ArcKit + Agent Validator: Two Layers of AI Agent Governance
AI agents are shipping to production faster than governance frameworks can keep up. Two open-source projects — ArcKit and Agent Validator — attack this problem from opposite ends of the lifecycle. One governs the design. The other gates the code. Together, they cover the full arc from architecture decision to deployment approval.
ArcKit: Governance at the Design Table
ArcKit is an enterprise architecture governance toolkit built by tractorjuice. It ships as a Claude Code plugin (with Gemini CLI, GitHub Copilot, and Codex CLI support) and provides 68 structured commands spanning the entire architecture governance workflow:
- Architecture principles — establish and enforce design standards
- Stakeholder analysis — map drivers, goals, and outcomes
- Risk management — aligned to HM Treasury Orange Book frameworks
- Business case justification — Strategic Outline Business Cases via the Green Book
- Wardley Mapping — strategic planning and capability evolution
- Vendor procurement — RFP generation, build-vs-buy analysis, selection workflows
- Design reviews — formal HLD/DLD review processes with traceability
- Data modeling — ERD generation, GDPR compliance, data governance
ArcKit also includes 10 autonomous research agents, 5 automation hooks, and bundled MCP servers for AWS, Microsoft Learn, and Google Developer knowledge bases. It’s a comprehensive system that transforms architecture governance from scattered documents into a repeatable, AI-assisted process.
The target audience is enterprise architects — people making decisions about what gets built, how it integrates, and whether it meets organizational standards. ArcKit ensures those decisions are structured, traceable, and aligned to established frameworks.
Agent Validator: Governance at the Code Gate
Agent Validator takes a different approach entirely. Instead of governing design decisions, it validates the output — the actual code repository — against 33 automated rules across four tiers:
| Tier | What It Catches | Effect |
|---|---|---|
| HARD | Hardcoded secrets, banned imports, SSRF vulnerabilities, missing A2A agent card | ❌ Reject — blocks deployment |
| SOFT | Missing rate limiting, PII exposure, weak error handling | ⚠️ Warning — deployable but flagged |
| QUALITY | No README, missing tests, unpinned dependencies | 📋 Advisory |
| A2A | Google A2A spec compliance (agent.json, JSON-RPC endpoint) | Interoperability check |
Point it at a GitHub repo, get back a structured report card. The rule engine parses plain Markdown files — no DSL, no YAML schema. Adding a custom rule means writing a Markdown file with a regex pattern or AST check. The validator runs as a FastAPI server, a CLI tool (pip install soul-validator), or a Google A2A-compatible endpoint that orchestrators like LangGraph or CrewAI can call directly.
Different Layers, Same Goal
These tools aren’t competitors. They operate at fundamentally different layers:
ArcKit answers: Should we build this? Does the design meet our architecture principles? Have we assessed the risks? Is the vendor selection defensible?
Agent Validator answers: Is this code safe to deploy? Are there leaked secrets? Does it comply with A2A standards? Will it pass a security audit?
One is pre-build governance. The other is pre-deploy validation. An enterprise could use ArcKit to produce a formal design review for a new AI agent system, then run Agent Validator against every repo in that system before anything reaches production.
The Integration Point
Here’s where it gets interesting: ArcKit already supports MCP servers and autonomous research agents. Agent Validator already exposes a Google A2A endpoint. An ArcKit design review workflow could invoke Agent Validator as an A2A tool — “before I approve this architecture, validate the reference implementation.” The design review gets enriched with actual code-level findings. The architecture decision record includes not just stakeholder alignment and risk assessment, but concrete security and compliance status.
This isn’t theoretical. Both tools use open protocols. ArcKit’s plugin architecture can call external services. Agent Validator’s /a2a endpoint accepts a repo URL and returns structured results. The plumbing exists.
Who Uses What
| If you’re… | Start with |
|---|---|
| An enterprise architect defining standards | ArcKit |
| A DevOps engineer building CI gates | Agent Validator |
| A platform team governing agent deployments end-to-end | Both |
ArcKit gives you the governance framework. Agent Validator gives you the governance enforcement. Frameworks without enforcement are aspirational. Enforcement without frameworks is arbitrary. The combination is what makes governance real.
Getting Started
- ArcKit:
/plugin marketplace add tractorjuice/arc-kitin Claude Code, orpip install git+https://github.com/tractorjuice/arc-kit.gitfor other platforms - Agent Validator:
pip install soul-validator && soul-validator serve— running in under a minute
Both are MIT-licensed. Both are actively maintained. And both are solving a problem that’s only going to get more urgent as agent deployments accelerate.