docs: add GOVERNANCE.md, MAINTAINERS.md, ROADMAP.md for AAIF submission readiness (microsoft#1215)

Add foundation-required governance files:
- GOVERNANCE.md: Core vs community extension boundary, roles, decision process
- MAINTAINERS.md: Active maintainers, responsibilities, path to maintainership
- ROADMAP.md: Public roadmap with near/medium/long-term priorities

Also:
- Update AAIF-PROPOSAL.md status from paused to ready (v3.2.0, 9,500+ tests)
- Update proposals/README.md AAIF status
- Add community extension disclaimer to agentmesh-integrations README

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

GOVERNANCE.md

@@ -0,0 +1,89 @@
+# Governance
+
+This document describes the governance model for the Agent Governance Toolkit (AGT).
+
+## Project Scope
+
+The Agent Governance Toolkit provides runtime governance for autonomous AI agents:
+deterministic policy enforcement, zero-trust identity, execution sandboxing, and
+reliability engineering.
+
+## Roles
+
+### Maintainers
+
+Maintainers have merge authority and are responsible for the project's technical
+direction, security posture, and release management. See [MAINTAINERS.md](MAINTAINERS.md)
+for the current list.
+
+**Responsibilities:**
+- Review and merge pull requests
+- Triage security vulnerabilities (MSRC coordination)
+- Manage releases and signing (ESRP)
+- Enforce contribution policies
+
+### Contributors
+
+Anyone who submits a pull request, files an issue, or participates in discussions.
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+### Community Extension Authors
+
+External contributors who build integrations under `packages/agentmesh-integrations/`.
+Extensions are community-maintained and clearly separated from core.
+
+## Core vs Community Extension Boundary
+
+| Path | Ownership | Review Policy |
+|------|-----------|--------------|
+| `packages/agent-os/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agent-mesh/src/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agent-hypervisor/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agent-sre/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agent-compliance/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agent-runtime/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agent-marketplace/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agent-governance-dotnet/` | Microsoft maintainers | Maintainer approval required |
+| `packages/agentmesh-integrations/` | Community + maintainers | Maintainer review, community may author |
+| `docs/integrations/` | Community + maintainers | Maintainer review, community may author |
+| `docs/adr/` | Community + maintainers | Maintainer review for proposed ADRs |
+| `examples/` | Community + maintainers | Maintainer review |
+
+**Core packages** (agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance,
+agent-runtime, agent-marketplace, agent-governance-dotnet) are maintained exclusively
+by Microsoft. External contributions to core require a prior discussion in a GitHub Issue
+and explicit maintainer approval before a PR is opened.
+
+**Community extensions** under `packages/agentmesh-integrations/` are welcome from any
+contributor. Extensions must not modify core packages. Each extension must include its
+own README, tests, and license notice.
+
+## Decision Making
+
+- **Technical decisions** are made by maintainers via GitHub Issues and ADRs
+  (Architecture Decision Records) in `docs/adr/`.
+- **Security decisions** follow the [SECURITY.md](SECURITY.md) process and coordinate
+  with MSRC when applicable.
+- **Roadmap priorities** are set by the maintainer team with community input via
+  GitHub Discussions and Issues.
+
+## Releases
+
+- Releases follow [Semantic Versioning](https://semver.org/).
+- All packages are signed via ESRP (Microsoft's approved signing service).
+- Python packages are published to PyPI, npm packages to npmjs.com, NuGet packages
+  to NuGet.org, Rust crates to crates.io.
+- Release notes are published in `RELEASE_NOTES_*.md` and GitHub Releases.
+
+## Code of Conduct
+
+This project follows the [Microsoft Open Source Code of Conduct](CODE_OF_CONDUCT.md).
+
+## License
+
+MIT License. See [LICENSE](LICENSE).
+
+## Amendments
+
+This governance document may be amended by maintainer consensus. Changes are tracked
+via pull requests to this file.

MAINTAINERS.md

@@ -0,0 +1,40 @@
+# Maintainers
+
+Current maintainers of the Agent Governance Toolkit.
+
+## Active Maintainers
+
+| Name | GitHub | Role | Scope |
+|------|--------|------|-------|
+| Imran Siddique | [@imran-siddique](https://github.com/imran-siddique) | Project Lead | All packages |
+
+## Maintainer Responsibilities
+
+- Review and approve pull requests within 5 business days
+- Triage and respond to security vulnerabilities (MSRC coordination)
+- Manage releases, signing (ESRP), and package publishing
+- Enforce the [Governance](GOVERNANCE.md) and [Contributing](CONTRIBUTING.md) policies
+- Maintain CI/CD pipelines and infrastructure
+
+## Becoming a Maintainer
+
+Maintainers are added by existing maintainers based on sustained, high-quality
+contributions. The typical path:
+
+1. **Contributor** — Multiple merged PRs demonstrating deep understanding of the codebase
+2. **Trusted Contributor** — Invited to review PRs; demonstrates good judgment on design
+3. **Maintainer** — Nominated by an existing maintainer, approved by project lead
+
+## Emeritus Maintainers
+
+Maintainers who are no longer active but made significant contributions.
+
+| Name | GitHub | Contribution Period |
+|------|--------|-------------------|
+| | | |
+
+## Contact
+
+- **Email:** agentgovtoolkit@microsoft.com
+- **GitHub Issues:** [microsoft/agent-governance-toolkit/issues](https://github.com/microsoft/agent-governance-toolkit/issues)
+- **Discussions:** [microsoft/agent-governance-toolkit/discussions](https://github.com/microsoft/agent-governance-toolkit/discussions)

ROADMAP.md

@@ -0,0 +1,72 @@
+# Roadmap
+
+Public roadmap for the Agent Governance Toolkit. Items are not commitments — they
+reflect current direction and priorities. Community input is welcome via
+[GitHub Discussions](https://github.com/microsoft/agent-governance-toolkit/discussions).
+
+## Current Release: v3.2.0 (Public Preview)
+
+### Shipped
+- 8 Python packages (agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance, agent-runtime, agent-lightning, agent-marketplace)
+- 5 SDK languages (Python, TypeScript, .NET, Rust, Go)
+- 12+ framework integrations (Semantic Kernel, AutoGen, LangChain, CrewAI, Google ADK, OpenAI Agents, MCP, A2A, etc.)
+- 32 tutorials + 7 policy-as-code chapters
+- 9,500+ tests, 10/10 OWASP Agentic coverage
+- OpenClaw sidecar for Kubernetes governance
+- Container images on GHCR (trust-engine, policy-server, audit-collector, api-gateway)
+
+## Near-Term (Next 1-2 Releases)
+
+### Governance Core
+- [ ] Policy hot-reload without agent restart
+- [ ] Cedar policy language GA support
+- [ ] OPA/Rego integration hardening
+- [ ] Multi-tenant policy isolation
+
+### Identity & Trust
+- [ ] Entra ID ↔ Agent DID bridge (Graph API integration)
+- [ ] SPIFFE/SVID production deployment guide
+- [ ] ML-DSA-65 (post-quantum) signing GA
+
+### Deployment & Operations
+- [ ] Published container images on GHCR (automated via release)
+- [ ] Helm chart v1.0 with production defaults
+- [ ] Agent SRE dashboard (Grafana templates)
+- [ ] Shadow AI discovery scanner GA
+
+### Compliance
+- [ ] ISO 42001 mapping completion
+- [ ] EU AI Act Annex IV automated evidence generation
+- [ ] SOC 2 audit trail export tooling
+
+## Medium-Term (3-6 Months)
+
+### Platform Integration
+- [ ] Microsoft Foundry Control Plane integration
+- [ ] Azure AI Foundry governance middleware
+- [ ] GitHub Copilot Extensions governance hooks
+
+### Ecosystem
+- [ ] AAIF (AI Alliance) project submission
+- [ ] LF AI & Data Foundation sandbox submission
+- [ ] CoSAI/OASIS WS4 reference implementation
+
+### Advanced Governance
+- [ ] Multi-agent delegation chain verification
+- [ ] Economic scope limits (budget governance)
+- [ ] Constitutional constraint layer (community extension)
+- [ ] Agent behavior anomaly detection
+
+## Long-Term (6-12 Months)
+
+- [ ] Federated trust across organizational boundaries
+- [ ] Formal verification of policy evaluation
+- [ ] Hardware-backed agent identity (TPM/SGX)
+- [ ] Agent governance as a managed Azure service
+
+## How to Influence the Roadmap
+
+1. **Vote on existing issues** — 👍 issues you care about
+2. **Open a discussion** — Propose new features or directions
+3. **Submit an ADR** — For architectural proposals, see `docs/adr/`
+4. **Contribute** — PRs are the strongest signal of priority

docs/proposals/AAIF-PROPOSAL.md

@@ -6,7 +6,7 @@
 **Requested Level:** Sandbox → Incubation
 **License:** MIT
 **Primary Contact:** Agent Governance Toolkit Team (agentgovtoolkit@microsoft.com)
-**Status:** ⏸️ Paused — Will re-submit after public release. A2A trust provider shipped. 6,100+ tests passing.
+**Status:** 🟢 Ready for submission — Public Preview shipped (v3.2.0). 9,500+ tests. 5 SDK languages. 12+ framework integrations. Microsoft-signed releases via ESRP.
 
 ---
 

docs/proposals/README.md

@@ -10,7 +10,7 @@ Last updated: March 21, 2026
 
 | Organization | Submission | Type | Status | Document |
 |-------------|-----------|------|--------|----------|
-| **AAIF** | [aaif/technical-committee#1](https://github.com/aaif/technical-committee/issues/1) | Project Proposal | Closed (will re-submit after public release) | [AAIF-PROPOSAL.md](./AAIF-PROPOSAL.md) |
+| **AAIF** | [aaif/technical-committee#1](https://github.com/aaif/technical-committee/issues/1) | Project Proposal | Ready for re-submission | [AAIF-PROPOSAL.md](./AAIF-PROPOSAL.md) |
 | **LF AI & Data** | [lfai/proposing-projects#102](https://github.com/lfai/proposing-projects/pull/102) | Sandbox Proposal | Open | [LFAI-PROPOSAL.md](./LFAI-PROPOSAL.md) |
 | **CoSAI/OASIS WS4** | [cosai-oasis/ws4#42](https://github.com/cosai-oasis/ws4-secure-design-agentic-systems/issues/42) | RFC | Open | [COSAI-WS4-PROPOSAL.md](./COSAI-WS4-PROPOSAL.md) |
 | **OWASP ASI** | [GenAI-Security-Project#2](https://github.com/GenAI-Security-Project/GenAI-Agent-Security-Initiative/pull/2) | Code Samples PR | Open | [OWASP-ASI-PROPOSAL.md](./OWASP-ASI-PROPOSAL.md) |

packages/agentmesh-integrations/README.md

@@ -16,6 +16,8 @@
 
 > ⭐ **If this project helps you, please star it!** It helps others discover AgentMesh integrations.
 
+> ⚠️ **Community Extensions** — Packages in this directory are community-contributed and maintained. They are reviewed by Microsoft maintainers but are NOT part of the core Agent Governance Toolkit. See [GOVERNANCE.md](../../GOVERNANCE.md) for the core vs extension boundary.
+
 > 🔗 **Part of the Agent Ecosystem** — [AgentMesh](https://github.com/microsoft/agent-governance-toolkit) (identity & trust) · [Agent OS](https://github.com/microsoft/agent-governance-toolkit) (governance) · [Agent SRE](https://github.com/microsoft/agent-governance-toolkit) (reliability)
 
 [Integrations](#available-integrations) • [Quick Start](#quick-start) • [Contributing](#contributing-a-new-integration) • [AgentMesh Core](https://github.com/microsoft/agent-governance-toolkit)