Skip to content

Inspect governed evidence

Use governed attributes and policy checkpoints when you need local evidence about sensitive, classified, reviewed, or policy-relevant relational targets without making IncQL responsible for your organization’s policy engine.

Inspect inferred governed attributes

inspect_plan(...) carries governed evidence next to lineage, metadata attachments, adapter requirements, and unsupported-evidence markers.

from pub::incql import inspect_plan

inspection = inspect_plan(summary)

for attribute in inspection.governed_attributes:
    println(f"{attribute.target.name}: {attribute.key} = {attribute.value.value}")
    println(f"  source={attribute.source.value()} status={attribute.status.value()}")

Inspection infers field schema attributes when local plan evidence includes a field’s primitive kind. These records use the same target, provenance, confidence, status, and evidence-reference shape as caller-supplied attributes, so catalog, contract, and policy-ingress steps can attach compatible evidence without a separate record model.

Declare a caller-supplied attribute

Use governed_attribute(...) when another local step already knows a governed fact and wants to attach it to a semantic target.

from pub::incql import (
    GovernedAttributeConfidence,
    GovernedAttributeScope,
    GovernedAttributeSource,
    GovernedAttributeStatus,
    governed_attribute,
    inspect_plan,
)

inspection = inspect_plan(customer_report)
email_target = inspection.output_fields[0]

classification = governed_attribute(
    email_target,
    "classification",
    "personal_data",
    scope=GovernedAttributeScope.Field,
    source=GovernedAttributeSource.User,
    confidence=GovernedAttributeConfidence.High,
    status=GovernedAttributeStatus.Asserted,
    authority=Some("privacy-review"),
    evidence_refs=["catalog:customer_report.email"],
)

This only creates evidence. It does not mask the field, filter rows, block execution, or certify the output.

Record a policy checkpoint

Use policy_checkpoint(...) to record a policy result or observation at a known boundary.

from pub::incql import (
    MetadataVisibility,
    PolicyCheckpointAction,
    PolicyCheckpointKind,
    policy_checkpoint,
)

checkpoint = policy_checkpoint(
    email_target,
    PolicyCheckpointKind.Planning,
    PolicyCheckpointAction.Warn,
    "policy:pii-export",
    "masking_recommended",
    visibility=MetadataVisibility.Internal,
    evidence_refs=[classification.attribute_id],
)

The checkpoint says that a warning decision was recorded. A CI job, notebook, orchestration layer, or governance tool can decide what to do with that warning. IncQL keeps the decision evidence explicit and local.

Read policy observation from inspection

Local inspection emits a planning checkpoint when it observes governed evidence. That checkpoint uses PolicyCheckpointAction.Observe, not Allow or Deny, because inspection is not a policy engine.

for checkpoint in inspection.policy_checkpoints:
    println(f"{checkpoint.checkpoint.value()}: {checkpoint.action.value()} {checkpoint.reason_code}")

For the complete record and enum reference, see Governed attributes and policy checkpoints (Reference).