{"id":50987102,"url":"https://github.com/neul-labs/regulus","last_synced_at":"2026-06-23T23:00:52.876Z","repository":{"id":359686545,"uuid":"1091357873","full_name":"neul-labs/regulus","owner":"neul-labs","description":"The EU \u0026 UK compliance plane for Google ADK.","archived":false,"fork":false,"pushed_at":"2026-06-05T12:31:00.000Z","size":959,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-05T13:15:53.585Z","etag":null,"topics":["adk","agent","agent-framework","ai-compliance","ai-governance","audit-logging","compliance","dora","eu-ai-act","fca","fintech","gdpr","google-adk","google-cloud","java","maven","model-context-protocol","pra","regtech","vertex-ai"],"latest_commit_sha":null,"homepage":"https://regulus.neullabs.com","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neul-labs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":"docs/governance/consumer-duty.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-06T22:59:06.000Z","updated_at":"2026-06-05T12:31:04.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/neul-labs/regulus","commit_stats":null,"previous_names":["neul-labs/regulus"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/neul-labs/regulus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neul-labs%2Fregulus","tags_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neul-labs%2Fregulus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neul-labs%2Fregulus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neul-labs%2Fregulus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neul-labs","download_url":"https://codeload.github.com/neul-labs/regulus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neul-labs%2Fregulus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34709804,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-23T02:00:07.161Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adk","agent","agent-framework","ai-compliance","ai-governance","audit-logging","compliance","dora","eu-ai-act","fca","fintech","gdpr","google-adk","google-cloud","java","maven","model-context-protocol","pra","regtech","vertex-ai"],"created_at":"2026-06-19T21:00:26.702Z","updated_at":"2026-06-23T23:00:52.870Z","avatar_url":"https://github.com/neul-labs.png","language":"Java","funding_links":[],"categories":["Code \u0026 Examples","Tools \u0026 Platforms","Projects"],"sub_categories":["Extensions and Forks","Open Source Platforms","Artificial Intelligence"],"readme":"# Regulus\n\n[![Java 
21](https://img.shields.io/badge/Java-21-orange)](https://openjdk.org/projects/jdk/21/)\n[![ADK 1.2.0](https://img.shields.io/badge/Google%20ADK-1.2.0-blue)](https://github.com/google/adk-java)\n[![Maven Central](https://img.shields.io/maven-central/v/com.neullabs/regulus-ai-adk-plugins.svg)](https://central.sonatype.com/namespace/com.neullabs)\n[![Gradle Plugin Portal](https://img.shields.io/gradle-plugin-portal/v/com.neullabs.compliance)](https://plugins.gradle.org/plugin/com.neullabs.compliance)\n[![Docs](https://img.shields.io/badge/docs-docs.neullabs.com-blueviolet)](https://docs.neullabs.com)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n\n# Where Google ADK ends, regulated builds begin.\n\nGoogle ADK ships AI agents. **Regulus ships AI agents your regulator\naccepts.**\n\n---\n\n## 60s · 5min · 15min\n\n```\n┌─────────────────────────────────────────────────────────────────────┐\n│                                                                     │\n│   60s   regulus init my-agent --profiles=eu-ai-act,uk-gdpr,fca-sysc │\n│                                --frameworks=nist-ai-rmf,iso-42001   │\n│                                                                     │\n│   5min  cd my-agent \u0026\u0026 gradle wrapper \u0026\u0026 ./gradlew bootRun          │\n│                                                                     │\n│   15min hit /chat → see policy + privacy + audit + GRC envelope     │\n│                                                                     │\n└─────────────────────────────────────────────────────────────────────┘\n```\n\nThat's the funnel. 
Three checkpoints, no slides.\n\n## 60s — scaffold\n\n```bash\n# Install the CLI:\ncurl -fsSL https://raw.githubusercontent.com/neul-labs/regulus/main/install.sh | sh\n\n# Scaffold a compliant ADK agent:\nregulus init my-agent \\\n    --profiles=eu-ai-act,uk-gdpr,fca-sysc \\\n    --frameworks=nist-ai-rmf,iso-42001 \\\n    --grc-adapter=stdout\n```\n\nOutput:\n\n```\n✓ created my-agent/ with 12 files\n  build.gradle.kts · settings.gradle.kts · gradle.properties · .gitignore\n  README.md · gradlew · gradlew.bat\n  src/main/java/com/example/agent/{AgentApplication.java, ChatController.java}\n  src/main/resources/{application.yaml, logback.xml}\n\nNext: cd my-agent \u0026\u0026 gradle wrapper \u0026\u0026 ./gradlew bootRun\n```\n\nDon't want to install a CLI? Same thing through Gradle:\n\n```bash\n./gradlew initRegulusAgent -PagentName=my-agent \\\n    -Pprofiles=eu-ai-act,uk-gdpr,fca-sysc \\\n    -Pframeworks=nist-ai-rmf,iso-42001\n```\n\n## The gap, in one paragraph\n\nADK ships a capable AI agent runtime. **It doesn't ship the audit trail\nyour auditor demands, the retention schedule your DPO signs off on, the\nkill switch your runbook exercises, the model-risk tier your second line\nassesses, or the framework-mapped evidence your GRC tool catalogues.**\nWriting those properly is a quarter of engineering time. Writing them\nbadly is worse than not doing it at all — a bad audit trail is a\ndiscoverable artefact in an enforcement action. 
Regulus is the bridge.\n\n[**→ Why Regulus** — the full version of this story](https://docs.neullabs.com/why-regulus/)\n\n## Before / after\n\nPlain ADK — works, but produces no audit trail:\n\n```java\n@SpringBootApplication\npublic class App {\n    public static void main(String[] args) { SpringApplication.run(App.class, args); }\n    LlmAgent rootAgent() {\n        return LlmAgent.builder().name(\"greeter\").model(\"gemini-2.5-flash\").build();\n    }\n}\n```\n\nADK + Regulus — same agent, with policy + privacy + audit + kill switch +\nmodel risk + residency + framework-mapped GRC evidence:\n\n```java\n@SpringBootApplication\npublic class App {\n    public static void main(String[] args) { SpringApplication.run(App.class, args); }\n    // Regulus plugins auto-register via application.yaml. No additional code.\n}\n```\n\n```yaml\nregulus:\n  compliance:\n    profiles: [eu-ai-act, uk-gdpr, fca-sysc]\n  governance:\n    frameworks: [nist-ai-rmf, iso-42001]\n  grc:\n    stdout: true\n  adk:\n    residency: { allowed-regions: [europe-west2] }\n    kill-switch: { enabled: true, dual-control: true }\n    model-risk:  { tenant-tier: STANDARD }\n```\n\n[**→ Show me — the diff** with audit-event sample](https://docs.neullabs.com/show-me/)\n\n## What the auditor sees\n\n```json\n{\n  \"event_id\": \"01J6X4ABCDEFG\",\n  \"occurred_at\": \"2026-05-14T11:23:09.123Z\",\n  \"actor\": \"user:42\",\n  \"tenant_id\": \"acme-bank\",\n  \"jurisdiction\": \"EU_UK\",\n  \"identity_adapter\": \"oidc\",\n  \"smf_holder\": \"SMF24:Jane Smith\",\n  \"action\": \"model-call\",\n  \"result\": \"allow\",\n  \"model_id\": \"gemini-2.5-flash\",\n  \"regulation_clause\": \"UK GDPR Art. 
25\",\n  \"framework_control_id\": \"A.7.3\",\n  \"ai_act_risk_tier\": \"limited\",\n  \"consumer_duty_outcome\": \"support\",\n  \"redactions\": [\"NINO_1\"],\n  \"chain_index\": 1284,\n  \"prev_event_hash\": \"9f3e…\",\n  \"event_hash\": \"1c87…\"\n}\n```\n\nThat JSON has the regulation citation, the ISO 42001 control id, the\nSMF attribution, the redactions, the outcome — **plus the tenant, the\njurisdiction, the IdP adapter that authenticated the caller, and the\nhash chain that makes the trail tamper-evident** — all in one event.\nYour 2L attests from it. Your 3L reproduces it. Your DPO answers their\nSAR from it. Your security architect verifies the chain offline with\n`regulus audit verify`. None of which worked an hour ago.\n\n## What you get\n\n- **Canonical identity plane** — one `Principal` + `Claims` shape; OIDC adapter included, SAML / mTLS / service-account JWT via the `IdentityAdapter` SPI.\n- **6 ADK `BasePlugin`s** — policy, privacy, audit, kill switch, model risk, residency. 
(Plus a leading `RegulusIdentityExpiryGuard` for token-expiry enforcement.)\n- **6 ADK service extensions** — Vertex + Firestore sessions/memory, GCS artifact, retention compactor, computer-use, plus A2A envelope with RFC 9421 HTTP Message Signatures for cross-org calls.\n- **Opt-in audit integrity** — SHA-256 hash chain over every event, optional per-event signature, offline verifier (`regulus audit verify \u003cchain.jsonl\u003e`).\n- **10 regulation profiles** — EU AI Act, GDPR, UK GDPR, DORA, NIS2, FCA SYSC, PRA SS1/23 + SS2/21, NHS DSPT, EHDS.\n- **6 governance frameworks** — NIST AI RMF + 600-1 GenAI Profile + planned Q4 2026 Agent Interop Profile, ISO/IEC 42001 (with SoA generator), ISO/IEC 23894, ISO/IEC 23053.\n- **4 GRC adapters** — ServiceNow IRM, OneTrust AI Governance, MetricStream, generic HMAC-signed webhook.\n- **CLI + Gradle plugin** — scaffold, doctor, compliance scan, coverage matrix, audit verify.\n\nFull mapping (regulation × framework × control × ADK hook) at the\n[coverage matrix](https://docs.neullabs.com/compliance/coverage-matrix/).\n\n## Built for regulated enterprises\n\nEvery choice in the platform anticipates the questions a CISO, a head of\ninternal audit, or an external assessor will ask on day one.\n\n- **Enterprise SSO from day one.** Your IdP — Okta, Auth0, Keycloak,\n  ADFS, an in-house mTLS scheme — plugs in as an `IdentityAdapter` that\n  mints a canonical `Identity`. OIDC ships out of the box; SAML and\n  mTLS adapters are tens of lines. Regulus refuses to be your IdP — it\n  consumes the result.\n- **Multi-tenant + multi-jurisdiction by design.** `tenantId` and\n  `jurisdiction` are first-class claims on every audit event and every\n  policy decision. The same deployment handles EU-only traffic,\n  UK-only traffic, and EU+UK composite tenants without code changes.\n- **Tamper-evident audit trail.** Opt-in `regulus.ai.observability.audit.integrity.enabled=true`\n  switches on a SHA-256 hash chain. 
Auditors verify the chain offline\n  against a copy of the log; mutation, reorder, or gaps fail\n  verification.\n- **Signed cross-org A2A calls.** When agents from different\n  organisations collaborate, outbound JSON-RPC envelopes are signed\n  with RFC 9421 HTTP Message Signatures over method, target URI, body\n  digest, tenant id, and correlation id. Replay protection via nonce\n  + timestamp window. The inbound side reconstructs the caller's\n  Identity from the verified envelope before any policy guard runs.\n- **Identity-backed dual control.** Kill-switch activation and\n  approval gate on `Identity` roles (`regulus.killswitch.requester /\n  .approver / .emergency`), with approver-distinctness enforced on\n  `Principal.id` so two distinct subjects are required — not two\n  distinct typed names.\n- **Clear security model + threat model.** What Regulus defends\n  against, what it doesn't, where the trust boundaries are, what\n  happens when each one breaks — all documented at\n  [Security architecture](https://docs.neullabs.com/advanced/security-architecture/).\n\nThe architecture is one canonical primitive with replaceable adapters,\nnot a grab-bag of per-protocol code paths. 
That is what keeps the\ncompliance story coherent as the protocol mix shifts under you.\n\n## Choose your path\n\n| You are… | Start here |\n|---|---|\n| **An engineer** new to Regulus | [Why Regulus](https://docs.neullabs.com/why-regulus/) → [Show me](https://docs.neullabs.com/show-me/) → [Install the CLI](https://docs.neullabs.com/getting-started/install-cli/) |\n| **A security architect / enterprise IT** | [Security model](https://docs.neullabs.com/concepts/security-model/) → [Security architecture](https://docs.neullabs.com/advanced/security-architecture/) → [Production hardening](https://docs.neullabs.com/advanced/production-hardening/) |\n| **A governance leader** (CISO / CAIO / CRO / 2L / 3L) | [Governance overview](https://docs.neullabs.com/governance/) → [Three Lines of Defence](https://docs.neullabs.com/governance/three-lines/) → [GRC integration](https://docs.neullabs.com/governance/grc/) |\n| **Preparing for ISO 42001 certification** | [ISO/IEC 42001](https://docs.neullabs.com/governance/frameworks/iso-42001/) → [Audit walkthrough](https://docs.neullabs.com/compliance/audit-walkthrough/) → [Program operating model](https://docs.neullabs.com/governance/program-operating-model/) |\n| **New to regulatory vocabulary** | [Concepts → What is regtech?](https://docs.neullabs.com/concepts/regtech-intro/) → [Concepts → What is AI governance?](https://docs.neullabs.com/concepts/ai-governance-intro/) → [Glossary](https://docs.neullabs.com/concepts/glossary/) |\n\n## How it plugs into ADK\n\nEvery Regulus control is a `com.google.adk.plugins.BasePlugin`. 
Built on\nADK's official extension contract — not Spring AOP, not bytecode\nrewriting:\n\n| ADK seam | Regulus implementation |\n|---|---|\n| Inbound HTTP / Spring SecurityContext | `OidcSecurityContextFilter` → `IdentityAdapter` → `IdentityHolder` (canonical Identity bound before any callback fires) |\n| `BeforeAgentCallback` | `RegulusKillSwitchPlugin`, `RegulusDataResidencyPlugin` |\n| `BeforeModelCallback` | `RegulusIdentityExpiryGuard` (first), `RegulusPolicyPlugin`, `RegulusPrivacyPlugin` (mutating), `RegulusModelRiskPlugin` |\n| `AfterModelCallback` | `RegulusPrivacyPlugin` (re-redact), `RegulusAuditPlugin` (chain-sealed when integrity enabled) |\n| `BeforeToolCallback` | `RegulusPolicyPlugin`, `RegulusModelRiskPlugin` (for code executors) |\n| `ToolConfirmation` | Kill-switch dual control (Identity-gated), vulnerable-customer HITL, Art. 22 safeguards |\n| `EventCompactor` | `RegulusRetentionEventCompactor` (regulation-aware retention) |\n| `SessionService` / `MemoryService` / `ArtifactService` | `Regulus*` variants with residency at construction |\n| A2A `RemoteA2AAgent` / `AgentExecutor` | `regulus-ai-adk-a2a` envelope with `A2ARequestSigner` (RFC 9421) for cross-org calls |\n| `BaseComputer` | `RegulusComplianceBaseComputer` (Google flagged as needs-impl) |\n\n`ToolConfirmation` is Google's HITL primitive. Regulus' dual control uses\nexactly that mechanism — same shape, no special-case API for users to\nlearn.\n\n## Distribution\n\n- **Maven Central** — `com.neullabs:*`.\n- **Gradle Plugin Portal** — `com.neullabs.compliance`.\n- **GitHub Releases** — `regulus-cli.jar`.\n- **GitHub Container Registry** — `ghcr.io/neul-labs/regulus-adk-demo`.\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md). New controls ship as `BasePlugin`\nimplementations; compliance docs follow the\n[regtech-explainer template](docs/decisions/ADR-009-regtech-as-product-docs.md).\n\n## License\n\n[MIT](LICENSE)\n\n---\n\nBuilt to ADK's official extension contract. 
Not endorsed by Google — we\npicked the seams they ship.\n\nShipped 20 March 2026, ten days ahead of ADK Java 1.0 GA. Tracking ADK\nreleases since.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneul-labs%2Fregulus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneul-labs%2Fregulus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneul-labs%2Fregulus/lists"}