CI pipeline

Use the same `bl.govern({...})` call from your CI script — set `context.session = { user: 'github-action:deploy', machine: 'ci.acme.com', repo, branch, cwd, tool_client: 'github-actions' }` so the audit trail attributes the action to the pipeline, not a person. The decision token can be inspected by reviewers without sharing the SDK key (anonymous verify endpoint). Pair with `bl.cost.record` after each LLM call your CI step makes so cost rolls up against the `source: ci` bucket on `/v1/insights/coverage`.