Observe your agents in minutes. Enforce when you're ready.
Install the CLI, point it at your workspace, and start capturing governance decisions — no changes to your existing agent framework required.
Initial setup
3 stepsInstall the CLI
npm install -g @spctre/cliConnect to your Spctre workspace
A browser tab opens for one-time approval. Access tokens rotate automatically — no manual intervention needed for long-running agents.
spctre init \
--url https://app.spctre.dev \
--agent my-agent
# Verify the connection and token
spctre status --checkStart the policy watcher
The watcher keeps your local policy bundle in sync with your workspace and sends regular heartbeats. Without it, agents run against a stale bundle. Then choose your integration below.
spctre watch --heartbeatAgent CLI integrations
Claude · Codex · AntigravityInstall governance hooks and policy skills for your AI agent CLI. Hooks capture audit logs and check policy on every tool call. Skills give agents policy-aware operating instructions.
# Governance hook — captures audit logs, warns on DENY (observe mode)
spctre install-hook --claude --mode observe
# Policy skill — gives Claude policy-aware operating instructions
spctre install-skill --claude
# Upgrade to enforce mode to block on DENY (requires human approval)
spctre install-hook --claude --enforce
# Apply globally across all projects
spctre install-hook --claude --mode observe --global
spctre install-skill --claude --global
Writes the PreToolUse hook to .claude/settings.json
and the skill to .claude/skills/spctre/.
# Governance hook — captures audit logs, warns on DENY (observe mode)
spctre install-hook --codex --mode observe
# Policy skill — gives Codex policy-aware operating instructions
spctre install-skill --codex
# Upgrade to enforce mode
spctre install-hook --codex --enforce
# Apply globally
spctre install-hook --codex --mode observe --global
spctre install-skill --codex --global
Writes the PreToolUse hook to .codex/hooks.json
and the skill to .codex/skills/spctre/.
# Governance hook — captures audit logs, warns on DENY (observe mode)
spctre install-hook --antigravity --mode observe
# Policy skill — gives the agent policy-aware operating instructions
spctre install-skill --antigravity
# Zero-code framework watch — wraps Antigravity CLI events directly
spctre watch --framework antigravity-cli
# Upgrade to enforce mode
spctre install-hook --antigravity --enforce
# Apply globally
spctre install-hook --antigravity --mode observe --global
spctre install-skill --antigravity --global
Writes the BeforeTool hook to .agy/settings.json
and the skill to .agy/skills/spctre/.
Agent framework integrations
Stack-neutral
Send governance decisions from any agent framework using the SDK or REST API. Set
runtimeTarget.stack
to identify the source runtime — it's recorded with every decision and policy provenance chain.
import { createSpctreClient } from "@spctre/sdk";
const client = createSpctreClient({
baseUrl: "https://app.spctre.dev/api/v1",
token: process.env.SPCTRE_TOKEN!,
});
await client.POST("/evidence", {
body: {
decisionId: "decision-001",
environment: "production",
runtimeTarget: { stack: "OPENAI_AGENTS" },
agentId: "support-agent",
connector: "stripe",
action: "refund.create",
status: "DENY",
reason: "Requires manager approval.",
},
});await client.POST("/evidence", {
body: {
decisionId: "bedrock-decision-001",
environment: "production",
runtimeTarget: { stack: "AWS_BEDROCK", adapter: "agt-bedrock" },
agentId: "bedrock-agent",
connector: "dynamodb",
action: "item.write",
status: "ALLOW",
},
});# Zero-code framework watch — wraps Google ADK events automatically
spctre watch --framework google-adk
# Or ingest decisions directly:
await client.POST("/evidence", {
body: {
decisionId: "adk-decision-001",
environment: "production",
runtimeTarget: { stack: "GOOGLE_ADK" },
agentId: "adk-agent",
action: "tool.call",
status: "ALLOW",
},
});await client.POST("/evidence", {
body: {
decisionId: "lc-decision-001",
environment: "production",
runtimeTarget: { stack: "LANGCHAIN" },
agentId: "langchain-agent",
connector: "postgres",
action: "query.write",
status: "ALLOW",
},
});await client.POST("/evidence", {
body: {
decisionId: "azure-decision-001",
environment: "production",
runtimeTarget: { stack: "AZURE_AI" },
agentId: "azure-agent",
connector: "blob-storage",
action: "blob.write",
status: "DENY",
reason: "Write access not permitted in production.",
},
});await client.POST("/evidence", {
body: {
decisionId: "crew-decision-001",
environment: "production",
runtimeTarget: { stack: "CREWAI" },
agentId: "crew-agent",
connector: "email",
action: "email.send",
status: "DENY",
reason: "External email requires approval.",
},
});await client.POST("/evidence", {
body: {
decisionId: "autogen-decision-001",
environment: "production",
runtimeTarget: { stack: "AUTOGEN" },
agentId: "autogen-agent",
connector: "code-executor",
action: "code.execute",
status: "DENY",
reason: "Code execution blocked by workspace policy.",
},
});
Install: npm install @spctre/sdk. Every decision is recorded with its policy provenance — branch, revision, artifact hash, and runtime target.
Gateway & SDK
TypeScript · Python · REST · MCP
Ingest audit logs, fetch policy bundles, and request real-time gateway decisions via SDK, REST, or MCP server. Every response includes a
traceId
for end-to-end provenance.
import { createSpctreClient } from "@spctre/sdk";
const client = createSpctreClient({
baseUrl: "https://app.spctre.dev/api/v1",
token: process.env.SPCTRE_TOKEN!,
});
// Ingest a governance decision
const { data } = await client.POST("/evidence", {
body: {
decisionId: "decision-001",
environment: "production",
runtimeTarget: { stack: "OPENAI_AGENTS" },
agentId: "support-agent",
connector: "stripe",
action: "refund.create",
status: "DENY",
reason: "Requires manager approval.",
},
});
// Fetch the active policy bundle
const { data: bundle } = await client.GET("/bundle/latest", {});
// Request a gateway decision
const { data: decision } = await client.POST("/gateway/decide", {
body: {
decisionId: "decision-001",
artifactHash: bundle.artifactHash,
policyContext: bundle.policyContext,
},
});
Fully typed against the OpenAPI 3.1 spec. Install:
npm install @spctre/sdk
from spctre_sdk import SpctreClient
import os
client = SpctreClient(
base_url="https://app.spctre.dev/api/v1",
token=os.environ["SPCTRE_TOKEN"],
)
# Ingest a governance decision
client.evidence.create(
decision_id="decision-001",
environment="production",
runtime_target={"stack": "LANGCHAIN"},
agent_id="langchain-agent",
connector="postgres",
action="query.write",
status="ALLOW",
)
# Fetch the active policy bundle
bundle = client.bundle.get_latest()
# Export a compliance packet
report = client.compliance.export(format="csv")
Generated from the OpenAPI 3.1 spec. Run pnpm generate:python-sdk
to regenerate from target/sdk-python/. Compatible with AWS Lambda, GCP Cloud Functions, and Azure Functions.
# Ingest a governance decision
curl -X POST https://app.spctre.dev/api/v1/evidence \
-H "Authorization: Bearer $SPCTRE_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"decisionId": "decision-001",
"environment": "production",
"runtimeTarget": {"stack": "LOCAL"},
"agentId": "my-agent",
"connector": "stripe",
"action": "refund.create",
"status": "DENY",
"reason": "Requires manager approval."
}'
# Fetch the active policy bundle
curl https://app.spctre.dev/api/v1/bundle/latest \
-H "Authorization: Bearer $SPCTRE_TOKEN"
# Export a compliance packet
curl https://app.spctre.dev/api/v1/compliance/export \
-H "Authorization: Bearer $SPCTRE_TOKEN"
OpenAPI 3.1 spec at /api/v1/openapi.json. Required scopes: evidence:write, bundle:read, compliance:read.
{
"mcpServers": {
"spctre": {
"command": "npx",
"args": ["@spctre/mcp-server"],
"env": {
"SPCTRE_API_URL": "https://app.spctre.dev",
"SPCTRE_WORKSPACE_ID": "your-workspace-id",
"SPCTRE_API_TOKEN": "your-access-token",
"SPCTRE_API_REFRESH_TOKEN": "your-refresh-token"
}
}
}
}
Available tools: ingest_evidence, get_bundle, get_compliance_status, ingest_gateway_event. Supports STDIO and HTTP/SSE transport. Token rotation is handled automatically.