
Zero-Config Governance

Zero-config is the server-backed learning and review path for replay(). Add an API key, run your agent, and Vesanor builds a governance plan from tool schemas, descriptions, and observed traffic without local YAML.

Today this path is review-first. It captures and syncs governance state, but it does not yet enforce the approved compiled_session locally inside the SDK.


One line of code

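import OpenAI from "openai";
import { replay } from "@vesanor/replay";

const client = new OpenAI();

// Wrap the provider client; only the API key is required for zero-config.
const session = replay(client, {
  apiKey: process.env.VESANOR_API_KEY,
});

// Call the wrapped client exactly as you would call the original one.
const response = await session.client.chat.completions.create({
  model: "gpt-4o-mini",
  messages: [{ role: "user", content: "Process this order" }],
  tools: myToolDefinitions, // your existing tool definitions
});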

No contractsDir. No local session.yaml. No per-tool YAML files.

Anthropic works the same way. Pass an Anthropic client instead of OpenAI and Vesanor will capture the same governance inputs.


What Happens Today

1. Calls pass through and get captured

When you use replay(client, { apiKey }) with no local contracts, the SDK fetches governance state for the agent and then runs in pass-through capture mode. Your calls are not blocked in this mode today.

2. Vesanor builds a typed review plan on the server

The server turns captured requests and responses into a canonical GovernanceReviewPlan using:

  • Schema-only inference for structural argument invariants
  • Deterministic description parsing for side effects, bounds, regex hints, and preconditions
  • Conditional semantic extraction for unresolved tool-level ambiguity only
  • Session inference for workflow placement, limits, bindings, aggregates, envelopes, and checkpoint suggestions

3. You review the draft in the dashboard

The governance page shows the current draft review plan, including:

  • Tool classifications and argument rules
  • Preconditions, forbids-after rules, and workflow placement
  • Session limits and accepted workflow phases
  • Binding, aggregate, and envelope candidates
  • Checkpoint suggestions
  • Governance gaps the system cannot infer safely
  • Warnings, dry-run traces, and plan-health findings

4. Approval freezes a server-side snapshot

When you click Approve, Vesanor stores immutable compiled_plan and compiled_session snapshots for that version. New captures do not silently rewrite the approved version.

5. Post-approval drift becomes review work

After approval, new evidence is audited against the approved snapshot. Vesanor raises targeted pending_review findings such as:

  • Newly observed tools not covered by the approved plan
  • Side-effect drift or under-classification
  • Argument invariant violations
  • Broken preconditions or forbids-after assumptions

Accepting a finding reopens a draft snapshot for explicit re-approval. Dismissing it leaves the approved snapshot unchanged.
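
The post-approval audit described in step 5, sketched as an added example (not Vesanor's code or schema): a frozen snapshot is checked deterministically against newly captured calls and yields pending_review findings. The snapshot shape, the side-effect names, the finding kind strings, and the sample calls are assumptions constructed for illustration.

```javascript
// Added illustration, not Vesanor code. Snapshot/capture shapes, side-effect
// names and finding kinds are constructed for this example.
const RANK = { read: 0, write: 1, destructive: 2 };

function deepFreeze(o) {
  for (const v of Object.values(o)) if (v && typeof v === "object") deepFreeze(v);
  return Object.freeze(o);
}

// Hypothetical approved snapshot: frozen so later captures cannot rewrite it.
const approved = deepFreeze({
  version: 3,
  tools: {
    lookup_order: { sideEffect: "read", args: { order_id: "^ord_[0-9]+$" }, requires: [] },
    refund_order: { sideEffect: "write", args: { order_id: "^ord_[0-9]+$" }, requires: ["lookup_order"] },
  },
});

// Deterministic audit: same snapshot + same captured calls => same findings.
function auditCapture(snapshot, calls) {
  const findings = [];
  const seen = new Set();
  const flag = (kind, tool, detail) =>
    findings.push({ status: "pending_review", kind, tool, detail });
  for (const call of calls) {
    // hasOwn avoids treating inherited names like "constructor" as covered tools.
    const rule = Object.hasOwn(snapshot.tools, call.tool) ? snapshot.tools[call.tool] : null;
    if (!rule) {
      flag("uncovered_tool", call.tool, "not in approved plan");
    } else {
      if (RANK[call.observedSideEffect] > RANK[rule.sideEffect])
        flag("side_effect_drift", call.tool, `${rule.sideEffect} -> ${call.observedSideEffect}`);
      for (const [arg, pattern] of Object.entries(rule.args))
        if (!new RegExp(pattern).test(String(call.args?.[arg] ?? "")))
          flag("argument_invariant", call.tool, arg);
      for (const dep of rule.requires)
        if (!seen.has(dep)) flag("broken_precondition", call.tool, `missing ${dep}`);
    }
    seen.add(call.tool);
  }
  return findings;
}

// Constructed capture: refund before lookup, a malformed id, and an unknown tool.
const sampleCalls = [
  { tool: "refund_order", observedSideEffect: "write", args: { order_id: "order-42" } },
  { tool: "lookup_order", observedSideEffect: "read", args: { order_id: "ord_42" } },
  { tool: "delete_customer", observedSideEffect: "destructive", args: {} },
];
console.log(auditCapture(approved, sampleCalls));
```

The audit only reads the snapshot; in this sketch, accepting a finding would mean building a new draft object for re-approval rather than mutating `approved`.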


What Zero-Config Surfaces

| Area | What you see today |
|---|---|
| Tool rules | Side effect, confidence, argument invariants, preconditions, forbids-after, phase placement |
| Session review | Phases, transitions, session limits, bindings, aggregates, envelopes |
| Human review | Checkpoint suggestions, governance gaps, warnings, dry-run evidence |
| Drift | pending_review findings keyed to approved decisions |

Vesanor only compiles accepted, typed decisions into the canonical review plan. Unsupported or ambiguous values are left as review_required instead of being silently normalized away.


Important Boundaries

  • Zero-config today is a governance learning and review flow. It is not local runtime blocking.
  • Approval stores the server-side snapshot, but the current zero-config SDK path still passes tool calls through.
  • Customer-triggered semantic re-analysis is still deferred. The current post-approval audit path is deterministic.
  • The dashboard action is Export as YAML. It exports a YAML snapshot of the governance plan; it is not a generated contract-pack zip.

Move To Enforcement

If you need tool-call blocking today, use manual contracts with contractsDir:

const session = replay(client, {
  contractsDir: "./contracts",
  agent: "orders-bot",
  mode: "enforce",
  apiKey: process.env.VESANOR_API_KEY,
});

That path uses the full contract compiler and enforcement pipeline. See Replay Quickstart and Protection Levels.

