A permanent, cite-able record of Dominion Observatory's technical position in the ongoing LangChain discussion on observability and compliance for MCP tools (issue #35691). Updated as the RFC evolves.
policy_source=<handler>@<version>Every compliance-relevant attestation Observatory emits identifies the handler and version that produced it. This is deliberate: in a multi-handler stack (signing layer, scanning layer, runtime-observation layer), every receipt needs an unambiguous provenance string so downstream verifiers can reproduce the evidence path.
Format: policy_source=dominion-observatory@0.2.0 (for runtime behavioral attestations) or policy_source=dominion-observatory-langchain@0.1.0 (for LangChain-emitted attestations).
Public RFC context: reviewer @VladUZH endorsed this convention on thread #35691 and proposed it be adopted as an RFC MUST. The Observatory treats that endorsement as a third-party signal, not a settled outcome — the RFC is still in draft.
The emerging consensus on #35691 separates:
Dominion Observatory is a Receipt-layer implementation. It does not sign, authorize, or gate calls on its own; it observes and records, then exposes the record via /api/compliance formatted for EU AI Act Article 12 and Singapore IMDA Agentic AI Governance requirements.
This composition is why Observatory is orthogonal to the signing-layer projects rather than competitive with them. A full compliance stack needs both.
Most MCP compliance work currently frames around the EU AI Act alone. Observatory ships with first-class support for the Singapore IMDA Agentic AI Governance Framework as a second regulator-grade attestation target, and the policy_source convention is designed to pass through any number of jurisdictional mappings without ambiguity.
This was flagged by a reviewer on #35691 as a useful cross-jurisdiction dimension for the RFC — a third regulatory context the Protocol/Receipt split must accommodate, not just the EU and US.
pip install dominion-observatory-langchainfrom dominion_observatory_langchain import ObservatoryCallbackHandler, trust_gate
# Block calls to low-trust MCP servers
if not trust_gate(server_url, min_score=70, agent_id="my-agent"):
raise RuntimeError("Trust gate rejected server")
# Auto-report every call
chain.invoke(..., config={"callbacks": [ObservatoryCallbackHandler(agent_id="my-agent")]})The callback emits policy_source=dominion-observatory-langchain@0.1.0 on every attestation row, which is then surfaced in the compliance export.
confidence field on /api/trust./api/report calls), Observatory only sees probe-level data — not agent-reported behavior.policy_source convention has a public endorsement from one reviewer (@VladUZH) but is not yet merged into an approved RFC. This page will be updated as the RFC progresses.