset": "customer_expense_records",
        "dataset_version": "v1",
        "dataset_fingerprint": "sha256:demo",
        "dataset_governance_id": "gov_expense_v1",
        "dataset_governance_commitment": "basic_compliance",
        "source": "internal",
        "intended_use": "expense classification",
        "limitations": "demo dataset",
        "quality_summary": "validated sample",
        "governance_status": "registered",
      },
    }))
    PY
    )"
    Expected output
    '{"ok":true,"record_hash":"...","policy_version":"...","environment":"..."}'

4) Run a compliance check (HTTP + CLI)#

[!summary] After one evidence event, compliance-summary should return BLOCKED until the full promotion sequence is recorded.

Read the authoritative decision

  1. 1HTTP compliance-summary

    Query the immutable ledger verdict for your run_id using your API key.

    curl -sS "http://127.0.0.1:8088/compliance-summary?run_id=$GOVAI_RUN_ID" \
      -H "authorization: Bearer $GOVAI_API_KEY"
    Expected output
    '{"verdict":"BLOCKED",...}'
  2. 2CLI gate check

    The CLI prints the verdict and exits non-zero when the run is not VALID.

    govai check --audit-base-url "http://127.0.0.1:8088" --api-key "$GOVAI_API_KEY" --run-id "$GOVAI_RUN_ID"
    echo $?
    Expected output
    stdout BLOCKED; exit code 2

At this point (only 1 event), the expected verdict is BLOCKED.

  • The server only returns VALID when evaluation passed, risk reviewed (approve), human approved (approve), and promotion executed for the run.
  • With only data_registered, those prerequisites are missing, so the run is intentionally blocked.

Get a full end-to-end VALID run (CLI)#

The fastest path to a complete, policy-satisfying sequence is the built-in scripted demo flow.

export GOVAI_AUDIT_BASE_URL="http://127.0.0.1:8088"
export GOVAI_API_KEY="$GOVAI_API_KEY"

govai run demo

Expected stdout:

VALID

Note: govai run demo generates its own run_id internally. It is a separate path from the API-only steps above (which use your $GOVAI_RUN_ID).

Optional: minimal VALID evidence sequence (API-only)#

If you want to reach VALID using only the HTTP API, append the remaining required evidence for the same $GOVAI_RUN_ID (in this order):

  1. model_trained
  2. evaluation_reported (with "passed": true)
  3. risk_recorded
  4. risk_mitigated
  5. risk_reviewed (with "decision": "approve")
  6. human_approved (with "scope":"model_promoted" and "decision":"approve")
  7. model_promoted

Copy/paste (uses deterministic IDs derived from $GOVAI_RUN_ID):

export MODEL_VERSION_ID="mv_$GOVAI_RUN_ID"
export ASSESSMENT_ID="asmt_$GOVAI_RUN_ID"
export RISK_ID="risk_$GOVAI_RUN_ID"
export ARTIFACT_PATH="python/artifacts/model_${GOVAI_RUN_ID}.joblib"

post_ev () {
  local event_type="$1"
  python3 - "$event_type" <<'PY' | curl -sS http://127.0.0.1:8088/evidence \
    -H "content-type: application/json" \
    -H "authorization: Bearer $GOVAI_API_KEY" \
    -d @-
import json, os, sys

Now the expected verdict is VALID:

curl -sS "http://127.0.0.1:8088/compliance-summary?run_id=$GOVAI_RUN_ID" \
  -H "authorization: Bearer $GOVAI_API_KEY"

govai check --audit-base-url "http://127.0.0.1:8088" --api-key "$GOVAI_API_KEY" --run-id "$GOVAI_RUN_ID"
echo $?

Expected:

  • GET /compliance-summary: "verdict":"VALID"
  • govai check: stdout VALID, exit code 0

5) Interpret the result#

GET /compliance-summary returns:

  • verdict: one of VALID, INVALID, BLOCKED
  • current_state: the projected state derived from the evidence log
  • policy_version and deployment environment metadata

Minimal, machine-friendly check (exit code 0 only if VALID):

govai check --audit-base-url "http://127.0.0.1:8088" --api-key "$GOVAI_API_KEY" --run-id "$GOVAI_RUN_ID"

6) Export the run (machine-readable JSON)#

Use the dedicated export endpoint to fetch a stable JSON document that includes:

  • decision extracts (evaluation / approval / promotion)
  • hashes (canonical bundle SHA-256 + append-only chain hashes)

CLI:

govai export-run \
  --audit-base-url "http://127.0.0.1:8088" \
  --api-key "$GOVAI_API_KEY" \
  --run-id "$GOVAI_RUN_ID"

HTTP:

curl -sS "http://127.0.0.1:8088/api/export/$GOVAI_RUN_ID" \
  -H "authorization: Bearer $GOVAI_API_KEY"

Appendix: single-line compliance summary (CLI)#

govai compliance-summary \
  --audit-base-url "http://127.0.0.1:8088" \
  --api-key "$GOVAI_API_KEY" \
  --run-id "$GOVAI_RUN_ID" \
  --compact-json

← Back to home