How It Works

Gvner is the decision layer between agent intent and production execution. Agents propose actions, Gvner evaluates policy and authority, then returns ALLOW or DENY with immutable evidence.

Quickstart Integration Hub Unified Adapter Policy Rules Evidence Model

Continue to Docs Back to Home

Canonical flow

1. Agent generates intent

The agent emits a structured intent with actor, action, target, and context. See Agent Inventory and Tool Policy.

2. Intent sent to Gvner

The runtime calls Gvner before side effects happen: use /adapters/http/intent for generic integrations, or /openclaw/intent and /temporal/intent on compatibility paths. Execution is blocked until a signed decision is returned.

3. Gvner evaluates

Gvner checks policy, identity authority, risk, budget, and compliance constraints. Related docs: Policies, Role Mapping, Identity Changes, Control Mapping.

4. Gvner returns ALLOW or DENY

The decision is deterministic, time-bound, and tied to policy basis. Every result is written to evidence and can be exported.

5. Execution only proceeds if allowed

ALLOW permits execution for the defined scope and time window. DENY blocks execution and records reason codes for review.

Example flow

Below is a representative example showing the intent → decision → audit cycle.

Intent Submission

{
  "agent_id": "agent_7f3a21",
  "action": "database.update",
  "target": "customers.email",
  "parameters": {
    "customer_id": "cust_8492",
    "new_email": "updated@example.com"
  },
  "context": {
    "user_request": "Update customer email",
    "timestamp": "2026-02-27T14:32:11Z"
  }
}

Gvner Decision

{
  "decision": "ALLOW",
  "basis": {
    "policy": "COMPLIANT - customer_data_update_v2",
    "permits": "AUTHORIZED - agent_7f3a21 has UPDATE_CUSTOMER",
    "budget": "AVAILABLE - 847 operations remaining",
    "regulation": "COMPLIANT - GDPR Article 16"
  },
  "audit_id": "aud_9f2e4c1a8b7d6f3e",
  "timestamp": "2026-02-27T14:32:11.247Z",
  "expires_at": "2026-02-27T14:32:16.247Z"
}

Audit Record

{
  "audit_id": "aud_9f2e4c1a8b7d6f3e",
  "work_id": "work_4e7f2a9c",
  "agent_id": "agent_7f3a21",
  "action": "database.update",
  "decision": "ALLOW",
  "executed": true,
  "execution_timestamp": "2026-02-27T14:32:11.891Z",
  "evidence_hash": "sha256:7f3e9a2c1d8b4f6e...",
  "immutable": true
}

Key guarantees

Every decision is logged with complete context

Decisions are deterministic and reproducible

No execution can bypass Gvner evaluation

Audit trails are immutable and cryptographically verifiable

Fail-Closed Design Audit Trail Receipts Regulator Packet

Call to Action

Use Gvner to move from agent experimentation to controlled production execution.

Continue to Docs Integration Hub Start Generic Adapter

How It Works

Canonical flow

1. Agent generates intent

2. Intent sent to Gvner

3. Gvner evaluates

4. Gvner returns ALLOW or DENY

5. Execution only proceeds if allowed

Integration surfaces

Unified adapter (recommended)

OpenClaw compatibility

Temporal compatibility

Full integration hub

What gets evaluated

Policy constraints

Identity authority

Operational limits

Security/compliance controls

Governance OS layers

Execution authority

Identity governance

Evidence exports

Operational oversight

Example flow

Operate this in production

Observe

Harden

Recover

Scale

Key guarantees

Call to Action