sdcgovernance
W3C standards-based governance advisory engine for SDC data instances. Deterministic validation at machine speed.
What It Does
sdcgovernance validates governance content in XML data instances against governance components defined in SDC data models. If the model defines governance (workflow, attestation, party/role, provenance/audit), the instance must carry that governance content - and this library validates it.
Returns decisions using OASIS XACML semantics: PERMIT, DENY, or INDETERMINATE.
Governance travels with the data because the governance IS in the data. No middleware. No platform dependency. No probabilistic inference. Validation is deterministic and structural, and every decision produces a verifiable receipt.
Standards Implemented
| Standard | Usage |
|---|---|
| OASIS XACML | Decision semantics (PERMIT/DENY/INDETERMINATE) |
| W3C PROV-O / PROV-DM | Provenance/audit records, RDF/Turtle export |
| W3C SCXML (vocabulary) | Workflow state labels on native SDC ordinal structures |
| W3C VC Data Model 2.0 | Attestation authority (issuer/holder/verifier pattern) |
| W3C SHACL | Cross-entity constraint validation |
| W3C Activity Streams 2.0 | Activity type vocabulary for provenance |
| W3C Data Privacy Vocabulary | Provenance retention policy |
| OMG DMN | Conditional decision tables for complex governance rules |
Two Interfaces, One Engine
Python API
For direct integration in generated apps, custom code, or any Python application.
```python
from sdcgovernance import validate_governance

result = validate_governance("model.xsd", "instance.xml")
print(result.decision)  # one of PERMIT, DENY, INDETERMINATE
```
MCP Server
JSON-RPC 2.0 over stdio. Any agent framework can consume governance tools. No SDK dependency.
```shell
$ sdcgovernance serve --mcp
# 6 tools: get_governance_status,
# get_allowed_transitions, evaluate_transition,
# validate_governance, record_provenance,
# evaluate_decision
```
Key Properties
Independent from sdcvalidator
No hook, no chaining. Agents call each library separately at different workflow points.
Conversational, not single-pass
Agents query multiple times: check transitions, evaluate, record provenance.
Deterministic
Same inputs always produce the same decision. Required for Web3 settlement verification.
Tamper-evident receipts
Every decision produces a SHA-256 hash-chained receipt in W3C PROV format.
No external MCP SDK
Raw JSON-RPC 2.0 implementation. No third-party serialization surprises.
225 tests, 0.22 seconds
Comprehensive test suite covering all governance dimensions and MCP tools.
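The "Deterministic" and "Tamper-evident receipts" properties above describe SHA-256 hash-chained receipts, but the README does not show what a consumer does with them. The example below, added here and not part of sdcgovernance, shows how a verifier walks such a chain and where it fails when a past decision is edited; the receipt field layout (`prev_hash`, `decision`, `prov:activity`, `prov:entity`, `hash`) and the all-zero genesis link are assumptions for illustration, not the library's real receipt format.

```python
import hashlib
import json

# Constructed stand-in for the genesis link of a chain (no prior receipt); assumed, not the library's.
GENESIS = "0" * 64

def canonical(receipt: dict) -> bytes:
    """Serialize every field except 'hash' deterministically (sorted keys, no whitespace)."""
    body = {k: v for k, v in receipt.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_receipt(prev_hash: str, decision: str, activity: str, entity: str) -> dict:
    """Build one receipt whose hash covers its own body plus the previous receipt's hash (assumed layout)."""
    receipt = {
        "prev_hash": prev_hash,
        "decision": decision,        # PERMIT / DENY / INDETERMINATE
        "prov:activity": activity,   # PROV activity label
        "prov:entity": entity,       # the governed data instance
    }
    receipt["hash"] = hashlib.sha256(canonical(receipt)).hexdigest()
    return receipt

def verify_chain(receipts: list) -> tuple:
    """Walk the chain; return (True, None) or (False, index of the first bad receipt)."""
    expected_prev = GENESIS
    for i, r in enumerate(receipts):
        if r.get("prev_hash") != expected_prev:
            return False, i  # link to the predecessor is broken
        if hashlib.sha256(canonical(r)).hexdigest() != r.get("hash"):
            return False, i  # body edited without recomputing its hash
        expected_prev = r["hash"]
    return True, None

def build_demo_chain() -> list:
    """Three constructed decisions against one instance, chained in order."""
    chain, prev = [], GENESIS
    for decision, activity in [("PERMIT", "submit"), ("DENY", "approve"), ("PERMIT", "attest")]:
        r = make_receipt(prev, decision, activity, "instance.xml")
        chain.append(r)
        prev = r["hash"]
    return chain

def tampered_chain(rehash: bool) -> list:
    """Flip the second decision after the fact; optionally recompute its hash to hide the edit."""
    chain = build_demo_chain()
    chain[1]["decision"] = "PERMIT"
    if rehash:
        chain[1]["hash"] = hashlib.sha256(canonical(chain[1])).hexdigest()
    return chain
```

Rehashing the edited receipt only moves the break one link later, since the following receipt still carries the old hash as its `prev_hash`.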