Commit 1998481
docs: sync audit redaction status and framing with current code (#8)
* feat(openshell): add governance skill package and runnable example (microsoft#942)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: update SDK feature matrix after parity pass (microsoft#950)
Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go:
- TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14)
- .NET: Kill switch + lifecycle management (was 8/14, now 10/14)
- Rust: Execution rings + lifecycle management (was 6/14, now 8/14)
- Go: MCP security + rings + lifecycle (was 4/14, now 7/14)
All SDKs now have lifecycle management. Core governance (policy, identity,
trust, audit) + lifecycle = 5 primitives shared across all 5 languages.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953)
Addresses valid external critique of AGT's architectural blind spots:
1. Action vs Intent: AGT governs individual actions, not reasoning or
action sequences. Documents the compound-action gap explicitly and
recommends content policies + model safety layers.
2. Audit logs record attempts, not outcomes: Documents that post-action
state verification is the user's responsibility today, with hooks planned.
3. Performance honesty: README now notes that <0.1ms is policy-eval only;
distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md.
4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator,
no mesh/crypto) vs full enterprise stack.
5. Vendor independence: Documents zero cloud dependencies in core,
standard formats for all state, migration path.
6. Recommended layered defense architecture diagram showing AGT as one
layer alongside model safety, application logic, and infrastructure.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954)
Closes microsoft#952
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955)
ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956)
agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957)
- Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0
- Bump version= in 6 setup.py files from 3.0.2 to 3.1.0
- Bump meter version strings in _mcp_metrics.py
- Bump 9 package.json files from 3.0.2 to 3.1.0
- Bump .NET csproj Version from 3.0.2 to 3.1.0
- Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0
- Create Go sdk doc.go with version marker 3.1.0
- Fix ruff W292 (missing newline at EOF) in data_classification.py
- Fix CLI init regex to allow dots in agent names (test_init_special_characters)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959)
* fix(openclaw): critical honesty pass — document what works vs what's planned
Server (__main__.py):
- Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080)
Dockerfile.sidecar:
- Copy modules/ directory (was missing, causing build failure)
- Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers)
- Remove phantom port 9091 (no separate metrics listener exists)
openclaw-sidecar.md — full honesty rewrite:
- Add status banner: transparent interception is NOT yet implemented
- Document actual sidecar API endpoints (health, detect/injection, execute, metrics)
- Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile)
- Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this)
- Replace fictional SLO/Grafana sections with real /api/v1/metrics docs
- Add Roadmap section listing what's planned vs shipped
openshell.md:
- Remove references to non-existent shell scripts
- Fix python -m agentmesh.server to python -m agent_os.server
- Add note that sidecar doesn't transparently intercept (must call API)
- Replace pip install agentmesh-platform with Python skill library usage
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh
cargo package in a workspace writes .crate files to the workspace root's
target/package/, not the individual crate's directory. The pipeline was
running from the crate subdirectory and couldn't find the output.
Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh
to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh
to all cargo commands to target the specific crate.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948)
Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772.
Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com>
* blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899)
Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com>
* feat: add LotL prevention policy for security measures (microsoft#949)
YAML policy template for Living-off-the-Land detection and prevention.
* feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908)
15 curated ATR detection rules + sync script. Closes microsoft#901.
* fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960)
- Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files
(README, QUICKSTART, tutorials, SDK docs, i18n, changelog)
- Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py)
- Remove stale v1.0.0 labels from extension status table
- Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and
ATF conformance assessment
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): use ESRP Release for NuGet signing (microsoft#961)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): correct ESRP NuGet contenttype casing (microsoft#962)
* fix(ci): add missing packages to ESRP pipeline and fix Go version tag
Three gaps found during publish verification:
1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix)
2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp)
- Changed from single-crate to workspace build (--workspace)
- Package loop builds both .crate files
- Renamed artifact from 'rust-agentmesh' to 'rust-crates'
3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0)
- Go module tags require semver with v prefix
- Pipeline grep expects '// Version: v...' format
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget'
ESRP Release rejected 'Nuget' with: 'The value provided for
ReleaseContentType property is invalid.' ErrorCode 2254.
ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963)
* fix(ci): add missing packages to ESRP pipeline and fix Go version tag
Three gaps found during publish verification:
1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix)
2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp)
- Changed from single-crate to workspace build (--workspace)
- Package loop builds both .crate files
- Renamed artifact from 'rust-agentmesh' to 'rust-crates'
3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0)
- Go module tags require semver with v prefix
- Pipeline grep expects '// Version: v...' format
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget'
ESRP Release rejected 'Nuget' with: 'The value provided for
ReleaseContentType property is invalid.' ErrorCode 2254.
ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965)
EsrpRelease@11 does not support NuGet as a contenttype — it's for
PyPI/npm/Maven/crates.io package distribution. NuGet packages must be
signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push.
New flow:
1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405)
2. dotnet nuget push with the signed .nupkg to nuget.org
This matches the standard Microsoft NuGet ESRP signing pattern used by
azure-sdk, dotnet runtime, and other Microsoft OSS projects.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966)
Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities.
CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration
via Header Injection Chain — prototype pollution gadget enables CRLF
injection in HTTP headers, bypassing AWS IMDSv2 session tokens.
CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing
dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through
attacker-controlled proxy.
Upgraded in 3 packages:
- extensions/copilot: 1.14.0 → 1.15.0
- extensions/cursor: 1.13.5 → 1.15.0
- agent-os-vscode: 1.13.6 → 1.15.0
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967)
The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference,
preventing ESRP authentication across ALL publishing stages (PyPI, npm,
NuGet, crates.io).
Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the
well-known Microsoft corporate tenant ID (72f988bf-..., same default
used by ESRP Release action.yml). This is a public value, not a secret.
Also: NuGet publishing requires Microsoft as co-owner of the package
on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: sync audit redaction status and framing with current code
- Update SOC2 mapping to reflect CredentialRedactor now redacts
credential-like secrets before audit persistence (API keys, tokens,
JWTs, connection strings, etc.). Remaining gap: non-credential PII
(email, phone, addresses) not yet redacted in audit entries.
- Replace 'kernel-level enforcement' with 'policy-layer enforcement'
in README, OWASP compliance, and architecture overview to match the
existing 'application-level governance' framing in README Security
section and LIMITATIONS.md.
- Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote
clarifying this means mitigation components exist per risk category,
not full elimination.
- Update owasp-llm-top10-mapping.md LLM06 row for credential redaction.
Addresses doc/code inconsistencies identified in external review.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com>
Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com>
Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com>
Co-authored-by: Adamthereal <imadam4real@gmail.com>1 parent 441cd11 commit 1998481
113 files changed
Lines changed: 4376 additions & 442 deletions
File tree
- docs
- adr
- case-studies
- compliance
- deployment
- i18n
- integrations
- security
- tutorials
- examples
- atr-community-rules
- policies
- production
- quickstart
- packages
- agent-compliance/src/agent_compliance
- agent-governance-dotnet/src/AgentGovernance
- agent-hypervisor/src/hypervisor
- agent-mesh
- docs
- blog
- deployment
- packages
- langchain-agentmesh/langchain_agentmesh
- mcp-proxy
- mcp-trust-server/src/mcp_trust_server
- sdks
- go
- rust
- target
- typescript
- src
- tests
- services/api
- src/agentmesh
- cli
- agent-os-vscode
- agent-os
- examples
- carbon-auditor/src
- self-evaluating
- src
- extensions
- chrome
- copilot
- cursor
- mcp-server
- modules
- amb/amb_core
- atr
- atr
- caas/src/caas
- cmvk/src/cmvk
- control-plane
- src/agent_control_plane
- emk/emk
- iatp
- iatp
- mcp-kernel-server/src/mcp_kernel_server
- mute-agent
- mute_agent
- nexus
- observability/src/agent_os_observability
- primitives/agent_primitives
- scak
- agent_kernel
- src/agent_os
- policies
- server
- tests
- agent-sre/src/agent_sre
- agentmesh-integrations
- copilot-governance
- langchain-agentmesh/langchain_agentmesh
- langflow-agentmesh/src/langflow_agentmesh
- langgraph-trust/langgraph_trust
- llamaindex-agentmesh/llama_index/agent/agentmesh
- mastra-agentmesh
- nostr-wot/agentmesh_nostr_wot
- openai-agents-trust/src/openai_agents_trust
- pydantic-ai-governance/src/pydantic_ai_governance
- pipelines
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
55 | 55 | | |
56 | 56 | | |
57 | 57 | | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
34 | 34 | | |
35 | 35 | | |
36 | 36 | | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
37 | 40 | | |
38 | 41 | | |
39 | 42 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
196 | 196 | | |
197 | 197 | | |
198 | 198 | | |
199 | | - | |
| 199 | + | |
200 | 200 | | |
201 | 201 | | |
202 | 202 | | |
| |||
254 | 254 | | |
255 | 255 | | |
256 | 256 | | |
257 | | - | |
| 257 | + | |
258 | 258 | | |
259 | 259 | | |
260 | 260 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
| 23 | + | |
23 | 24 | | |
24 | 25 | | |
25 | 26 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | | - | |
| 27 | + | |
28 | 28 | | |
29 | 29 | | |
30 | 30 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
42 | 42 | | |
43 | 43 | | |
44 | 44 | | |
45 | | - | |
| 45 | + | |
46 | 46 | | |
47 | 47 | | |
48 | 48 | | |
| |||
107 | 107 | | |
108 | 108 | | |
109 | 109 | | |
110 | | - | |
| 110 | + | |
111 | 111 | | |
112 | 112 | | |
113 | 113 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
42 | 42 | | |
43 | 43 | | |
44 | 44 | | |
45 | | - | |
| 45 | + | |
46 | 46 | | |
47 | 47 | | |
48 | 48 | | |
| |||
145 | 145 | | |
146 | 146 | | |
147 | 147 | | |
148 | | - | |
| 148 | + | |
149 | 149 | | |
150 | 150 | | |
151 | 151 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
30 | 30 | | |
31 | 31 | | |
32 | 32 | | |
33 | | - | |
| 33 | + | |
34 | 34 | | |
35 | 35 | | |
36 | 36 | | |
| |||
70 | 70 | | |
71 | 71 | | |
72 | 72 | | |
73 | | - | |
| 73 | + | |
74 | 74 | | |
75 | 75 | | |
76 | 76 | | |
| |||
200 | 200 | | |
201 | 201 | | |
202 | 202 | | |
203 | | - | |
| 203 | + | |
204 | 204 | | |
205 | 205 | | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
206 | 210 | | |
207 | 211 | | |
208 | 212 | | |
| |||
212 | 216 | | |
213 | 217 | | |
214 | 218 | | |
215 | | - | |
| 219 | + | |
216 | 220 | | |
217 | 221 | | |
218 | 222 | | |
| |||
253 | 257 | | |
254 | 258 | | |
255 | 259 | | |
| 260 | + | |
256 | 261 | | |
257 | 262 | | |
258 | 263 | | |
| |||
268 | 273 | | |
269 | 274 | | |
270 | 275 | | |
| 276 | + | |
| 277 | + | |
271 | 278 | | |
272 | 279 | | |
273 | 280 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
21 | | - | |
| 21 | + | |
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
| |||
99 | 99 | | |
100 | 100 | | |
101 | 101 | | |
102 | | - | |
| 102 | + | |
103 | 103 | | |
104 | 104 | | |
105 | 105 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
34 | | - | |
| 34 | + | |
35 | 35 | | |
36 | 36 | | |
37 | 37 | | |
38 | 38 | | |
39 | 39 | | |
| 40 | + | |
| 41 | + | |
40 | 42 | | |
41 | 43 | | |
42 | 44 | | |
| |||
0 commit comments