Phase D Batch 28 — Notes
Batch theme: Enterprise gateways, registries & governance runtimes — MCP registries, proxies, gateways, policy/governance runtimes
Agent: Phase D batch agent #28 of 33 Date: 2026-05-26 Frameworks: 10 Files written: 110 (11 per framework × 10)
Frameworks Covered
| Slug | Repo | Stars | Tier | Primary Category |
|---|---|---|---|---|
| contextforge | IBM/mcp-context-forge | 3770 | A | MCP-gateway-with-admin-UI |
| archestra | archestra-ai/archestra | 3745 | A | K8s-native-MCP-orchestration |
| agentgateway | agentgateway/agentgateway | 2871 | A | universal-AI-gateway |
| atmosphere | Atmosphere/atmosphere | 3767 | A | Java-runtime-with-compliance |
| parlant | emcie-co/parlant | 18084 | A | conversation-behavior-engine |
| cai-cybersecurity | aliasrobotics/cai | 8753 | A | cybersecurity-pentest-framework |
| plano | katanemo/plano | 6543 | A | envoy-based-AI-gateway |
| gitagent-protocol | open-gitagent/gitagent-protocol | 2790 | B | agent-governance-standard |
| acpx | openclaw/acpx | 2759 | B | agent-to-agent-protocol-client |
| claude-plugin-design-joestump | joestump/claude-plugin-sdd | 11 | C | architecture-governance-plugin |
Tier Counts
- Tier A (production-ready, significant stars, runtime): 7 frameworks
- Tier B (active, meaningful stars, notable gaps): 2 frameworks (gitagent-protocol, acpx)
- Tier C (low stars but technically capable): 1 framework (claude-plugin-sdd)
Duplicates / Overlaps with Other Batches
None detected. All 10 frameworks are distinct from the 11 seed frameworks and from the other Phase D batches (batch numbers known: 1, 2, 8, 9, 11, 13, 17, 18, 22, 23, 24, 25, 26, 29, 30, 32).
Most Surprising Find
Atmosphere's Stop hook + drift-log enforcement (atmosphere/atmosphere): The framework ships a git hook script check-drift-log.sh that fires when Claude Code attempts to stop a session. The script reads the Claude Code session transcript, scans for 6 specific "drift-correction language" patterns (phrases that indicate the AI went off-spec), and blocks the stop if it detects these patterns without a corresponding entry in .harness/drift-log.md. Additionally, git commit hooks silently reject commits with AI co-author signatures in the message.
This is the only framework in the corpus that:
- Uses a Claude Code Stop hook as a compliance enforcement gate
- Reads the AI's own session transcript to detect behavioral drift
- Blocks the AI from stopping until it documents its drift in a human-readable log
The mechanism treats the AI as a contractor that must log deviations before clocking out. No other framework in any batch takes this approach.
Second-Most Surprising Find
acpx's prompt queueing via IPC: acpx implements a Unix socket/named pipe queue so prompts submitted to a busy agent session are queued and executed in order rather than rejected. This IPC-based cooperative scheduling has no equivalent in any other framework. Combined with --no-wait (fire-and-forget), it enables orchestrators to submit work without polling for agent availability.
Notable Patterns Across the Batch
audit_log implementations (batch focus)
| Framework | Audit Log Mechanism | Storage |
|---|---|---|
| contextforge | OTEL spans + SQLAlchemy events | PostgreSQL/SQLite |
| archestra | PostToolUse hook logs | in-memory/file |
| agentgateway | CEL-evaluated policy decisions | structured JSON |
| atmosphere | governance_audit_log table (JSONB) |
PostgreSQL |
| parlant | Per-turn behavioral trace | SQLite |
| cai-cybersecurity | .cai/ JSONL session traces |
flat files |
| plano | Agentic Signals™ (OTEL zero-code) | OTEL backend |
| gitagent-protocol | git commit history | git repository |
| acpx | ~/.acpx/sessions/*/history/ JSON |
flat files |
| claude-plugin-sdd | CLAUDE.md + docs/ (no formal audit log) | markdown files |
Deployment topology patterns
- K8s-native: archestra (Helm), agentgateway (Gateway API + K8s controller), plano (Envoy-based)
- Self-hosted service: contextforge (uvicorn/Docker), atmosphere (JVM/brew), parlant (Docker/pip), cai-cybersecurity (pip/Docker)
- Single binary: agentgateway (Rust), plano (brightstaff native binary)
- npm package (definition/client): gitagent-protocol (opengap CLI), acpx (acpx CLI)
- Claude Code plugin (no server): claude-plugin-sdd
Observability/safety primitives
- OTEL: contextforge (full), plano (zero-code Agentic Signals), agentgateway (export targets)
- CEL policy engine: agentgateway (cel-fork/celx crates)
- AWS Cedar / OPA Rego: atmosphere (governance modules)
- Multi-guardrail stack: agentgateway (regex + OpenAI moderation + Bedrock Guardrails + Model Armor)
- PII plugins: contextforge (40+ plugins including PII redaction)
- ARQ reasoning blueprints: parlant (arXiv 2503.03669) — test-validated behavioral correctness
- Dual-LLM sanitizer: archestra (sub-agent sanitizes inputs before primary LLM)
- Prompt injection notes: agentgateway (A2A indirect prompt injection mitigation)
Key Differentiators per Framework
contextforge
IBM-backed Python gateway with the widest plugin ecosystem (40+) in this batch: TOON, circuit-breaker, PII, content-moderation, rate-limit, retry. Unique: HTMX+Alpine.js admin UI embedded in a Python service (no npm/React). Tool authorization log in SQLAlchemy.
archestra
Lethal Trifecta awareness (sensitive data + prompt injection + exfiltration = Simon Willison's concept) built into architecture. Dual-LLM sanitizer sub-agent. Cost optimizer claiming 96% reduction. PostToolUse hook for Biome formatting (unique in corpus). AGPL-3.0 with CNCF/LF membership.
agentgateway
Only framework supporting all three: LLM Gateway + MCP Gateway + A2A Gateway. Rust single binary with embedded Next.js UI at :15000. CEL policy engine with cel-fork/celx crates. Most complete "universal AI gateway" in the batch.
atmosphere
Java/JVM 2008-vintage; v4.0.48 most battle-tested. Stop hook behavioral drift detection (most surprising find). 12 runtime adapters with OpenSSF SKILLCARD.yaml signed manifests. Cedar/Rego policy, HITL durable approvals, PostgreSQL audit log.
parlant
Highest stars (18084) in batch by large margin. Per-turn contextual matching engine — only items semantically matching the current turn are assembled into the LLM call. ARQ reasoning blueprints (published research). Strict/Canned output mode. Production at JPMorgan Chase.
cai-cybersecurity
Only offensive security framework in corpus. 15 code-class security agents. Professional Edition ($350/month, alias1 model, "no refusals"). retester → HackerOne production pipeline. NOASSERTION license. 4 CLIs including cai-gif (offensive tool presentations as GIFs).
plano
Built by Envoy core contributors. WASM filters embedded in data plane. Plano-Orchestrator 4B LLM for routing. Agentic Signals™ zero-code OTEL is a commercial differentiator. 8 developer skills in .claude/skills/.
gitagent-protocol
git IS the audit trail — not a workaround, a design principle. SOD conflict matrix in agent.yaml with AJV validation + CI blocking. 12 framework export adapters (only framework-neutral definition standard in batch). Financial compliance (FINRA/Fed/SEC) as first-class.
acpx
ACP (Agent Client Protocol) client — third protocol category alongside MCP (tools) and git (state). 17 built-in agent adapters across 8 vendors. IPC prompt queueing. Designed for agent-as-primary-user. Dynamic sub-agent role assignment via --system-prompt.
claude-plugin-sdd
Only framework implementing a complete development methodology (SDD) as a plugin. Adversarial Grumpy Engineer in scrum planning. Security-by-default specs with opt-out requiring justification. Conflict-marker hard gate before PR review. Artifact dependency DAG with impact analysis. 18 slash commands.
Files
All 110 files written to /Users/yigitkonur/research/spec-driven-dev/spec-system/<slug>/ (00-summary.md through 09-uniqueness.md + METRICS.yaml).
Paths
/Users/yigitkonur/research/spec-driven-dev/spec-system/contextforge/
/Users/yigitkonur/research/spec-driven-dev/spec-system/archestra/
/Users/yigitkonur/research/spec-driven-dev/spec-system/agentgateway/
/Users/yigitkonur/research/spec-driven-dev/spec-system/atmosphere/
/Users/yigitkonur/research/spec-driven-dev/spec-system/parlant/
/Users/yigitkonur/research/spec-driven-dev/spec-system/cai-cybersecurity/
/Users/yigitkonur/research/spec-driven-dev/spec-system/plano/
/Users/yigitkonur/research/spec-driven-dev/spec-system/gitagent-protocol/
/Users/yigitkonur/research/spec-driven-dev/spec-system/acpx/
/Users/yigitkonur/research/spec-driven-dev/spec-system/claude-plugin-design-joestump/