René's URL Explorer Experiment


Title: Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module) · Issue #215 · SAP/cloud-sdk-python · GitHub

Open Graph Title: Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module) · Issue #215 · SAP/cloud-sdk-python

X Title: Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module) · Issue #215 · SAP/cloud-sdk-python

Description: Describe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built on the SDK today reaches an LLM and cal...

Open Graph Description: Describe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built...

X Description: Describe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built...

Opengraph URL: https://github.com/SAP/cloud-sdk-python/issues/215

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module)","articleBody":"### Describe the Problem\n\nThe SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry,  but  lacks compliance gate. Every agent built on the SDK today reaches an LLM and calls tools with no deterministic control point between \"model decided to act\" and \"action executes.\"\n  \nConcretely, an SDK-built agent today can:\n  - Invoke a tool the deployer never intended to expose.\n  - Ship to production with no per-decision audit record traceable to an operator-authored rule.\n  - Ship with no technical documentation artifact that maps to EU AI Act Article 11 (Annex IV) obligations.\n\nThe above cited is a missing layer. Under the EU AI Act, any agent classified Annex III (essential services, employment, credit, law enforcement, education) is high-risk. High-risk\nSystems need: Article 9 risk management, Article 10 data governance, Article 12 automatic logging of decisions, Article 14 human oversight,\nArticle 15 accuracy + robustness + cybersecurity, and Article 11 technical documentation before market entry. \n\nThe SDK has no primitive to help teams meet any of those obligations, so every agent development team have to re-implements the same middleware from scratch.\n\nRegulators require the policy that gated a decision to be inspectable, versionable, and reproducible against the same input. Only rule-based, deterministic evaluation clears that bar.\n  \nWithout this primitive in the SDK, every team building an agent on top faces a choice: ship ungated, or invent their own compliance stack. \n\n### Propose a Solution\n\n## Summary\n\nIntroduce a **Compliance** module in the SAP Cloud SDK, shipped as an **optional extra** so the base installation remains lightweight.\n\nThe module would provide a single, deterministic middleware for evaluating agent actions against deployer-defined compliance policies.\n\n## Proposed API\n\n```python\nfrom sap_cloud_sdk.compliance import SAPComplianceMiddleware\n\nmiddleware = SAPComplianceMiddleware.from_paths(\n    agent_name=\"my-agent\",\n    policy_file=\"policies/my-agent.yaml\",\n    profile_file=\"policies/profile-my-agent.yaml\",\n    fail_closed=True,\n)\n\ndecision = middleware.evaluate(\n    prompt,\n    action=\"tool:x\",\n    tool_args={...},\n)\n\nif not decision.allowed:\n    raise PermissionError(decision.reason)\n```\n\n## Key Capabilities\n\n- Deterministic policy evaluation using deployer-authored YAML rules.\n- Author-time policy definition, runtime deterministic enforcement.\n- Per-decision audit records integrated into the SDK's existing telemetry and audit pipeline.\n- Deployer-authored Agent Profile (YAML) that can be used to generate Annex IV Technical Documentation.\n- CI-friendly, byte-deterministic artifacts to support drift detection and governance.\n\n## Why Determinism Matters\n\nFor compliance-sensitive AI systems, the same:\n\n- Prompt\n- Action\n- Tool arguments\n\n**must always produce the same decision**, regardless of runtime instance or deployment replica.\n\nWhen auditors ask:\n\n\u003e \"Why did the agent perform action X on Tuesday?\"\n\nthe answer should always be:\n\n- Policy Version\n- Rule ID\n- Audit Record\n\n—not:\n\n\u003e \"The model decided differently.\"\n\nDeterministic enforcement makes regulatory investigations reproducible, explainable, and auditable.\n\n---\n\n### Describe Alternatives\n\n# Alternatives Considered\n\n## 1. Keep compliance middleware outside the SDK\n\n**Current approach**\n\nEvery Line of Business implements its own compliance middleware.\n\n### Drawbacks\n\n- Multiple incompatible implementations\n- No shared audit integration\n- No shared telemetry integration\n- No standard Annex IV artifact generation\n- Increased maintenance across teams\n\n---\n\n## 2. Ship as a separate SAP package\n\nExample:\n\n```\nsap-agent-compliance\n```\n\n### Rejected\n\nAgents already depend on the SDK for:\n\n- AI Core\n- Telemetry\n- Authentication\n- Common infrastructure\n\nIntroducing a second SAP package for the mandatory compliance layer creates unnecessary dependency and adoption friction.\n\nOptional SDK extras are a more natural fit.\n\n---\n\n## 3. Use non-deterministic policy gates\n\nExamples:\n\n- LLM-as-a-Judge\n- Learned classifiers\n- AI moderation models\n\n### Rejected\n\nCompliance decisions must be reproducible.\n\nA policy engine whose output changes for identical inputs cannot reliably support auditability or regulatory investigations.\n\nFor regulated AI systems, deterministic policy evaluation provides a stronger foundation for reconstructable decision-making and consistent governance.\n\n### Affected Development Phase\n\nDevelopment\n\n### Impact\n\nInconvenience\n\n### Timeline\n\nI already have a working implementation for a mock-agent that demonstrates this approach.\n\nThe implementation includes:\n\n- SDK Module Registry integration\n- `@record_metrics` integration\n- Audit log integration following the existing `auditlog_ng` shape\n- `py.typed` support\n- Per-module documentation (`user-guide.md`)\n- 40 automated tests\n- 93% test coverage\n- Ruff clean\n- Ty clean\n- pytest-bdd integration scenarios\n- DCO signed\n---","author":{"url":"https://github.com/Thilaknath","@type":"Person","name":"Thilaknath"},"datePublished":"2026-07-08T13:15:52.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/215/cloud-sdk-python/issues/215"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:9f50d608-706c-5867-c1f4-151110fdfce1
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-id9A2E:20853D:49DF91D:660DAC2:6A4F5E18
html-safe-noncec96904ac55338470974a591c90e978d8bc7baf1070ccb0e17c45ac7581793e25
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5QTJFOjIwODUzRDo0OURGOTFEOjY2MERBQzI6NkE0RjVFMTgiLCJ2aXNpdG9yX2lkIjoiODA0Mzg0ODc2NTAyNTUwODg4OCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9
visitor-hmac245c0a6a04ae95284b3aa1ae714eb6589d4cf98f817ef5cfcdd0fd25a5e4b1b3
hovercard-subject-tagissue:4837800450
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/SAP/cloud-sdk-python/215/issue_layout
twitter:imagehttps://opengraph.githubassets.com/8bacc60ad4e772b98bd72e22a5b64db0d611b9f87aeec4492b9ab3f9e1f0dfe3/SAP/cloud-sdk-python/issues/215
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/8bacc60ad4e772b98bd72e22a5b64db0d611b9f87aeec4492b9ab3f9e1f0dfe3/SAP/cloud-sdk-python/issues/215
og:image:altDescribe the Problem The SAP Cloud SDK for Python ships the building blocks for AI agents, agent_decorators, agentgateway, AI Core auth, OTLP telemetry, but lacks compliance gate. Every agent built...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameThilaknath
hostnamegithub.com
expected-hostnamegithub.com
Noneb92d11c0aa4a77d54ef4af1078b6a15fb5a70a215b30c4ecf28889d5a8e656d9
turbo-cache-controlno-preview
go-importgithub.com/SAP/cloud-sdk-python git https://github.com/SAP/cloud-sdk-python.git
octolytics-dimension-user_id2531208
octolytics-dimension-user_loginSAP
octolytics-dimension-repository_id1187276298
octolytics-dimension-repository_nwoSAP/cloud-sdk-python
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id1187276298
octolytics-dimension-repository_network_root_nwoSAP/cloud-sdk-python
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release4b249b445842943ed31549e027f57a8ade9881ed
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/SAP/cloud-sdk-python/issues/215#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2FSAP%2Fcloud-sdk-python%2Fissues%2F215
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/open-source/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/open-source/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/enterprise/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2FSAP%2Fcloud-sdk-python%2Fissues%2F215
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=SAP%2Fcloud-sdk-python
Reloadhttps://github.com/SAP/cloud-sdk-python/issues/215
Reloadhttps://github.com/SAP/cloud-sdk-python/issues/215
Reloadhttps://github.com/SAP/cloud-sdk-python/issues/215
Please reload this pagehttps://github.com/SAP/cloud-sdk-python/issues/215
SAP https://github.com/SAP
cloud-sdk-pythonhttps://github.com/SAP/cloud-sdk-python
Notifications https://github.com/login?return_to=%2FSAP%2Fcloud-sdk-python
Fork 33 https://github.com/login?return_to=%2FSAP%2Fcloud-sdk-python
Star 18 https://github.com/login?return_to=%2FSAP%2Fcloud-sdk-python
Code https://github.com/SAP/cloud-sdk-python
Issues 6 https://github.com/SAP/cloud-sdk-python/issues
Pull requests 16 https://github.com/SAP/cloud-sdk-python/pulls
Actions https://github.com/SAP/cloud-sdk-python/actions
Projects https://github.com/SAP/cloud-sdk-python/projects
Security and quality 0 https://github.com/SAP/cloud-sdk-python/security
Insights https://github.com/SAP/cloud-sdk-python/pulse
Code https://github.com/SAP/cloud-sdk-python
Issues https://github.com/SAP/cloud-sdk-python/issues
Pull requests https://github.com/SAP/cloud-sdk-python/pulls
Actions https://github.com/SAP/cloud-sdk-python/actions
Projects https://github.com/SAP/cloud-sdk-python/projects
Security and quality https://github.com/SAP/cloud-sdk-python/security
Insights https://github.com/SAP/cloud-sdk-python/pulse
Deterministic Compliance Middleware for SAP Cloud SDK (Optional Module)https://github.com/SAP/cloud-sdk-python/issues/215#top
https://github.com/Thilaknath
Thilaknathhttps://github.com/Thilaknath
on Jul 8, 2026https://github.com/SAP/cloud-sdk-python/issues/215#issue-4837800450
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.