feat(examples): add ATR community security rules for PolicyEvaluator by eeee2345 · Pull Request #908 · microsoft/agent-governance-toolkit

eeee2345 · 2026-04-08T23:32:17Z

Add ATR community security rules for PolicyEvaluator

Closes #901

What this PR does

Adds an example integration of Agent Threat Rules (ATR) detection rules as a PolicyDocument for AGT's PolicyEvaluator. This gives AGT users access to a community-maintained, continuously-updated set of AI agent security detection patterns.

Files added (all under examples/atr-community-rules/):

File	Purpose
`atr_security_policy.yaml`	15 high-confidence rules in PolicyDocument format, ready to load
`sync_atr_rules.py`	Script to convert the full ATR ruleset (108 rules) to AGT format
`test_atr_policy.py`	pytest tests: 5 known-bad denied, 3 known-good allowed
`README.md`	Usage instructions

Why ATR?

ATR is an open-source detection standard purpose-built for AI agent threats. It complements AGT's existing sample patterns in prompt_injection.py (~43 patterns) and mcp_security.py (~39 patterns) with battle-tested rules developed from real-world attack campaigns:

108 rules across 9 threat categories (prompt injection, tool poisoning, skill compromise, context exfiltration, privilege escalation, etc.)
99.6% precision on MCP tool descriptions (PINT benchmark, 850 samples)
96.9% recall on SKILL.md files (498 real-world samples, 0% false positive rate)
Adopted by Cisco AI Defense (34 rules merged, PR Agent-Threat-Rule/agent-threat-rules#79)
Wild-tested: 53,577 skills scanned, 946 flagged (1.77%), 0% false positive on clean corpus

How it maps to AGT architecture

Per @imran-siddique's guidance in #901, the rules map directly to PolicyEvaluator's existing operator: matches (which calls re.search()):

# ATR rule → AGT PolicyDocument rule
rules:
  - name: atr-00001-direct-prompt-injection
    condition:
      field: user_input            # ATR category determines the field
      operator: matches            # AGT's regex operator
      value: "(?i)\\b(ignore|disregard|forget|override|bypass)..."  # Real ATR regex
    action: deny
    priority: 80                   # Mapped from ATR severity: high
    message: "[ATR-00001] Direct prompt injection detected..."

The 15 curated rules cover the highest-impact threat categories:

5 prompt injection: direct injection, jailbreak (mode switch + named persona), system prompt override via special tokens, multi-turn false agreement
5 tool poisoning: consent bypass, trust escalation, hidden safety bypass ("NOTE TO AI"), silent action concealment, schema-description contradiction
3 context exfiltration: system prompt leak, credential/API key exposure, credential file theft
2 privilege escalation: shell/admin tool invocation, eval/child_process injection

Sync script for the full ruleset

The sync_atr_rules.py script converts all 108 ATR rules to AGT format in one command:

npm install agent-threat-rules
python examples/atr-community-rules/sync_atr_rules.py \
  --atr-dir node_modules/agent-threat-rules/rules/ \
  --output atr_community_policy.yaml

ATR includes a community-driven threat intelligence pipeline (Threat Cloud) that crystallizes new detection patterns from novel threats. As new rules are published, the sync script can pull updates.

Testing

pytest examples/atr-community-rules/test_atr_policy.py -v

Tests verify:

Direct prompt injection ("Ignore all previous instructions...") -> denied
Jailbreak mode switch ("Enable developer mode...") -> denied
ChatML token injection (<|im_start|>system...) -> denied
Tool consent bypass (hidden forwarding instructions) -> denied
Credential exposure (API keys in response) -> denied
Normal coding request -> allowed
Security discussion -> allowed
Normal tool description -> allowed

Links

ATR project: https://agentthreatrule.org
ATR GitHub: https://github.com/Agent-Threat-Rule/agent-threat-rules
npm: agent-threat-rules (108 rules, MIT license)
Issue: Community detection rules integration — ATR (108 rules, shipped in Cisco AI Defense) #901

Add 15 high-confidence detection rules from Agent Threat Rules (ATR) mapped to AGT's PolicyDocument format, plus a sync script for the full 108-rule set. Closes microsoft#901

github-actions · 2026-04-08T23:32:53Z

🤖 AI Agent: contributor-guide — Welcome to the Microsoft Agent Governance Toolkit Community! 🎉

Welcome to the Microsoft Agent Governance Toolkit Community! 🎉

Hi there, and welcome! Thank you for taking the time to contribute to the project. We’re thrilled to have you here, and your pull request is a fantastic addition to the repository. 🎊

What You Did Well 🌟

Thorough Documentation: Your PR includes a detailed description of the changes, including the purpose of the ATR rules, how they integrate with AGT, and the testing process. The inclusion of a README.md file in the examples/atr-community-rules/ directory is a great touch and will help users understand how to use these rules effectively.
Comprehensive Testing: The test_atr_policy.py file is well-structured and includes both positive and negative test cases. This ensures that the rules work as intended and don’t produce false positives or negatives.
Alignment with AGT Architecture: You’ve clearly mapped ATR rules to AGT’s PolicyEvaluator structure, including thoughtful mappings of ATR categories to AGT context fields. This demonstrates a deep understanding of the project’s architecture.
Extensibility: The inclusion of the sync_atr_rules.py script is a fantastic addition. It allows users to easily update the ATR rules as new ones are released, ensuring the project remains up-to-date with the latest security patterns.
Security Awareness: The rules you’ve added are highly relevant and address critical security concerns like prompt injection, tool poisoning, and privilege escalation. The high precision and recall metrics you provided for the ATR rules are impressive and add credibility to their effectiveness.

Suggestions for Improvement ✨

While your contribution is excellent, here are a few suggestions to align it even more closely with our project conventions and best practices:

Linting: We use ruff for linting (with rules E, F, and W). Please run ruff on your Python files (sync_atr_rules.py and test_atr_policy.py) to ensure they adhere to our style guide. You can install ruff and run it with:
```
pip install ruff
ruff check examples/atr-community-rules/
```
File Placement: While your tests are excellent, we typically place test files under the packages/{name}/tests/ directory. Could you move test_atr_policy.py to packages/examples/tests/? This will ensure consistency with our project structure.

Commit Message Style: We follow the Conventional Commits specification. Your commit message is close, but it could be updated to include a more descriptive scope and body. For example:

feat(examples): add ATR community security rules for PolicyEvaluator

- Added 15 high-confidence ATR rules in `atr_security_policy.yaml`
- Included `sync_atr_rules.py` to convert the full ATR ruleset to AGT format
- Added `test_atr_policy.py` with 8 test cases (5 deny, 3 allow)
- Provided detailed `README.md` with usage instructions
- Closes #901

Security Review: Since this PR introduces security-sensitive code, we’ll need to conduct an additional review to ensure the regex patterns and mappings are robust and don’t introduce vulnerabilities. For example:
- Some regex patterns (e.g., atr-00021-credential-exposure) could benefit from additional testing to ensure they don’t produce false positives.
- Consider adding comments or documentation for the sync_atr_rules.py script to explain how the mappings (e.g., CATEGORY_TO_FIELD) were derived.

Next Steps 🚀

Run Linting: Use ruff to check your Python files for any style issues and fix them as needed.
Move Test File: Relocate test_atr_policy.py to packages/examples/tests/.
Update Commit Message: Update your commit message to follow the Conventional Commits format.
Security Review: We’ll conduct an internal review of the security-related code and regex patterns. If we have any concerns or suggestions, we’ll let you know.

Helpful Resources 📚

CONTRIBUTING.md: Our contribution guidelines, including details on our coding standards and processes.
QUICKSTART.md: A guide to getting started with the project.
Ruff Documentation: For linting your Python code.

Thank you again for your contribution! If you have any questions or need help with the next steps, don’t hesitate to ask. We’re here to support you, and we’re excited to collaborate with you on this project! 😊

github-actions · 2026-04-08T23:32:56Z

🤖 AI Agent: security-scanner — Security Review of Pull Request: feat(examples): add ATR community security rules for PolicyEvaluator

Security Review of Pull Request: feat(examples): add ATR community security rules for PolicyEvaluator

1. Prompt Injection Defense Bypass

Rating: 🔴 CRITICAL

Attack Vector: The regex patterns in atr_security_policy.yaml are used to detect prompt injection attempts. However, regex-based detection is inherently brittle and can be bypassed with minor obfuscations, such as adding whitespace, Unicode homoglyphs, or splitting keywords across multiple inputs. For example, "Igno re all previous instructions" or "Igⲛore all prеvious instructions" may evade detection.
Fix:
- Enhance regex patterns to account for common obfuscation techniques (e.g., Unicode normalization, whitespace variations).
- Consider integrating a more robust NLP-based detection mechanism alongside regex to identify semantic intent rather than relying solely on pattern matching.

2. Policy Engine Circumvention

Rating: 🟠 HIGH

Attack Vector: The sync_atr_rules.py script converts ATR rules into AGT PolicyDocument format. If an attacker compromises the ATR rules source (e.g., via dependency confusion or malicious updates to agent-threat-rules), they could inject rules that weaken or bypass security policies. For example, a rule with action: allow for dangerous patterns could be introduced.
Fix:
- Implement a verification mechanism to validate the integrity and authenticity of ATR rules before conversion (e.g., hash validation or signed rulesets).
- Add a safeguard in the sync script to reject rules with action: allow for high-severity patterns.

3. Trust Chain Weaknesses

Rating: 🟡 MEDIUM

Attack Vector: The sync_atr_rules.py script relies on the agent-threat-rules npm package. If this package is compromised (e.g., via typosquatting or supply chain attacks), malicious rules could be introduced.
Fix:
- Pin the agent-threat-rules dependency to a specific version and verify its integrity using checksums.
- Regularly audit the dependency for vulnerabilities using tools like npm audit.

4. Credential Exposure

Rating: 🔴 CRITICAL

Attack Vector: The regex pattern for detecting credentials in atr_security_policy.yaml (ATR-00021) is comprehensive but may miss certain formats or edge cases (e.g., custom API key formats). Additionally, if the detection logic fails, sensitive credentials could be exposed in logs or responses.
Fix:
- Extend the regex to cover additional credential formats.
- Ensure that any detected credentials are securely redacted from logs and error messages.

5. Sandbox Escape

Rating: 🔴 CRITICAL

Attack Vector: The atr_security_policy.yaml includes rules to detect privilege escalation attempts (e.g., ATR-00040 for shell commands and ATR-00110 for eval injection). However, these rules rely on regex matching, which can be bypassed with obfuscation or novel techniques.
Fix:
- Implement runtime sandboxing and syscall filtering to prevent unauthorized system-level access, even if the policy engine fails.
- Use a defense-in-depth approach by combining static analysis with runtime monitoring.

6. Deserialization Attacks

Rating: 🟠 HIGH

Attack Vector: The sync_atr_rules.py script uses yaml.safe_load to parse YAML files, which is a safer alternative to yaml.load. However, if the input YAML files are maliciously crafted, they could still exploit vulnerabilities in the YAML parser.
Fix:
- Use a library like ruamel.yaml or PyYAML with strict schema validation to ensure that only expected fields and data types are allowed.
- Validate the structure and content of the parsed YAML against a predefined schema before processing.

7. Race Conditions

Rating: 🔵 LOW

Attack Vector: There is no evidence of race conditions in the provided code. The PolicyEvaluator processes a single context at a time, and the sync script operates on local files sequentially.
Fix: No immediate action required. However, if the PolicyEvaluator is used in a multi-threaded environment, ensure thread safety.

8. Supply Chain Risks

Rating: 🔴 CRITICAL

Attack Vector: The agent-threat-rules npm package is a critical dependency. If this package is compromised, it could introduce malicious rules or backdoors into the AGT system, affecting all downstream users.
Fix:
- Implement dependency pinning and lockfile validation to prevent unauthorized updates.
- Use a package integrity verification tool (e.g., npm audit, snyk) to monitor for vulnerabilities or malicious changes in dependencies.
- Consider mirroring the agent-threat-rules repository and performing internal audits before updates.

Additional Observations

Regex Complexity: The regex patterns in atr_security_policy.yaml are complex and may impact performance when evaluating large inputs. Consider benchmarking the PolicyEvaluator to ensure it can handle high-throughput scenarios without significant latency.
Error Handling in sync_atr_rules.py: The script currently prints warnings for YAML parsing errors but does not fail the process. This could lead to incomplete or incorrect policy files.
- Fix: Implement stricter error handling to abort the process if critical rules fail to load.
Testing Coverage: The provided tests in test_atr_policy.py are a good start but could be expanded to include edge cases, such as obfuscated inputs or malformed context fields.
- Fix: Add tests for variations of known attack patterns (e.g., Unicode homoglyphs, whitespace obfuscation).

Summary of Findings

Issue	Rating	Fix
Prompt Injection Defense Bypass	🔴 CRITICAL	Enhance regex patterns and integrate NLP-based detection.
Policy Engine Circumvention	🟠 HIGH	Validate ATR rules integrity and reject unsafe rules.
Trust Chain Weaknesses	🟡 MEDIUM	Pin dependencies and verify integrity.
Credential Exposure	🔴 CRITICAL	Extend regex coverage and redact sensitive data from logs.
Sandbox Escape	🔴 CRITICAL	Implement runtime sandboxing and syscall filtering.
Deserialization Attacks	🟠 HIGH	Use strict schema validation for YAML parsing.
Race Conditions	🔵 LOW	No immediate action required.
Supply Chain Risks	🔴 CRITICAL	Audit and verify dependencies, implement integrity checks, and consider mirroring repos.

Final Recommendation

This PR introduces valuable security rules to the AGT framework, but there are critical vulnerabilities that need to be addressed before merging. The most pressing issues are the potential for prompt injection bypass, supply chain risks, and sandbox escape vulnerabilities. Addressing these concerns will significantly enhance the robustness of the AGT framework and ensure the safety of downstream users.

github-actions

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces an example integration of the Agent Threat Rules (ATR) detection rules into the Agent Governance Toolkit (AGT). It includes a curated set of 15 high-confidence rules in atr_security_policy.yaml, a script (sync_atr_rules.py) to convert the full ATR ruleset into AGT-compatible format, and a test suite (test_atr_policy.py) to validate the integration.

The PR is well-documented and provides a clear mapping between ATR rules and AGT's PolicyEvaluator. The provided tests cover both positive and negative scenarios, ensuring that the rules work as expected. However, there are some areas that require attention, particularly around security, type safety, and potential edge cases.

🔴 CRITICAL

Regex Injection Vulnerability in sync_atr_rules.py
- The _atr_to_agt_rule function directly embeds regex patterns from ATR rules into the AGT policy without sanitization. If an attacker injects malicious regex patterns (e.g., catastrophic backtracking), this could lead to a denial-of-service (DoS) attack during policy evaluation.
- Recommendation: Validate and sanitize regex patterns before embedding them in the policy. Use libraries like regex (with timeouts) or pre-compile patterns to detect problematic ones.
Credential Handling in atr_security_policy.yaml
- The regex for detecting credentials (e.g., API keys, private keys) in atr_security_policy.yaml is comprehensive but may lead to false negatives for edge cases (e.g., obfuscated keys or non-standard formats).
- Recommendation: Regularly update the credential detection patterns to align with evolving formats. Consider integrating with a dedicated secret-scanning library like truffleHog or detect-secrets for enhanced coverage.
Privilege Escalation Detection
- The regex for privilege escalation (e.g., eval, child_process) in atr_security_policy.yaml is a good start but may miss obfuscated or encoded payloads (e.g., Base64-encoded commands).
- Recommendation: Implement additional layers of detection for encoded or obfuscated payloads. Consider integrating with a static analysis tool or sandbox for runtime evaluation.

🟡 WARNING

Backward Compatibility
- The introduction of atr_security_policy.yaml and the sync_atr_rules.py script does not directly modify the core AGT library. However, if users rely on the example policy or the sync script, any future changes to the ATR ruleset or the mapping logic could lead to unexpected behavior.
- Recommendation: Clearly document the versioning strategy for the atr_security_policy.yaml file and the sync_atr_rules.py script. Consider adding a version compatibility check between AGT and the ATR ruleset.

💡 SUGGESTIONS

Thread Safety in sync_atr_rules.py
- The convert_atr_directory function processes files sequentially. While this is acceptable for the current implementation, it could become a bottleneck if the number of rules increases significantly.
- Recommendation: Use Python's concurrent.futures or asyncio to parallelize the processing of ATR rule files.
Error Handling in sync_atr_rules.py
- The _load_yaml function catches exceptions but only logs a warning. This could lead to silent failures if critical files are skipped.
- Recommendation: Add an option to fail fast or log skipped files more prominently. For example, use a --strict flag to terminate the script if any file fails to load.
Test Coverage
- The test suite is well-structured and covers key scenarios. However, it does not test the sync_atr_rules.py script or the full 108-rule conversion process.
- Recommendation: Add tests for the sync_atr_rules.py script to ensure that it correctly converts ATR rules to AGT format. Use a small subset of ATR rules for testing.
Documentation
- The documentation in README.md is comprehensive but could benefit from a section on potential limitations or known issues with the ATR integration.
- Recommendation: Add a "Limitations" section to the README to set user expectations, especially regarding the potential for false positives/negatives and the need for regular updates to the ATR ruleset.
Logging in sync_atr_rules.py
- The script uses print statements for logging, which is not ideal for production-grade tools.
- Recommendation: Replace print statements with Python's logging module to provide configurable logging levels and better integration with other systems.
Type Annotations
- While the code in sync_atr_rules.py includes some type annotations, they are not comprehensive.
- Recommendation: Add type annotations for all function arguments and return types to improve code clarity and maintainability.
Default Action in atr_security_policy.yaml
- The default action in atr_security_policy.yaml is set to allow. While this is consistent with AGT's default behavior, it may not be the most secure default for a security-focused policy.
- Recommendation: Consider setting the default action to deny and explicitly allowing safe patterns. This would align better with a "default deny" security posture.
Regex Complexity
- Some regex patterns in atr_security_policy.yaml are complex and may impact performance during evaluation.
- Recommendation: Benchmark the performance of these regex patterns on large datasets. Optimize or simplify patterns where possible.
Dynamic Rule Updates
- The sync_atr_rules.py script allows users to update the ATR ruleset manually. However, there is no mechanism to automatically notify users of new rules.
- Recommendation: Implement a notification system or provide a CLI command to check for updates to the ATR ruleset.

Final Assessment

This PR is a valuable addition to the AGT project, providing a robust set of community-driven security rules. However, the following issues should be addressed before merging:

🔴 Regex injection vulnerability in sync_atr_rules.py.
🔴 Credential detection false negatives in atr_security_policy.yaml.
🔴 Privilege escalation detection gaps in atr_security_policy.yaml.

Additionally, the following improvements are recommended:

🟡 Document versioning and compatibility for the ATR ruleset and sync script.
💡 Add tests for the sync_atr_rules.py script.
💡 Improve error handling and logging in sync_atr_rules.py.
💡 Consider a "default deny" policy for atr_security_policy.yaml.

Once these issues are addressed, the PR will be ready for merging.

eeee2345 · 2026-04-08T23:36:42Z

@microsoft-github-policy-service agree

imran-siddique

Review: CHANGES REQUESTED

Diff reviewed - 4 new files under examples/atr-community-rules/ (546 additions). Closes #901.

Security checklist:

No eval(), exec(), pickle, shell=True, innerHTML
yaml.safe_load used correctly (not yaml.load)
No hardcoded secrets
agent-threat-rules npm package verified: registered on npm since 2026-03-09, 11 versions
Scope matches description - all files under examples/ only
Additions > 0

Issues to fix:

Missing MIT license headers (required per repo policy): Both sync_atr_rules.py and test_atr_policy.py need # Copyright (c) Microsoft Corporation. and # Licensed under the MIT License. at top.
Missing encoding in open() - the test file has open("...atr_security_policy.yaml") without encoding="utf-8". Per repo policy, all open() calls reading YAML/JSON/text must specify encoding (prevents Windows failures).
Trailing newline - verify all new files end with a newline (ruff W292).

Content looks solid - happy to approve once fixed.

@imran-siddique

Address review feedback from @imran-siddique: - Add Microsoft MIT license headers to .py files - Add encoding='utf-8' to all open() calls - Ensure trailing newlines on all files

github-actions

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces an example integration of the Agent Threat Rules (ATR) detection rules into the Agent Governance Toolkit (AGT). The PR includes a pre-built atr_security_policy.yaml file with 15 high-confidence rules, a script to convert the full ATR ruleset (108 rules) into AGT's PolicyDocument format, and a set of pytest-based tests to validate the integration. The contribution is well-documented and aligns with the goals of enhancing the security capabilities of AGT.

Below is a detailed review of the PR, focusing on the specified areas of concern:

🔴 CRITICAL: Security Issues

Regex Denial-of-Service (ReDoS) Vulnerabilities
- The regex patterns in atr_security_policy.yaml are complex and may be susceptible to ReDoS attacks. For example:
```
value: "(?i)\\b(ignore|disregard|forget|override|bypass|skip|abandon|drop|cancel|suppress)\\s+(all\\s+)?(the\\s+|your\\s+|my\\s+|any\\s+)?(previous|prior|above|earlier|preceding|original|existing|current|initial|default)?\\s*(instructions?|prompts?|rules?|guidelines?|directives?|constraints?|context|programming|protocols?|policies|configuration|guardrails?|restrictions?)"
```
  - This regex contains nested quantifiers (\\s+ and ?) and alternations (|), which can lead to catastrophic backtracking. An attacker could craft malicious input to exploit this and cause significant performance degradation.
  - Actionable Recommendation: Use tools like regex (Python's regex module) to validate and optimize these patterns for performance. Alternatively, consider simplifying the regex patterns or using non-backtracking constructs.
Credential Exposure Detection
- The regex for detecting credentials in atr_security_policy.yaml includes patterns like:
```
value: "(?:sk-[a-zA-Z0-9]{20,}|AKIA[0-9A-Z]{16}|AIza[a-zA-Z0-9_-]{35}|ghp_[a-zA-Z0-9]{36}|xox[bpors]-[a-zA-Z0-9\\-]{10,}|-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----|eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]+)"
```
  - While this is a good start, it may not cover all possible credential formats. For example, some API keys or secrets might not match these patterns.
  - Actionable Recommendation: Consider integrating with a dedicated secrets-detection library like truffleHog or detect-secrets for more comprehensive detection.
Potential Sandbox Escape
- The regex for detecting privilege escalation and dynamic code execution includes patterns like:
```
value: "(?i)(?:eval\\s*\\(|new\\s+Function\\s*\\(|vm\\.(runIn|createContext|compileFunction)|require\\s*\\(\\s*['\"]child_process['\"]|import\\s*\\(\\s*['\"]child_process)"
```
  - While this regex is effective for detecting common patterns, it may not cover all possible variations of dynamic code execution attempts.
  - Actionable Recommendation: Regularly update these patterns based on emerging threats and consider leveraging external libraries or tools that specialize in detecting sandbox escapes.

🟡 WARNING: Potential Breaking Changes

Backward Compatibility of sync_atr_rules.py
- The sync_atr_rules.py script introduces a new way to generate policy documents from ATR rules. While this is a new feature, any changes to the script's behavior or output format in the future could break existing integrations.
- Actionable Recommendation: Clearly document the expected input and output formats for the script. Consider versioning the output format to ensure backward compatibility.
PolicyEvaluator Behavior
- The addition of new rules to the PolicyEvaluator may result in stricter enforcement, potentially causing previously allowed inputs to be denied.
- Actionable Recommendation: Clearly communicate this change in the release notes and provide guidance on how users can customize or disable specific rules if needed.

💡 Suggestions for Improvement

Test Coverage
- The test suite covers a good range of scenarios, but it could be expanded to include:
  - Edge cases for regex patterns (e.g., inputs that are close to matching but should not).
  - Performance tests to ensure that the regex patterns do not introduce significant latency.
- Actionable Recommendation: Add tests for edge cases and performance benchmarks to ensure the robustness and efficiency of the rules.
Dynamic Rule Loading
- The current implementation requires users to manually run the sync_atr_rules.py script to update the rules. This could lead to outdated rules being used in production.
- Actionable Recommendation: Consider adding functionality to automatically fetch and update the rules from the ATR repository at runtime or during deployment.
Documentation
- The documentation is comprehensive, but it could benefit from additional details, such as:
  - Examples of how to customize the rules (e.g., changing priorities or actions).
  - Guidance on how to handle false positives or modify rules.
- Actionable Recommendation: Expand the README.md to include these details.
Thread Safety
- The PolicyEvaluator is used in a pytest fixture and may be used in concurrent agent execution scenarios. However, there is no explicit mention of thread safety in the PolicyEvaluator implementation.
- Actionable Recommendation: Review the PolicyEvaluator implementation to ensure it is thread-safe. If it is not, document this limitation clearly.
Error Handling in sync_atr_rules.py
- The _load_yaml function currently prints warnings to stderr but does not provide a mechanism for the user to handle these errors programmatically.
- Actionable Recommendation: Consider raising exceptions for critical errors (e.g., missing or malformed files) and providing an option to suppress warnings for non-critical issues.
Rule Prioritization
- The mapping of ATR severity levels to AGT priorities is hardcoded in sync_atr_rules.py.
- Actionable Recommendation: Allow users to customize the priority mapping via a configuration file or command-line arguments.

Summary of Feedback

🔴 CRITICAL: Address potential ReDoS vulnerabilities in regex patterns.
🔴 CRITICAL: Enhance credential exposure detection with specialized libraries or tools.
🔴 CRITICAL: Regularly update privilege escalation and sandbox escape detection patterns.
🟡 WARNING: Document the sync_atr_rules.py script's input/output format and consider versioning.
🟡 WARNING: Communicate potential breaking changes in PolicyEvaluator behavior due to stricter rules.
💡 SUGGESTION: Expand test coverage to include edge cases and performance benchmarks.
💡 SUGGESTION: Add dynamic rule-fetching capabilities to keep rules up-to-date.
💡 SUGGESTION: Expand documentation to include customization and false-positive handling.
💡 SUGGESTION: Review PolicyEvaluator for thread safety in concurrent execution scenarios.
💡 SUGGESTION: Improve error handling in sync_atr_rules.py.
💡 SUGGESTION: Allow customization of ATR severity-to-priority mapping.

This PR is a valuable addition to the repository and significantly enhances its security capabilities. Addressing the critical issues and implementing the suggested improvements will ensure a more robust and secure integration.

github-actions

🤖 AI Agent: code-reviewer

Code Review for `feat(examples): add ATR community security rules for PolicyEvaluator`

🔴 CRITICAL: Security Issues

Regex Injection Risk in User Input Matching
- The regex patterns used in atr_security_policy.yaml (e.g., (?i)\b(ignore|disregard|forget|override|bypass)...) are directly matched against user input. If the input is not sanitized or validated before evaluation, it could lead to regex injection attacks.
- Recommendation: Ensure that user inputs are sanitized before being passed to the PolicyEvaluator. Additionally, consider limiting regex complexity to avoid catastrophic backtracking.
Credential Exposure in Logs
- The sync_atr_rules.py script prints warnings and errors to stderr, which may inadvertently expose sensitive information if the script processes malformed or malicious ATR rule files.
- Recommendation: Sanitize all log messages to ensure no sensitive data (e.g., regex patterns, file paths) is exposed. Use structured logging with redaction for sensitive fields.
Privilege Escalation Detection
- The rule atr-00040-privilege-escalation-tools matches user input for privilege escalation attempts. However, it does not account for obfuscated or encoded commands (e.g., Base64-encoded payloads).
- Recommendation: Add additional rules or preprocessing steps to decode common encoding schemes (e.g., Base64, URL encoding) before evaluation.
Dynamic Code Execution Detection
- The rule atr-00110-eval-injection matches patterns for eval, Function, and child_process. However, it does not account for obfuscated or indirect references (e.g., global['eval']).
- Recommendation: Enhance the regex patterns to detect obfuscated or indirect references to dangerous functions.

🟡 WARNING: Potential Breaking Changes

Backward Compatibility of PolicyEvaluator
- The addition of new rules in atr_security_policy.yaml may introduce breaking changes for users who rely on the default behavior of the PolicyEvaluator. For example, legitimate user inputs or tool descriptions might now be flagged as violations.
- Recommendation: Clearly document the impact of these new rules on existing workflows. Provide a mechanism for users to selectively enable/disable specific rules.
Changes to PolicyDocument Schema
- The sync_atr_rules.py script assumes a specific schema for ATR rules and maps them to the AGT PolicyDocument format. If the ATR schema changes, this could break the script.
- Recommendation: Implement schema validation for ATR rule files and provide clear error messages if the schema changes.

💡 Suggestions for Improvement

Testing Coverage
- The test suite in test_atr_policy.py is well-structured but could benefit from additional test cases:
  - Test for false positives with edge cases (e.g., inputs that resemble attack patterns but are benign).
  - Test for performance under high load or with large input sizes.
  - Test the sync_atr_rules.py script with malformed or incomplete ATR rule files to ensure robust error handling.
Documentation Enhancements
- The README.md file in examples/atr-community-rules/ is comprehensive but could include:
  - A section on the potential performance impact of using 108 regex rules.
  - Guidance on how to customize or extend the ruleset for specific use cases.
  - A note on the importance of keeping the ATR rules up-to-date and how to automate the sync process.

Regex Optimization

Some regex patterns in atr_security_policy.yaml are complex and may lead to performance issues (e.g., catastrophic backtracking). For example:

value: "(?i)\\b(ignore|disregard|forget|override|bypass|skip|abandon|drop|cancel|suppress)\\s+(all\\s+)?(the\\s+|your\\s+|my\\s+|any\\s+)?(previous|prior|above|earlier|preceding|original|existing|current|initial|default)?\\s*(instructions?|prompts?|rules?|guidelines?|directives?|constraints?|context|programming|protocols?|policies|configuration|guardrails?|restrictions?)"

Recommendation: Use simpler patterns or pre-compile regexes to improve performance. Consider using a regex library that supports timeout or complexity limits.

Thread Safety
- The PolicyEvaluator is not explicitly documented as thread-safe. If it is used in a multithreaded environment, there could be race conditions or shared state issues.
- Recommendation: Audit the PolicyEvaluator implementation for thread safety. If it is not thread-safe, document this limitation and provide guidance for safe usage.
Sync Script Error Handling
- The sync_atr_rules.py script exits with sys.exit(1) on errors (e.g., missing YAML files). This could disrupt automated pipelines.
- Recommendation: Return structured error messages or codes instead of exiting abruptly. Allow the script to continue processing other files even if some fail.
Type Annotations
- The sync_atr_rules.py script uses type annotations, but some functions (e.g., _load_yaml, _extract_regex_patterns) could benefit from more precise types.
- Recommendation: Use TypedDict or dataclasses for structured data like ATR rules and AGT policies.
Performance Considerations
- Matching 108 regex patterns against user input or tool descriptions could impact performance, especially in high-throughput environments.
- Recommendation: Benchmark the PolicyEvaluator with the full ATR ruleset under realistic workloads. Consider optimizing the matching process, such as grouping similar patterns or using a regex engine with better performance characteristics.
Backward Compatibility Testing
- The addition of new rules could impact existing users. There is no evidence of backward compatibility testing in the PR.
- Recommendation: Add a test suite to verify that existing workflows are not disrupted by the new rules.

Summary of Recommendations

Critical: Address regex injection risks, log sanitization, and enhance detection for obfuscated threats.
Warning: Document potential breaking changes and ensure backward compatibility.
Suggestions: Improve testing coverage, optimize regex patterns, and enhance documentation.

This PR introduces valuable security features but requires additional safeguards and testing to ensure robustness and compatibility.

lawcontinue · 2026-04-10T12:05:45Z

PR #908 安全审计报告

Issue: #901 - ATR 社区检测规则集成
PR: #908 - 添加 ATR 安全规则
审计日期: 2026-04-10
状态: 草稿 - 待审阅

总结

结论: ⚠️ 条件批准（修复 3 个问题后合并）

关键发现: 108 条规则（Cisco 生产使用），但有 3 个安全问题必须修复。

🔴 关键问题（必须修复）

问题 #1: 供应链漏洞 🔴 CRITICAL

严重性: CRITICAL
CVSS 评分: 7.8 (High)

问题描述:
sync_atr_rules.py 从 npm 下载 agent-threat-rules 时没有完整性验证。如果 npm 包被劫持，可能注入恶意规则。

证据:

# sync_atr_rules.py: 没有依赖锁定，没有 checksum 验证
$ npm install agent-threat-rules  # 没有 package-lock.json 验证
$ python sync_atr_rules.py --atr-dir node_modules/agent-threat-rules/rules/

攻击向量:

依赖混淆攻击
Typosquatting（如 agent-threat-roles）
npm 账号被劫持 → 恶意 action: allow 规则

影响:

恶意规则绕过安全策略
静默降级策略
供应链攻击（影响所有 AGT 用户）

修复建议:

# 1. 添加 package-lock.json 完整性检查
$ npm install agent-threat-rules
$ sha256sum node_modules/agent-threat-rules/package/integrity.json

# 2. 验证 ATR 规则签名（如果可用）
# 3. 在 README 固定版本号
npm install agent-threat-rules@1.1.1  # 明确版本

# 4. 在同步脚本添加 checksum 验证
ATR_INTEGRITY_HASH = "sha256:abc123..."  # 从 ATR 官方发布获取

问题 #2: Unicode/混淆绕过 🔴 CRITICAL

严重性: CRITICAL
CVSS 评分: 8.2 (High)

问题描述:
基于 Regex 的检测可被 Unicode 同形字、空格变化或字符拆分绕过。

证据:

# atr_security_policy.yaml: ATR-00001
# 原始 regex: \\b(ignore|disregard|forget|override|bypass)\\b

# 绕过示例:
"Igno re all previous instructions"  # 空格拆分
"Igⲛore all previous instructions"  # 希腊字母 'nu' (U+043D)
"Ig\u006eore all previous"            # Unicode 转义
"Igno|re all previous"                # 管道注入

攻击向量:

Unicode 同形字替换（ᴀʙᴄ → ABС）
零宽字符（U+200B, U+FEFF）
多脚本混合（拉丁文 + 西里尔文）
字符级混淆

影响:

0% 误报率 → 潜在 10-30% 绕过率
失去 Regex 检测的意义

修复建议:

# 1. 在 Regex 匹配前添加 Unicode 标准化
import unicodedata

def normalize_input(text: str) -> str:
    """NFKC 标准化 + 同形字检测"""
    normalized = unicodedata.normalize('NFKC', text)
    # TODO: 添加同形字检测
    return normalized

问题 #3: 缺少恶意规则防护 🟠 HIGH

严重性: HIGH
CVSS 评分: 7.1 (High)

问题描述:
sync_atr_rules.py 盲目信任所有 ATR YAML 文件，没有验证它们只包含 action: deny 规则。

证据:

# sync_atr_rules.py:88
def _atr_to_agt_rule(atr: dict[str, Any], pattern: str, index: int) -> dict[str, Any]:
    return {
        "action": "deny",  # ← 硬编码，但没有验证！
    }

攻击向量:

ATR 仓库被攻击，添加 action: allow 规则
同步脚本导入它们 → 策略被削弱

修复建议:

# 在同步脚本添加验证
ALLOWED_ACTIONS = {"deny"}  # 只允许 deny 规则

def _atr_to_agt_rule(atr: dict[str, Any], pattern: str, index: int) -> dict[str, Any]:
    atr_action = atr.get("action", "deny")
    if atr_action not in ALLOWED_ACTIONS:
        raise ValueError(f"不安全的 ATR 规则操作: {atr_action}")

✅ 优点

1. 外部验证 ✅

Cisco 使用（108 条规则，生产验证）
精确度 99.6%（MCP 工具描述）
0% 误报（53,577 skills 测试）
MIT 许可证（兼容）

2. 架构 ✅

ATR → AGT 映射清晰
符合 PolicyEvaluator 接口
易扩展

3. 文档 ✅

README 详细（72 行）
使用说明清晰

4. 代码质量 ✅

使用 yaml.safe_load
类型注解完整
错误处理合理

🎯 建议

合并前（必须）:

添加供应链验证（依赖锁定 + checksums）
添加 Unicode 标准化（Regex 匹配前）
添加规则验证（拒绝 action: allow）

合并后（建议）:

考虑添加基于 NLP 的语义检测
扩展测试覆盖（同形字、混淆）
添加性能基准（108 条规则）

结论

决策: ⚠️ 条件批准

条件:

🔴 供应链验证
🔴 Unicode 标准化
🟠 规则验证

修复时间: 预计 2-3 小时

下一步:

在 PR feat(examples): add ATR community security rules for PolicyEvaluator #908 发布反馈
等待贡献者修复
重新审查后合并

审计日期: 2026-04-10

imran-siddique · 2026-04-11T15:39:10Z

Review Notes

Thanks for the contribution! The ATR rules integration looks well-structured. A few items flagged during review that need resolution before merge:

1. Dependency confusion risk — The sync script references \
pm install agent-threat-rules\. This package is not in our registered dependency list. Per our supply chain security policy, we need to verify:

Is this package published on npm by a trusted maintainer?
What is the download count and community traction?
Per our External Contribution Quality Gate: the \�gent-threat-rules\ npm package and the ATR project should have meaningful community adoption (50+ stars, multiple contributors)

2. Escalation required — Per our decision escalation policy, this is a new framework integration that adds external dependency patterns. Maintainer (@imran-siddique) review is required before merge.

3. Missing \init.py\ — The \�xamples/atr-community-rules/\ directory has Python files but no \init.py\. While this is under examples/ (not a package), adding one would be consistent.

Code review findings are otherwise clean: license headers present, no unsafe patterns, regex patterns for secret detection are appropriately illustrative (not real secrets).

aymenhmaidiwastaken

Nice work on the ATR converter! One small suggestion — sys.exit() inside a library function (convert_atr_directory) makes it harder to reuse and test. Raising an exception lets callers decide how to handle the error.

lawcontinue · 2026-04-12T16:41:06Z

Addressing Review Feedback

Thanks @imran-siddique @aymenhmaidiwastaken for the thorough review. Addressing each item:

1. `sys.exit()` → `FileNotFoundError` ✅

Good catch @aymenhmaidiwastaken. Agree completely — convert_atr_directory should raise, not exit. Here's the fix:

# In convert_atr_directory():
if not rule_files:
    raise FileNotFoundError(f"No YAML files found in {atr_dir}")

# In main(), catch it cleanly:
try:
    policy = convert_atr_directory(args.atr_dir)
except FileNotFoundError as exc:
    print(f"ERROR: {exc}", file=sys.stderr)
    sys.exit(1)

This keeps the library function testable while main() still exits with a clear error.

2. Missing `init.py` ✅

Will add examples/atr-community-rules/__init__.py for consistency with other example directories.

3. Dependency verification — `agent-threat-rules` npm package

Fair concern. Here is the verification:

npm package: https://www.npmjs.com/package/agent-threat-rules
GitHub: https://github.com/Agent-Threat-Rule/agent-threat-rules — 200+ stars, MIT license, multiple contributors
Adopted by Cisco AI Defense: 34 rules merged (PR Agent-Threat-Rule/agent-threat-rules#79)
Wild-tested: 53,577 skills scanned, 946 flagged (1.77% flag rate), 0% false positive on clean corpus
License: MIT, compatible with AGT's MIT license

The sync script is optional — it's for users who want the full 108-rule set. The pre-built atr_security_policy.yaml (15 rules, committed directly) works without any npm dependency.

4. Note on supply chain hygiene

To mitigate the dependency confusion risk: the sync script reads from a local directory (--atr-dir), not directly from npm. Users can pin the version in their package.json and audit the rules before converting. The sync operation is a one-time local conversion, not a runtime dependency.

@eeee2345 can push the sys.exit() fix and __init__.py when ready.

imran-siddique · 2026-04-13T04:04:37Z

Thanks for the thorough response! The verification on agent-threat-rules is solid (200+ stars, Cisco adoption, MIT). The pre-built 15-rule YAML works without npm dependency, and the sync script is a local one-time operation — that's acceptable.

Ready to merge once @eeee2345 pushes:

sys.exit() -> FileNotFoundError fix
init.py added

Please push and we will merge.

* feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]>

…1017) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]>

* feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]>

* fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <[email protected]> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <[email protected]> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <[email protected]> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <[email protected]> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <[email protected]> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <[email protected]> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <[email protected]> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <[email protected]> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <[email protected]> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <[email protected]> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <[email protected]> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <[email protected]> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <[email protected]> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]>

…#1166) * feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <[email protected]> * docs: reland empty-merge changes from PRs #1017 and #1020 (#1125) PRs #1017 and #1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR #1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR #1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <[email protected]> * docs: address external critic gaps (#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <[email protected]> * fix(ci): add path filters and concurrency; announce v3.1.0 release (#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: add ADOPTERS.md and make deployment guides multi-cloud (#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <[email protected]> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <[email protected]> * feat(ci): enhance weekly security audit with 7 new scan jobs (#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <[email protected]> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <[email protected]> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <[email protected]> * feat: deployment runtime (Docker/AKS) and shared trust core types (#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <[email protected]> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <[email protected]> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <[email protected]> * docs: Add Scaling AI Agents article to COMMUNITY.md (#857) Co-authored-by: deepsearch <[email protected]> * Add runtime evidence mode to agt verify (#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <[email protected]> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]>

…) + critic gap docs (#1170) * feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <[email protected]> * docs: reland empty-merge changes from PRs #1017 and #1020 (#1125) PRs #1017 and #1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR #1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR #1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <[email protected]> * docs: address external critic gaps (#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <[email protected]> * fix(ci): add path filters and concurrency; announce v3.1.0 release (#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: add ADOPTERS.md and make deployment guides multi-cloud (#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <[email protected]> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <[email protected]> * feat(ci): enhance weekly security audit with 7 new scan jobs (#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <[email protected]> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <[email protected]> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <[email protected]> * feat: deployment runtime (Docker/AKS) and shared trust core types (#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <[email protected]> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <[email protected]> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <[email protected]> * docs: Add Scaling AI Agents article to COMMUNITY.md (#857) Co-authored-by: deepsearch <[email protected]> * Add runtime evidence mode to agt verify (#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <[email protected]> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]> * docs: address external critic gaps in limitations and threat model (#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <[email protected]> * fix!: standardize DID method to did:agentmesh across all SDKs (#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <[email protected]> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]>

…1192) * feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <[email protected]> * docs: reland empty-merge changes from PRs #1017 and #1020 (#1125) PRs #1017 and #1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR #1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR #1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <[email protected]> * docs: address external critic gaps (#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <[email protected]> * fix(ci): add path filters and concurrency; announce v3.1.0 release (#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: add ADOPTERS.md and make deployment guides multi-cloud (#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <[email protected]> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <[email protected]> * feat(ci): enhance weekly security audit with 7 new scan jobs (#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <[email protected]> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <[email protected]> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <[email protected]> * feat: deployment runtime (Docker/AKS) and shared trust core types (#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <[email protected]> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <[email protected]> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <[email protected]> * docs: Add Scaling AI Agents article to COMMUNITY.md (#857) Co-authored-by: deepsearch <[email protected]> * Add runtime evidence mode to agt verify (#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <[email protected]> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]> * docs: address external critic gaps in limitations and threat model (#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <[email protected]> * fix!: standardize DID method to did:agentmesh across all SDKs (#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <[email protected]> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): fix lint errors and remove pi-mono breaking dep scan Two CI failures on main: 1. lint (agent-compliance): W293/W292 trailing whitespace and missing newlines in agt.py and verify.py — fixed. 2. dependency-scan: pi-mono-agentmesh references unregistered npm packages — removed entire pi-mono integration that was merged from draft PR #970 without proper review. Co-authored-by: Copilot <[email protected]> * feat: add AgentMesh component container images and GHCR publishing Add FastAPI server entrypoints for all four AgentMesh components: - trust-engine (port 8443): Agent identity verification, IATP handshakes - policy-server (port 8444): Governance policy evaluation from YAML/JSON - audit-collector (port 8445): Merkle-chained audit logging with persistence - api-gateway (port 8446): Reverse proxy with per-agent rate limiting Infrastructure: - Single Dockerfile with COMPONENT build arg (non-root, tini, health checks) - GitHub Actions workflow for GHCR publishing (multi-arch amd64/arm64) - Helm chart updated to reference ghcr.io/microsoft/agentmesh/* images - 28 integration tests covering all server endpoints Resolves the missing container images that blocked full AgentMesh cluster deployment (images were referenced in Helm chart but never built). Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]>

* feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <[email protected]> * docs: reland empty-merge changes from PRs #1017 and #1020 (#1125) PRs #1017 and #1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR #1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR #1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <[email protected]> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <[email protected]> * docs: address external critic gaps (#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <[email protected]> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <[email protected]> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <[email protected]> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <[email protected]> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <[email protected]> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <[email protected]> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <[email protected]> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <[email protected]> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <[email protected]> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <[email protected]> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <[email protected]> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <[email protected]> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <[email protected]> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <[email protected]> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <[email protected]> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <[email protected]> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <[email protected]> * fix(ci): add path filters and concurrency; announce v3.1.0 release (#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <[email protected]> * docs: add ADOPTERS.md and make deployment guides multi-cloud (#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <[email protected]> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <[email protected]> * feat(ci): enhance weekly security audit with 7 new scan jobs (#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <[email protected]> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <[email protected]> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <[email protected]> * feat: deployment runtime (Docker/AKS) and shared trust core types (#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <[email protected]> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK (#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <[email protected]> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <[email protected]> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <[email protected]> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <[email protected]> * docs: Add Scaling AI Agents article to COMMUNITY.md (#857) Co-authored-by: deepsearch <[email protected]> * Add runtime evidence mode to agt verify (#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <[email protected]> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]> * docs: address external critic gaps in limitations and threat model (#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <[email protected]> * fix!: standardize DID method to did:agentmesh across all SDKs (#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <[email protected]> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> * fix(security): address all 14 open code scanning alerts (#13) * fix: address 6 Dependabot security vulnerabilities - python-multipart 0.0.22 → 0.0.26 (DoS via large preamble/epilogue) - pytest 8.4.1 → 9.0.3 (tmpdir handling vulnerability) - langchain-core 1.2.11 → 1.2.28 (SSRF, path traversal, f-string validation) - langchain-core >=0.2.0,<1.0 → >=1.2.28 in langchain-agentmesh pyproject.toml - tsup 8.0.0 → 8.5.1 (DOM clobbering vulnerability) - rand 0.8.5: dismissed #176 as inaccurate (vuln affects rand::rng() 0.9.x API only) Fixes Dependabot alerts: #177, #175, #166, #164, #157, #156 Dismissed: #176 (not applicable to rand 0.8.x) Co-authored-by: Copilot <[email protected]> * fix(security): address all 14 open code scanning alerts Scorecard HIGH: - publish-containers.yml: scope packages:write to job level (#316) Scorecard MEDIUM (pinned dependencies): - docs.yml: pin 4 GitHub Actions by SHA hash (#311-314) - docs.yml: use requirements.txt for pip install (#315) - agent-mesh Dockerfile: pin python:3.11-slim by SHA (#317,#318) - agent-os Dockerfile.sidecar: pin python:3.14-slim by SHA (#295,#296) - dashboard Dockerfile: pin python:3.12-slim by SHA (#291,#293) CodeQL: - test_time_decay.py: timedelta(days=365) -> 366 for leap safety (#289,#290) Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: kevinkaylie <[email protected]> Co-authored-by: Aymen Hmaidi <[email protected]> Co-authored-by: harshnair75567-cloud <[email protected]> Co-authored-by: Adamthereal <[email protected]> Co-authored-by: Jack Batzner <[email protected]> Co-authored-by: lawcontinue <[email protected]> Co-authored-by: deepsearch <[email protected]> Co-authored-by: ewmh <[email protected]> Co-authored-by: T. Smith <[email protected]>

@latest

…), add weekly sync workflow, fix #908 owed items (#1277) * feat(examples/atr-community-rules): upgrade 15→287 rules (ATR v2.0.12), add weekly sync workflow, fix #908 owed items - Upgrade atr_security_policy.yaml from 15 curated rules to 287 production-ready rules from ATR v2.0.12 (314 total; 27 excluded by maturity filter: 21 status:draft + 6 maturity:test) - Add sync_atr_rules.py maturity filter: skips status:draft and maturity:test rules - Add atr_community_policy_full.yaml: full auto-generated policy baseline - Add .github/workflows/sync-atr-community-rules.yml: weekly Monday sync, never commits to main, opens PR for human review, SHA-pinned actions - Add examples/atr-community-rules/__init__.py: promised in #908 - Update test_atr_policy.py: add TestCVECoverageDenied + TestCVECoverageAllowed classes covering CVE-2025-59528 (Flowise), CVE-2026-33032 (MCPwn), CVE-2026-27825/27826 (mcp-atlassian) Builds on #908. * fix(sync-workflow): pin agent-threat-rules to @2.0.12 instead of @latest Addresses supply chain concern from code-reviewer bot: pinned version prevents a compromised npm publish from auto-injecting malicious rules on next sync. Update the pin manually after verifying each ATR release. --------- Co-authored-by: Panguard AI <[email protected]>

@latest

…), add weekly sync workflow, fix microsoft#908 owed items (microsoft#1277) * feat(examples/atr-community-rules): upgrade 15→287 rules (ATR v2.0.12), add weekly sync workflow, fix microsoft#908 owed items - Upgrade atr_security_policy.yaml from 15 curated rules to 287 production-ready rules from ATR v2.0.12 (314 total; 27 excluded by maturity filter: 21 status:draft + 6 maturity:test) - Add sync_atr_rules.py maturity filter: skips status:draft and maturity:test rules - Add atr_community_policy_full.yaml: full auto-generated policy baseline - Add .github/workflows/sync-atr-community-rules.yml: weekly Monday sync, never commits to main, opens PR for human review, SHA-pinned actions - Add examples/atr-community-rules/__init__.py: promised in microsoft#908 - Update test_atr_policy.py: add TestCVECoverageDenied + TestCVECoverageAllowed classes covering CVE-2025-59528 (Flowise), CVE-2026-33032 (MCPwn), CVE-2026-27825/27826 (mcp-atlassian) Builds on microsoft#908. * fix(sync-workflow): pin agent-threat-rules to @2.0.12 instead of @latest Addresses supply chain concern from code-reviewer bot: pinned version prevents a compromised npm publish from auto-injecting malicious rules on next sync. Update the pin manually after verifying each ATR release. --------- Co-authored-by: Panguard AI <[email protected]>

feat(examples): add ATR community security rules for PolicyEvaluator

d091683

Add 15 high-confidence detection rules from Agent Threat Rules (ATR) mapped to AGT's PolicyDocument format, plus a sync script for the full 108-rule set. Closes microsoft#901

eeee2345 mentioned this pull request Apr 8, 2026

Community detection rules integration — ATR (108 rules, shipped in Cisco AI Defense) #901

Closed

github-actions Bot added documentation Improvements or additions to documentation size/XL Extra large PR (500+ lines) labels Apr 8, 2026

github-actions Bot reviewed Apr 8, 2026

View reviewed changes

imran-siddique requested changes Apr 8, 2026

View reviewed changes

fix: add license headers, encoding param, trailing newlines

511ba84

Address review feedback from @imran-siddique: - Add Microsoft MIT license headers to .py files - Add encoding='utf-8' to all open() calls - Ensure trailing newlines on all files

github-actions Bot reviewed Apr 8, 2026

View reviewed changes

imran-siddique enabled auto-merge (squash) April 8, 2026 23:49

fix: add cspell disable for pytest in code block

f5094be

auto-merge was automatically disabled April 8, 2026 23:55
Head branch was pushed to by a user without write access

github-actions Bot reviewed Apr 8, 2026

View reviewed changes

aymenhmaidiwastaken reviewed Apr 11, 2026

View reviewed changes

Comment thread examples/atr-community-rules/sync_atr_rules.py

imran-siddique merged commit 46b56f5 into microsoft:main Apr 13, 2026
6 of 7 checks passed

imran-siddique mentioned this pull request Apr 13, 2026

[v3.1.0] Release showcase — what's new and what's next #931

Closed

eeee2345 mentioned this pull request Apr 19, 2026

Add ATR detection rules as community detection resource safe-agentic-framework/safe-mcp#187

Open

Conversation

eeee2345 commented Apr 8, 2026

Add ATR community security rules for PolicyEvaluator

What this PR does

Why ATR?

How it maps to AGT architecture

Sync script for the full ruleset

Testing

Links

Uh oh!

github-actions Bot commented Apr 8, 2026

Welcome to the Microsoft Agent Governance Toolkit Community! 🎉

What You Did Well 🌟

Suggestions for Improvement ✨

Next Steps 🚀

Helpful Resources 📚

Uh oh!

github-actions Bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Security Review of Pull Request: feat(examples): add ATR community security rules for PolicyEvaluator

1. Prompt Injection Defense Bypass

2. Policy Engine Circumvention

3. Trust Chain Weaknesses

4. Credential Exposure

5. Sandbox Escape

6. Deserialization Attacks

7. Race Conditions

8. Supply Chain Risks

Additional Observations

Summary of Findings

Final Recommendation

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

🤖 AI Agent: code-reviewer

Review Summary

🔴 CRITICAL

🟡 WARNING

💡 SUGGESTIONS

Final Assessment

Uh oh!

eeee2345 commented Apr 8, 2026

Uh oh!

imran-siddique left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

🤖 AI Agent: code-reviewer

Review Summary

🔴 CRITICAL: Security Issues

🟡 WARNING: Potential Breaking Changes

💡 Suggestions for Improvement

Summary of Feedback

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

🤖 AI Agent: code-reviewer

Code Review for feat(examples): add ATR community security rules for PolicyEvaluator

🔴 CRITICAL: Security Issues

🟡 WARNING: Potential Breaking Changes

💡 Suggestions for Improvement

Summary of Recommendations

Uh oh!

lawcontinue commented Apr 10, 2026

PR #908 安全审计报告

总结

🔴 关键问题（必须修复）

问题 #1: 供应链漏洞 🔴 CRITICAL

问题 #2: Unicode/混淆绕过 🔴 CRITICAL

问题 #3: 缺少恶意规则防护 🟠 HIGH

✅ 优点

1. 外部验证 ✅

2. 架构 ✅

3. 文档 ✅

4. 代码质量 ✅

🎯 建议

合并前（必须）:

合并后（建议）:

结论

github-actions Bot commented Apr 8, 2026 •

edited

Loading

Code Review for `feat(examples): add ATR community security rules for PolicyEvaluator`

1. `sys.exit()` → `FileNotFoundError` ✅

2. Missing `init.py` ✅

3. Dependency verification — `agent-threat-rules` npm package