imran-siddique
diff --git a/‎README.md‎
Lines changed: 2 additions & 2 deletions b/‎README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/COMPARISON.md‎
Lines changed: 3 additions & 1 deletion b/‎docs/COMPARISON.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎docs/OWASP-COMPLIANCE.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/OWASP-COMPLIANCE.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/compliance/owasp-llm-top10-mapping.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/compliance/owasp-llm-top10-mapping.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/compliance/soc2-mapping.md‎
Lines changed: 8 additions & 8 deletions b/‎docs/compliance/soc2-mapping.md‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎docs/modern-agent-architecture-overview.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/modern-agent-architecture-overview.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/agent-governance-dotnet/README.md‎
Lines changed: 57 additions & 0 deletions b/‎packages/agent-governance-dotnet/README.md‎
Lines changed: 57 additions & 0 deletions
@@ -30,7 +30,7 @@
 Agent Action ──► Policy Check ──► Allow / Deny ──► Audit Log    (< 0.1 ms)
 ```
 
-**Why it matters:** Prompt-based safety ("please follow the rules") has a [26.67% policy violation rate](BENCHMARKS.md) in red-team testing. AGT's kernel-level enforcement: **0.00%**.
+**Why it matters:** Prompt-based safety ("please follow the rules") has a [26.67% policy violation rate](BENCHMARKS.md) in red-team testing. AGT's policy-layer enforcement: **0.00%**.
 
 ---
 
@@ -200,7 +200,7 @@ Governance adds **< 0.1 ms per action** — roughly 10,000× faster than an LLM
 |---|---|---|
 | Policy evaluation (1 rule) | 0.012 ms | 72K ops/sec |
 | Policy evaluation (100 rules) | 0.029 ms | 31K ops/sec |
-| Kernel enforcement | 0.091 ms | 9.3K ops/sec |
+| Policy enforcement | 0.091 ms | 9.3K ops/sec |
 | Concurrent (50 agents) | — | 35,481 ops/sec |
 
 > **Note:** These numbers measure policy evaluation only. In distributed multi-agent
 
@@ -31,12 +31,14 @@ When evaluating agent security tooling, developers often encounter [NeMo Guardra
 | **Least-privilege capability model** | ✅ | ❌ | ❌ | ❌ | ❌ |
 | **Deterministic pre-execution enforcement** | ✅ < 0.1 ms | ❌ | ❌ | ❌ | ❌ |
 | **Chaos / replay testing** | ✅ | ❌ | ❌ | ❌ | ❌ |
-| **OWASP Agentic Top 10 coverage** | **10 / 10** | ~2 / 10 ¹ | ~1 / 10 ¹ | ~0 / 10 ¹ | ~1 / 10 ¹ |
+| **OWASP Agentic Top 10 coverage** | **10 / 10** ² | ~2 / 10 ¹ | ~1 / 10 ¹ | ~0 / 10 ¹ | ~1 / 10 ¹ |
 | **Framework integrations** | **12+** | 3 (LangChain, NeMo-based, custom) | 2 (LangChain, custom) | N/A (gateway) | N/A (gateway) |
 | **LLM provider routing / caching** | ❌ | ❌ | ❌ | ✅ | ✅ |
 | **Works alongside existing tools** | ✅ | ✅ | ✅ | ✅ | ✅ |
 
 > ¹ **OWASP scoring methodology:** Each tool was assessed against the ten [OWASP Agentic Top 10 (2026)](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/) risk categories. A risk is counted as "covered" only when the tool provides a mitigation that addresses the root cause of that risk category (not merely partial or indirect coverage). Scores for NeMo, Guardrails AI, LiteLLM, and Portkey are approximate because none of those tools publish explicit OWASP Agentic Top 10 mappings; they are based on a good-faith review of each tool's documented capabilities as of early 2026.
+>
+> ² **10/10 means mitigation components exist for each risk category**, not that each risk is fully eliminated. AGT provides application-layer governance — see [Known Limitations](LIMITATIONS.md) for documented gaps including hallucination detection, indirect prompt injection into reasoning, and multi-step workflow correlation.
 
 ---
 
 
@@ -33,10 +33,10 @@
 
 > *Attackers manipulate the agent's objectives via indirect prompt injection or poisoned inputs.*
 
-**Mitigation:** Agent OS enforces **policy-based action interception** at the kernel level. Every agent action passes through the policy engine before execution. Unauthorized goal changes are blocked before they reach the agent's tools.
+**Mitigation:** Agent OS enforces **policy-based action interception** at the application layer. Every agent action passes through the policy engine before execution. Unauthorized goal changes are blocked before they reach the agent's tools.
 
 - **Policy Engine** — declarative rules controlling what agents can and cannot do
-- **Action Interception** — kernel-level syscall abstraction intercepts all agent actions
+- **Action Interception** — application-layer action interception intercepts all agent actions
 - **Policy Modes** — `strict` (deny by default), `permissive` (allow by default), `audit` (log only)
 - **MCP Governance Proxy** — policy enforcement for MCP tool calls
 
 
@@ -40,7 +40,7 @@ The widest gaps are in output sanitization and sensitive data protection.
 | LLM03 | Training Data Poisoning | Partial | MemoryGuard for runtime memory stores | Training pipeline out of scope; MemoryGuard not wired into adapters |
 | LLM04 | Model Denial of Service | Partial | Token/call/timeout limits + concurrency semaphore + circuit breakers | TokenBudgetTracker advisory-only; RateLimiter not wired; no payload size limits |
 | LLM05 | Supply Chain Vulnerabilities | Partial | SBOM + Ed25519 signing + MCP fingerprinting + ContentHashInterceptor | SupplyChainGuard reporting-only; signing opt-in |
-| LLM06 | Sensitive Information Disclosure | Partial | PII patterns in MCP gateway + secret detection in codegen + egress policy | Only 2 PII patterns; no output text filtering; audit logs record full parameters |
+| LLM06 | Sensitive Information Disclosure | Partial | PII patterns in MCP gateway + secret detection in codegen + egress policy + credential redaction in audit logs | Only 2 PII patterns for tool-call blocking; no output text filtering; non-credential PII not yet redacted in audit entries |
 | LLM07 | Insecure Plugin Design | Partial | MCPGateway 5-stage pipeline + rug-pull detection + schema abuse scanning | JSON Schema composition ($ref/oneOf) unexamined; gateway and scanner disconnected |
 | LLM08 | Excessive Agency | Partial | Execution rings + kill switch + rogue detection + scope guard | Kill switch manual-only; detection modules advisory, not auto-wired to enforcement |
 | LLM09 | Overreliance | Partial | Drift detection + confidence threshold + adversarial evaluator | No fact-checking; confidence attribute never provided by frameworks |
 
@@ -17,7 +17,7 @@
 
 The Agent Governance Toolkit provides runtime governance infrastructure that addresses SOC 2 Type II controls across Security, Availability, and Processing Integrity criteria. The toolkit's strongest coverage is in **Security** (CC1–CC9), where the policy engine, RBAC, cryptographic identity, execution rings, and audit logging provide a defense-in-depth enforcement stack. **Availability** (A1) is well-supported through circuit breakers, SLO enforcement, and chaos testing primitives. **Processing Integrity** (PI1) benefits from deterministic policy evaluation, Merkle audit chains, and input validation — though several audit chain implementations have integrity defects.
 
-**Confidentiality** (C1) has partial coverage through egress controls, PII pattern detection, and cryptographic identity — but lacks at-rest encryption, key rotation, and audit log redaction. **Privacy** (P1–P8) is the largest gap area: the toolkit detects only 2 PII patterns (SSN, credit card), has no consent management, no data subject access request support, and no retention enforcement. Organizations deploying this toolkit in SOC 2 scope must supplement Privacy controls with external tooling.
+**Confidentiality** (C1) has partial coverage through egress controls, PII pattern detection, credential redaction in audit logs, and cryptographic identity — but lacks at-rest encryption and key rotation. Credential-like secrets (API keys, tokens, connection strings, JWTs, etc.) are redacted before audit persistence via `CredentialRedactor`, but non-credential PII (email, phone, addresses) is not yet redacted in audit entries. **Privacy** (P1–P8) is the largest gap area: the toolkit detects only 2 PII patterns (SSN, credit card) for tool-call blocking, has no consent management, no data subject access request support, and no retention enforcement. Organizations deploying this toolkit in SOC 2 scope must supplement Privacy controls with external tooling.
 
 > **Important**: This mapping documents what the toolkit provides as infrastructure. SOC 2 Type II requires evidence of **operating effectiveness over a review period** — policies followed, controls monitored, exceptions investigated. The toolkit provides the enforcement mechanisms; the operating procedures, organizational policies, and evidence collection are the deployer's responsibility. "Partial" coverage means the toolkit provides building blocks but does not satisfy the control independently.
 
@@ -30,7 +30,7 @@ The Agent Governance Toolkit provides runtime governance infrastructure that add
 | **Security** (CC1–CC9) | ⚠️ Partial | Policy engine, RBAC, DID identity, execution rings, audit logging, MCP security scanning | Kill switch placeholder, detection modules unwired from enforcement |
 | **Availability** (A1) | ⚠️ Partial | Circuit breakers, SLO/error budgets, chaos testing framework, sub-millisecond enforcement | Chaos engine framework-only, no health check endpoints, rate limiter unwired |
 | **Processing Integrity** (PI1) | ⚠️ Partial | Merkle audit chain, policy validation, input sanitization, drift detection | 3 of 4 audit chain implementations have integrity defects, `post_execute()` never blocks |
-| **Confidentiality** (C1) | ⚠️ Partial | Ed25519 identity, HMAC-SHA256 signing, egress policy, PII/secret detection | Symmetric HMAC keys, no at-rest encryption, audit logs store unredacted parameters |
+| **Confidentiality** (C1) | ⚠️ Partial | Ed25519 identity, HMAC-SHA256 signing, egress policy, PII/secret detection, credential redaction in audit logs | Symmetric HMAC keys, no at-rest encryption, non-credential PII not redacted in audit entries |
 | **Privacy** (P1–P8) | ❌ Gap | 2 PII regex patterns, blocked patterns, retention_days schema field | No consent management, no DSAR, no data minimization, retention not enforced |
 
 **0 of 5 criteria fully covered. 4 partially addressed. 1 gap.**
@@ -312,15 +312,15 @@ assert policy.is_allowed("api.openai.com")              # Allowed
 - [ ] **HMAC uses symmetric keys** (C1.2): Any insider with the HMAC key can forge the entire audit chain. No external commitment (Merkle root anchoring to a timestamping service) or asymmetric signing prevents full chain rewrite.
 - [ ] **No at-rest encryption** (C1.1): Audit logs, policy documents, and configuration files are stored in plaintext. No encryption for data at rest.
 - [ ] **No key rotation mechanism** (C1.2): No mechanism for rotating Ed25519 keys, HMAC secrets, or SPIFFE certificates on a schedule.
-- [ ] **Audit logs store unredacted parameters** (C1.1): `mcp_gateway.py:165` stores raw `parameters=params` with no redaction. Every tool call's full parameters — including any PII, credentials, or tokens passed as arguments — are stored verbatim in `AuditEntry` and exposed via `logger.info()`. **The toolkit's own security logging is a data leak pathway.**
+- [x] **~~Audit logs store unredacted parameters~~** (C1.1): **Resolved for credentials.** `MCPGateway.intercept_tool_call()` now applies `CredentialRedactor.redact_data_structure(params)` before creating `AuditEntry` records. This redacts API keys, tokens, connection strings, JWTs, PEM keys, Bearer tokens, and other credential patterns. **Remaining gap:** Non-credential PII (email addresses, phone numbers, physical addresses) in tool parameters is not redacted before audit persistence. The structured audit log no longer exposes raw parameters via `logger.info()` — only agent ID, tool name, allowed/denied, and reason are logged at INFO level.
 - [ ] **Only 2 PII patterns** (C1.1): SSN and credit card number. No email, phone, IP address, JWT token, or other sensitive data patterns.
 - [ ] **`retention_days` not enforced** (C1.3): The schema field exists but no code preserves or deletes logs based on this value. A deployer can set `retention_days: 1` without validation error.
 - [ ] **No TLS enforcement** (C1.2): Network encryption deferred entirely to deployment configuration.
 
 ### Recommended Controls
 
-1. **Add `GovernancePolicy.redact_audit_pii` flag** for pattern-based redaction of `AuditEntry.parameters` before persistence.
-2. Expand PII patterns to cover the OWASP-recommended set (email, phone, IP address, JWT tokens).
+1. **Add `GovernancePolicy.redact_audit_pii` flag** for pattern-based PII redaction of `AuditEntry.parameters` before persistence (credential redaction already exists via `CredentialRedactor`).
+2. Expand PII patterns to cover the OWASP-recommended set (email, phone, IP address — JWT tokens are already handled by `CredentialRedactor`).
 3. Implement asymmetric signing for audit entries to prevent insider forgery.
 4. Add key rotation tooling for Ed25519 and HMAC credentials.
 5. Enforce `retention_days` at runtime with actual log deletion and archival.
@@ -357,13 +357,13 @@ assert policy.is_allowed("api.openai.com")              # Allowed
 - [ ] **No retention enforcement** (P4): `retention_days` field exists in the policy schema but no code preserves or deletes data based on this value. Default is 90 days with minimum 1 — there is no floor enforcement.
 - [ ] **Only 2 PII patterns** (P6): SSN (`\b\d{3}-\d{2}-\d{4}\b`) and credit card number regex in `mcp_gateway.py:34-42`. No detection for email addresses, phone numbers, IP addresses, physical addresses, dates of birth, or other PII categories.
 - [ ] **No output PII scanning** (P6): PII patterns check tool *input* arguments only. LLM response text is not scanned — an agent can freely output personal data in its responses.
-- [ ] **Audit logs record full parameters** (P6): Every tool call's complete arguments are stored verbatim in `AuditEntry` and logged via `logger.info()`. PII in tool arguments becomes PII in audit logs with no redaction. This makes the audit system itself a privacy risk.
+- [ ] **Audit logs record non-credential PII** (P6): Credential-like secrets are redacted via `CredentialRedactor` before audit persistence, but non-credential PII (email, phone, addresses) in tool arguments is still stored verbatim in `AuditEntry`. PII in tool arguments can become PII in audit logs.
 - [ ] **No privacy notice mechanism** (P1): No feature generates or delivers privacy notices to end users interacting with governed agents.
 - [ ] **No privacy impact assessment tooling** (P8): No DPIA/PIA workflow or template generation.
 
 ### Recommended Controls
 
-1. **Implement audit parameter redaction** — apply PII pattern detection to `AuditEntry.parameters` before persistence. This is the highest-leverage single fix.
+1. **Implement audit PII redaction** — extend `CredentialRedactor` or add a dedicated PII redactor for `AuditEntry.parameters` before persistence (credential redaction already exists; this covers the remaining non-credential PII gap).
 2. Expand PII detection from 2 patterns to the OWASP-recommended set (email, phone, IP, JWT, passport, driver's license numbers).
 3. Apply PII scanning to LLM outputs via `post_execute()` or a dedicated output interceptor.
 4. Deploy dedicated privacy management tooling (e.g., OneTrust, BigID, Transcend) for consent, DSAR, and data mapping.
@@ -445,7 +445,7 @@ All gaps consolidated and rated by severity for remediation prioritization.
 
 | Gap | Criteria | Impact | Location |
 |-----|----------|--------|----------|
-| **Audit logs store unredacted PII** | C1.1, P6 | The audit system records full tool call parameters verbatim, making it a data leak pathway | `mcp_gateway.py:165` |
+| **Non-credential PII not redacted in audit logs** | C1.1, P6 | Credential-like secrets are redacted via `CredentialRedactor`, but non-credential PII (email, phone, addresses) in tool parameters is still stored verbatim | `MCPGateway.intercept_tool_call()` |
 | **DeltaEngine `verify_chain()` is a stub** | PI1.5 | Returns `True` always — hypervisor audit trail has zero tamper evidence | `delta.py:99` |
 | **No consent management** | P2 | Fundamental Privacy criteria requirement not addressed | — |
 | **No data subject access request support** | P5 | Required for Privacy criteria compliance | — |
 
@@ -18,7 +18,7 @@ Enterprise AI is shifting from chat-based copilots to **autonomous agents** —
 
 Current frameworks (LangChain, CrewAI, AutoGen) rely on **prompt-based safety** — asking the LLM to follow rules. That's like asking a driver to self-enforce the speed limit.
 
-**Benchmark result:** Prompt-based safety has a **26.67% policy violation rate**. AGT's kernel-level enforcement: **0.00%**.
+**Benchmark result:** Prompt-based safety has a **26.67% policy violation rate**. AGT's policy-layer enforcement: **0.00%**.
 
 ---
 
 
@@ -134,6 +134,63 @@ var limits = enforcer.GetLimits(ring);
 
 When enabled via `GovernanceOptions.EnableRings`, ring checks are automatically enforced in the middleware pipeline.
 
+### Kill Switch
+
+Terminate rogue agents immediately with an arm/disarm safety mechanism, event history, and subscriber notifications:
+
+```csharp
+using AgentGovernance.Hypervisor;
+
+var ks = new KillSwitch();
+ks.Arm();
+
+// Subscribe to kill events
+ks.OnKill += (_, evt) =>
+    Console.WriteLine($"Killed {evt.AgentId}: {evt.Reason} — {evt.Detail}");
+
+// Terminate an agent
+var killEvent = ks.Kill("did:mesh:rogue-agent", KillReason.PolicyViolation, "exceeded scope");
+
+// Review history
+foreach (var e in ks.History)
+    Console.WriteLine($"{e.Timestamp}: {e.AgentId} — {e.Reason}");
+
+ks.Disarm(); // Prevents further kills until re-armed
+```
+
+| Reason | Description |
+|--------|-------------|
+| `PolicyViolation` | Agent violated a governance policy |
+| `TrustThreshold` | Trust score dropped below threshold |
+| `ManualOverride` | Human operator triggered the kill |
+| `AnomalyDetected` | Anomalous behaviour detected |
+| `ResourceExhaustion` | Resource consumption limits exceeded |
+
+### Lifecycle Management
+
+Eight-state lifecycle machine with validated transitions, event logging, and convenience methods:
+
+```csharp
+using AgentGovernance.Lifecycle;
+
+var mgr = new LifecycleManager("did:mesh:agent-007");
+
+mgr.Activate();                          // Provisioning → Active
+mgr.Suspend("scheduled maintenance");    // Active → Suspended
+mgr.Transition(LifecycleState.Active, "maintenance done", "ops");
+mgr.Quarantine("trust breach detected"); // Active → Quarantined
+mgr.Decommission("end of life");         // Quarantined → Decommissioning
+
+// Check transition validity
+bool canActivate = mgr.CanTransition(LifecycleState.Active); // false
+
+// Review full event log
+foreach (var evt in mgr.Events)
+    Console.WriteLine($"{evt.Timestamp}: {evt.FromState} → {evt.ToState} ({evt.Reason})");
+```
+
+**Lifecycle states:** Provisioning → Active ↔ Suspended / Rotating / Degraded / Quarantined → Decommissioning → Decommissioned
+
 ### Saga Orchestrator
 
 Multi-step transaction governance with automatic compensation on failure: