Skip to content

CHANGELOG.md

Latest commit

 

History

History
290 lines (216 loc) · 17.4 KB

CHANGELOG.md

File metadata and controls

290 lines (216 loc) · 17.4 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Important

All releases to date are community preview releases for testing and evaluation. They are not official Microsoft-signed releases. Official signed packages are coming in a future release.

[Unreleased]

Added

  • Demo --include-attacks flag for adversarial scenario testing (prompt injection, tool alias bypass, SQL bypass).
  • .NET SagaStep.MaxAttempts property replacing deprecated MaxRetries.
  • ContentHashInterceptor for SHA-256 tool identity verification at intercept time.
  • ToolRegistry content hashing — computes and verifies handler integrity at registration and execution.
  • PolicyEngine.freeze() method with MappingProxyType immutability and mutation audit log.
  • QuorumConfig for M-of-N approval requirements in EscalationHandler.
  • Escalation fatigue detection — auto-DENY when agents exceed configurable rate threshold.
  • EscalationRequest.votes field for per-approver vote tracking.

Security

  • Replaced XOR placeholder encryption with AES-256-GCM in DMZ module.
  • Added Security Model & Limitations section to README.
  • Added security advisories to SECURITY.md for CostGuard and thread safety fixes.
  • Hardened against agent sandbox escape vectors (tool aliasing, runtime policy self-modification, approval fatigue).

[2.2.0] - 2026-03-17

Added

  • ESRP Release ADO pipeline for PyPI publishing (pipelines/pypi-publish.yml)
  • ESRP Release ADO pipeline for npm publishing (pipelines/npm-publish.yml)
  • npm build + pack job in GitHub Actions publish workflow
  • Community preview disclaimers across all READMEs, release notes, and package descriptions
  • PUBLISHING.md guide covering PyPI, npm, and NuGet publishing requirements
  • agent-runtime re-export wrapper package (src/agent_runtime/__init__.py)
  • RELEASE_NOTES_v2.2.0.md
  • create_policies_from_config() API — load security policies from YAML config files
  • SQLPolicyConfig dataclass and load_sql_policy_config() for structured policy loading
  • 10 sample policy configs in examples/policies/ (sql-safety, sql-strict, sql-readonly, sandbox-safety, prompt-injection-safety, mcp-security, semantic-policy, pii-detection, conversation-guardian, cli-security-rules)
  • Configurable security rules across 7 modules: sandbox, prompt injection, MCP security, semantic policy, PII detection, conversation guardian, CLI checker

Changed

  • GitHub Actions publish.yml no longer publishes to PyPI (build + attest only)
  • Python package author updated to Microsoft Corporation with team DL (all 7 packages)
  • npm packages renamed to @microsoft scope (from @agentmesh, @agent-os, unscoped)
  • npm package author set to Microsoft Corporation (all 9 packages)
  • All package descriptions prefixed with Community Edition
  • License corrected to MIT where mismatched (agent-mesh classifier, 2 npm packages)

Deprecated

  • create_default_policies() — emits runtime warning directing users to create_policies_from_config() with explicit YAML configs

Security

  • Expanded SQL policy deny-list to block GRANT, REVOKE, CREATE USER, EXEC xp_cmdshell, UPDATE without WHERE, MERGE INTO
  • Externalized all hardcoded security rules to YAML configuration across 7 modules

Fixed

  • agent-runtime build failure (invalid parent-directory hatch reference)
  • Missing License :: OSI Approved :: MIT License classifier in 3 Python packages
  • Incorrect repository URLs in 2 npm packages

2.1.0 - 2026-03-15

🚀 Highlights

Multi-language SDK readiness, TypeScript full parity, .NET NuGet hardening, 70+ commits since v1.1.0. This release makes the toolkit a true polyglot governance layer — Python, TypeScript, and .NET are all first-class citizens with install instructions, quickstarts, and package metadata ready for registry publishing.

Added

  • TypeScript SDK full parity (— PolicyEngine + AgentIdentity) — rich policy evaluation with 4 conflict resolution strategies, expression evaluator, rate limiting, YAML/JSON policy documents, Ed25519 identity with lifecycle/delegation/JWK/JWKS/DID export, IdentityRegistry with cascade revocation. 136 tests passing. (#269)
  • @agentmesh/sdk 1.0.0 — TypeScript package now publish-ready with exports field, prepublishOnly build hook, correct repository.directory, MIT license.
  • Multi-language README — root README now surfaces Python (PyPI), TypeScript (npm), and .NET (NuGet) install sections, badges, quickstart code, and a multi-SDK packages table.
  • Multi-language QUICKSTART — getting started guide now covers all three SDKs with code examples.
  • Semantic Kernel + Azure AI Foundry added to framework integration table.
  • 5 standalone framework quickstarts — one-file runnable examples for LangChain, CrewAI, AutoGen, OpenAI Agents, Google ADK.
  • Competitive comparison page — vs NeMo Guardrails, Guardrails AI, LiteLLM, Portkey (docs/COMPARISON.md).
  • GitHub Copilot Extension — agent governance code review extension for Copilot.
  • Observability integrations — Prometheus, OpenTelemetry, PagerDuty, Grafana (#49).
  • NIST RFI mapping — question-by-question mapping to NIST AI Agent Security RFI 2026-00206 (#29).
  • Performance benchmarks — published BENCHMARKS.md with p50/p99 latency, throughput at 50 concurrent agents (#231).
  • 6 comprehensive governance tutorials — policy engine, trust & identity, framework integrations, audit & compliance, agent reliability, execution sandboxing (#187).
  • Azure deployment guides — AKS, Azure AI Foundry, Container Apps, OpenClaw sidecar.

Changed

  • agent-governance (formerly ai-agent-compliance): Renamed PyPI package for better discoverability.
  • README architecture disclaimer reframed from apology to confidence — leads with enforcement model, composes with container isolation (#240).
  • README tagline updated for OWASP 10/10 discoverability.
  • .NET NuGet metadata enhanced — Authors, License, RepositoryUrl, Tags, ReadmeFile in csproj.
  • All example install strings updated from ai-agent-compliance[full] to agent-governance[full].
  • Demo fixed: legacy agent-hypervisor path → agent-runtime.
  • BENCHMARKS.md: fixed stale "VADP version" reference.

Fixed

  • Demo fixed: legacy agent-hypervisor path → agent-runtime.
  • BENCHMARKS.md: fixed stale "VADP version" reference.
  • .NET bug sweep — thread safety, error surfacing, caching, disposal fixes (#252).
  • Behavioral anomaly detection implemented in RingBreachDetector.
  • CLI edge case tests and input validation for agent-compliance (#234).
  • Cross-package import errors breaking CI resolved (#222).
  • OWASP-COMPLIANCE.md broken link fix + Copilot extension server hardening (#270).

Security

  • CostGuard org kill switch bypass — crafted IEEE 754 inputs (NaN/Inf/negative) could bypass organization-level kill switch. Fixed with input validation + persistent _org_killed flag (#272).
  • CostGuard thread safety — bound breach history + Lock for concurrent access (#253).
  • ErrorBudget._events bounded with deque(maxlen=N) to prevent unbounded growth (#172).
  • VectorClock thread safety + integrity type hints (#243).
  • Block importlib dynamic imports in sandbox (#189).
  • Centralize hardcoded ring thresholds and constants (#188).

Infrastructure

  • Phase 3 architecture rename propagated across 52 files (#221).
  • Deferred architecture extractions — slim OS init, marketplace, lightning (#207).
  • Architecture naming review and layer consolidation (#206).
  • agentmesh-integrations migrated into monorepo (#138).
  • CI test matrix updated with agentmesh-integrations packages (#226).
  • OpenSSF Scorecard improved from 5.3 to ~7.7 (#113, #137).

Install

# Python
pip install agent-governance-toolkit[full]

# TypeScript
npm install @agentmesh/sdk

# .NET
dotnet add package Microsoft.AgentGovernance

[2.0.2] - 2026-03-12

Changed

  • agent-runtime: Version bump to align with mono-repo versioning

Security

  • Block importlib dynamic imports in sandbox (#189)

[2.0.1] - 2026-03-11

Changed

  • agent-runtime: Centralize hardcoded ring thresholds and constants (#188)

1.1.0 - 2026-03-08

🚀 Highlights

15 issues closed, 339+ tests added, 12 architectural features shipped — in 72 hours from first analysis to merged code. This release transforms the toolkit from a well-structured v1.0 into an enterprise-hardened governance layer with real adversarial durability.

Added — Security & Adversarial Durability

  • Policy conflict resolution engine — 4 declared strategies (DENY_OVERRIDES, ALLOW_OVERRIDES, PRIORITY_FIRST_MATCH, MOST_SPECIFIC_WINS) with 3-tier policy scope model (global → tenant → agent) and auditable resolution trace. Answers the question every security architect will ask: "if two policies conflict, which wins?" (#91)
  • Session policy pinningcreate_context() now deep-copies policy so running sessions get immutable snapshots. Mid-flight policy mutations no longer leak into active sessions. (#92)
  • Tool alias registry — Canonical capability mapping for 7 tool families (30+ aliases) prevents policy bypass via tool renaming. bing_search can no longer dodge a web_search block. (#94)
  • Human-in-the-loop escalationEscalationPolicy with ESCALATE tier, InMemoryApprovalQueue, and WebhookApprovalBackend. Adds the suspend-and-route-to-human path required by regulated industries (healthcare, finance, legal). (#81)

Added — Reliability & Operations

  • Inter-package version compatibility matrixdoctor() function with runtime compatibility checking across all 5 packages. Detects silent version skew before it causes trust handshake failures. (#83)
  • Credential lifecycle management — Wired RevocationList into CardRegistry.is_verified() so revoked credentials are actually rejected. Key rotation now has a kill path. (#82)
  • File-backed trust persistenceFileTrustStore with JSON persistence, atomic writes, and thread safety. Trust scores survive agent restarts — misbehaving agents can no longer reset reputation by crashing. (#86)
  • Policy schema versioningapiVersion field with validation, migration tooling, and deprecation warnings. Schema evolution in v1.2+ won't silently break existing policy files. (#87)

Added — Supply Chain & Certification (PR #99)

  • Bootstrap integrity verificationIntegrityVerifier hashes 15 governance module source files and 4 critical function bytecodes (SHA-256) against a published integrity.json manifest. Detects supply chain tampering before any policy evaluation occurs. (#95)
  • Governance certification CLIagent-governance verify checks all 10 OWASP ASI 2026 controls, generates signed attestations, and outputs shields.io badges for README embedding. agent-governance integrity --generate creates baseline manifests for release signing.

Added — Governance Enhancements (PR #90)

  • SIGKILL-analog process isolation — Real os.kill(SIGKILL) for Linux, TerminateProcess for Windows, with PID tracking and cgroup integration. Not a simulated kill — actual process-level termination. (#77)
  • OpenTelemetry observabilityGovernanceTracer with distributed traces, span events for policy checks, custom metrics (policy evaluations, violations, latency histograms), and OTLP exporter integration. (#76)
  • Async concurrency safetyasyncio.Lock guards on shared state, ConcurrencyStats tracking, deadlock detection with configurable timeouts. Concurrent agent evaluations no longer corrupt trust scores. (#75)
  • Policy-as-code CI pipelinePolicyCI class with YAML linting, schema validation, conflict detection, and dry-run simulation. Integrates with GitHub Actions for PR-time policy validation. (#74)
  • Deep framework integrationsLangChainGovernanceCallback, CrewAIGovernanceMiddleware, AutoGenGovernanceHook with framework-specific lifecycle hooks, not just wrapper-level interception. (#73)
  • External audit trail integritySignedAuditEntry with Ed25519 signatures, HashChainVerifier for tamper detection, FileAuditSink for append-only external storage. Cryptographic proof that audit logs haven't been modified. (#72)
  • Behavioral anomaly detection — Statistical anomaly detection for agent behavior patterns (tool call frequency, response time, error rate) with configurable sensitivity. Catches rogue agents before they violate explicit rules. (#71)

Added — Infrastructure

  • Copilot auto-review workflow — Automated PR review on every pull request. (#70)
  • 7 production module ports — Episodic Memory Kernel, CMVK, Self-Correcting Agent Kernel, Context-as-a-Service, Agent Control Plane, Trust Engine, Mute Agent infrastructure — ported from internal production with full test coverage. (#63–#69)

Fixed

  • 44 code scanning alerts resolved — CodeQL SAST findings across the entire repository including CWE-209 (error information exposure), CWE-116 (improper encoding), and CWE-20 (improper input validation). (#79)

Security

  • All cryptographic operations use real Ed25519 primitives (not placeholder/XOR).
  • Prompt injection defense verified: prompt_injection.py + LlamaFirewall + OutputValidationMiddleware.
  • SLO alerting verified: AlertManager with Slack, PagerDuty, Teams, and OpsGenie channels.

Test Coverage

  • 339+ new tests across all features with full assertion coverage.
  • All 5 packages pass CI independently.

Install

pip install agent-governance-toolkit[full]

1.0.1 - 2026-03-06

Added

  • CODEOWNERS — Default and per-package code ownership for review routing.
  • SBOM workflow — Generates SPDX-JSON and CycloneDX-JSON on every release with GitHub attestation via actions/attest-sbom.

Changed

  • Microsoft org release — First publish from microsoft/agent-governance-toolkit
  • Added MIT license headers to 1,159 source files across all packages.
  • Migrated all 215 documentation URLs from personal repos to Microsoft org.
  • Replaced personal email references with team alias (agt@microsoft.com).
  • Enhanced README with hero section, CI badge, navigation links, CLA/Code of Conduct sections.
  • Bumped all 5 package versions from 1.0.0 to 1.0.1.

Fixed

  • Fixed agentmesh PyPI link to agentmesh-platform (correct package name).
  • Removed internal feed reference from providers.py.

Security

  • Secret scan verified clean — no keys, tokens, or credentials in repository.
  • pip-audit verified 0 known vulnerabilities across all packages.
  • All 43 OSV vulnerabilities from v1.0.0 confirmed resolved.

Repository

  • Archived 6 personal repos with deprecation banners and migration notices.
  • Closed 83 open issues and annotated 596 closed items with migration links.
  • Posted migration announcements to 89 stargazers.
  • Enabled GitHub Discussions, 12 topic tags, OpenSSF Scorecard.

1.0.0 - 2026-03-04

Added

  • Agent OS Kernel (agent-os-kernel) — Policy-as-code enforcement engine with syscall-style interception, OWASP ASI 2026 compliance, and Microsoft Agent Framework (MAF) native middleware adapter.
  • AgentMesh (agentmesh) — Zero-trust inter-agent identity mesh with SPIFFE-based identity, DID-linked credentials, Microsoft Entra Agent ID adapter, and AI-BOM v2.0 supply-chain provenance.
  • Agent Runtime (agent-runtime) — Runtime sandboxing with capability-based isolation, resource quotas, and Docker/Firecracker execution environments.
  • Agent SRE (agent-sre) — Observability toolkit with chaos-engineering probes, canary deployment framework, and automated incident response.
  • Agent Compliance (agent-governance, formerly ai-agent-compliance) — Unified compliance installer mapping OWASP ASI 2026 (10/10), NIST AI RMF, EU AI Act, and CSA Agentic Trust Framework.
  • Mono-repo CI/CD: lint (ruff) × 5 packages, test matrix (3 Python versions × 4 packages), security scanning (safety), CodeQL SAST (Python + JavaScript).
  • Dependabot configuration for 8 ecosystems.
  • OpenSSF Best Practices badge and Scorecard integration.
  • Comprehensive governance proposal documents for standards bodies (OWASP, CoSAI, LF AI & Data).

Security

  • CVE-2025-27520 — Bumped python-multipart to ≥0.0.20 (arbitrary file write).
  • CVE-2024-53981 — Bumped python-multipart to ≥0.0.20 (DoS via malformed boundary).
  • CVE-2024-47874 — Bumped python-multipart to ≥0.0.20 (Content-Type ReDoS).
  • CVE-2024-5206 — Bumped scikit-learn to ≥1.6.1 (sensitive data leakage).
  • CVE-2023-36464 — Replaced deprecated PyPDF2 with pypdf ≥4.0.0 (infinite loop).
  • Removed exception details from HTTP error responses (CWE-209).
  • Redacted PII (patient IDs, SSNs) from example log output (CWE-532).
  • Fixed ReDoS patterns in policy library regex (CWE-1333).
  • Fixed incomplete URL validation in Chrome extension (CWE-20).
  • Pinned all GitHub Actions by SHA hash.
  • Pinned all Docker base images by SHA256 digest.
  • Removed gradle-wrapper.jar binary artifact.