feat(go): add MCP security, execution rings, and lifecycle management to Go SDK by imran-siddique · Pull Request #7 · imran-siddique/agent-governance-toolkit

imran-siddique · 2026-04-12T03:50:16Z

Summary

Adds three new modules to the Go SDK:

MCP Security Scanner (`mcp.go`)

Detects tool poisoning (prompt injection in descriptions)
Typosquatting detection via Levenshtein distance
Hidden instruction detection (zero-width chars, homoglyphs)
Rug pull detection (oversized descriptions with malicious patterns)
Risk scoring (0-100)

Execution Rings (`rings.go`)

Four privilege levels: Admin (0), Standard (1), Restricted (2), Sandboxed (3)
Default-deny access control
Wildcard permission support

Lifecycle Management (`lifecycle.go`)

Eight-state lifecycle model matching other SDKs
Validated state transitions
Event history tracking
Convenience methods (Activate, Suspend, Quarantine, Decommission)

Tests

mcp_test.go: All 4 threat types, safe tools, Levenshtein, risk score capping
rings_test.go: Assign, access checks, default deny, wildcard, reassignment
lifecycle_test.go: Valid/invalid transitions, terminal states, event recording

All tests pass. go vet ./... clean.

…icrosoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

… to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-12T03:50:42Z

🤖 AI Agent: security-scanner — Security Analysis of Pull Request

Security Analysis of Pull Request

This pull request introduces three new modules to the Go SDK: MCP Security Scanner (mcp.go), Execution Rings (rings.go), and Lifecycle Management (lifecycle.go). Below is a detailed security analysis of the changes, focusing on the critical areas outlined in the task.

1. Prompt Injection Defense Bypass

Finding: 🔴 CRITICAL

The detectToolPoisoning function in mcp.go attempts to identify prompt injection patterns by matching specific substrings in the tool description. However, this approach is vulnerable to obfuscation techniques, such as:

Using synonyms or rephrased instructions (e.g., "forget prior commands" instead of "ignore previous instructions").
Adding spaces, punctuation, or other characters between words (e.g., "ignore...previous").
Using base64 encoding or other encoding methods to hide malicious instructions.

Attack Vector:
An attacker could craft a tool description that bypasses these substring checks by using obfuscation techniques, leading to prompt injection vulnerabilities.

Suggested Fix:

Implement a more robust NLP-based approach to detect semantic intent rather than relying on substring matching.
Use a pre-trained model or embedding-based similarity scoring to flag suspicious descriptions.
Regularly update the list of patterns and integrate community feedback to improve detection.

2. Policy Engine Circumvention

Finding: 🟠 HIGH

The rings.go module implements execution rings with privilege levels and access control. However:

The SetRingPermissions method allows wildcard permissions, which could inadvertently grant overly broad access if misconfigured.
The CheckAccess method does not validate the action against the agent's assigned ring permissions in a robust manner. If an attacker can manipulate the action string (e.g., via injection), they may bypass access controls.

Attack Vector:
An attacker could exploit wildcard permissions or manipulate the action string to gain unauthorized access to restricted actions.

Suggested Fix:

Remove support for wildcard permissions or implement strict validation to ensure they are not overly permissive.
Sanitize and validate the action string before checking permissions.
Add unit tests to simulate edge cases and ensure the access control logic is robust.

3. Trust Chain Weaknesses

Finding: 🔵 LOW

No SPIFFE/SVID validation or certificate pinning mechanisms were introduced in this pull request. However, this is not directly relevant to the changes made in this PR. Future iterations of the SDK should ensure that any identity or trust-related mechanisms are robust and secure.

Suggested Fix:

Ensure SPIFFE/SVID validation is implemented in future updates.
Add certificate pinning for any TLS connections used by the SDK.

4. Credential Exposure

Finding: 🔵 LOW

No credentials or secrets were exposed in logs, error messages, or debug output. The modules appear to handle sensitive information securely.

Suggested Fix:

Continue to avoid logging sensitive information.
Implement a mechanism to redact sensitive data from error messages.

5. Sandbox Escape

Finding: 🟡 MEDIUM

The sandbox-policy.yaml file was updated to use regex-based conditions (matches) instead of prefix-based conditions (starts_with). While regex provides more flexibility, it also introduces the risk of overly permissive or incorrect patterns that could allow sandbox escapes.

Attack Vector:
An attacker could exploit a poorly written regex pattern to bypass sandbox restrictions, enabling unauthorized file writes or shell access.

Suggested Fix:

Perform rigorous testing of all regex patterns to ensure they are not overly permissive.
Use a whitelist approach for file paths and actions instead of regex where possible.
Add automated tests to validate the behavior of sandbox policies.

6. Deserialization Attacks

Finding: 🔵 LOW

No deserialization mechanisms (e.g., JSON, YAML, or pickle loading) were introduced in this PR. The mcp.go module uses JSON for data structures, but there is no evidence of unsafe deserialization.

Suggested Fix:

Ensure that any future deserialization mechanisms validate input data and sanitize it to prevent code execution or injection attacks.

7. Race Conditions

Finding: 🟡 MEDIUM

The lifecycle.go module uses a sync.RWMutex to manage state transitions. While this prevents concurrent writes, there is a potential Time-of-Check-to-Time-of-Use (TOCTOU) vulnerability in the CanTransition method:

The method checks if a transition is valid (canTransitionLocked) but does not lock the state during the actual transition (Transition).

Attack Vector:
An attacker could exploit a race condition by invoking CanTransition and Transition concurrently, potentially bypassing lifecycle validation.

Suggested Fix:

Combine the CanTransition and Transition logic into a single atomic operation to eliminate the possibility of TOCTOU vulnerabilities.
Use the sync.Mutex instead of sync.RWMutex for stricter locking during state transitions.

8. Supply Chain

Finding: 🔵 LOW

No new external dependencies were introduced in this pull request. The existing dependencies appear to be legitimate and free from typosquatting risks.

Suggested Fix:

Regularly audit dependencies for vulnerabilities and typosquatting risks.
Use tools like go mod verify and snyk to ensure dependency integrity.

Summary of Findings

Finding	Severity	Description	Suggested Fix
Prompt injection defense bypass	🔴 CRITICAL	Substring matching is insufficient to detect obfuscated prompt injection patterns.	Use NLP-based semantic analysis and update detection patterns regularly.
Policy engine circumvention	🟠 HIGH	Wildcard permissions and unvalidated action strings could allow unauthorized access.	Remove wildcard permissions or validate them strictly; sanitize action strings.
Trust chain weaknesses	🔵 LOW	No SPIFFE/SVID validation or cert pinning issues in this PR.	Implement SPIFFE/SVID validation and certificate pinning in future updates.
Credential exposure	🔵 LOW	No credentials or sensitive data exposed in logs or errors.	Maintain current practices; add redaction for sensitive data in error messages.
Sandbox escape	🟡 MEDIUM	Regex-based sandbox policies could be overly permissive or incorrect.	Test regex patterns rigorously; prefer whitelist-based policies where possible.
Deserialization attacks	🔵 LOW	No unsafe deserialization mechanisms detected.	Validate and sanitize input data during deserialization in future updates.
Race conditions	🟡 MEDIUM	Potential TOCTOU vulnerability in lifecycle state transitions.	Combine `CanTransition` and `Transition` logic into a single atomic operation.
Supply chain	🔵 LOW	No new dependencies or typosquatting risks detected.	Regularly audit dependencies for vulnerabilities and typosquatting risks.

Final Recommendation

Address the CRITICAL and HIGH findings immediately, as they pose significant risks to the security of the toolkit. The MEDIUM findings should also be prioritized to ensure robust sandboxing and lifecycle management. The LOW findings can be addressed in future iterations but should not be ignored.

github-actions

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces three major modules to the Go SDK: MCP Security Scanner, Execution Rings, and Lifecycle Management. While the implementation is generally well-structured and adheres to good coding practices, there are several areas that require attention to ensure security, correctness, and backward compatibility. Below is a detailed review of each module and the associated code.

MCP Security Scanner (`mcp.go`)

🔴 CRITICAL: Homoglyph Detection Incompleteness

The looksLikeLatinHomoglyph function only checks a limited set of homoglyphs. This creates a false sense of security, as attackers can use other Unicode characters to bypass detection. For example, Latin Extended-A characters (ā, ē, etc.) or visually similar characters from other scripts are not covered.

Actionable Fix: Use a comprehensive Unicode homoglyph detection library or expand the list to include more characters. Consider leveraging external libraries like unicode-matcher for broader coverage.

🔴 CRITICAL: Risk Scoring Weakness

The computeRiskScore function aggregates threat severity scores but does not cap the maximum risk score. This could lead to inconsistent scoring if multiple threats are detected. Additionally, the scoring logic does not account for the cumulative impact of multiple "critical" threats.

Actionable Fix: Introduce a risk score cap (e.g., 100) and refine the scoring algorithm to account for the compounding effect of multiple high-severity threats.

💡 SUGGESTION: Known Tools Registry

The knownTools list is populated dynamically during scanning, which could lead to false positives for typosquatting detection if the list contains tools with similar names. This approach may also be vulnerable to poisoning attacks.

Recommendation: Use a predefined list of trusted tool names and allow dynamic updates only from authenticated sources.

Execution Rings (`rings.go`)

🔴 CRITICAL: Default-Deny Implementation

The default-deny access control mechanism is critical for security. However, the implementation does not explicitly verify that all actions are denied unless explicitly allowed. This could lead to unintended privilege escalation if the SetRingPermissions function is misused.

Actionable Fix: Add explicit checks to ensure that actions not listed in SetRingPermissions are denied by default.

💡 SUGGESTION: Wildcard Permission Handling

The wildcard permission support is useful but could lead to overly permissive configurations if not carefully managed. For example, * could inadvertently allow sensitive actions.

Recommendation: Introduce a mechanism to restrict wildcard usage to specific namespaces (e.g., data.*).

Lifecycle Management (`lifecycle.go`)

🔴 CRITICAL: Thread Safety

The LifecycleManager uses a sync.RWMutex for thread safety, but the Transition method appends to the events slice without bounds checking. This could lead to memory exhaustion in high-concurrency scenarios.

Actionable Fix: Add a configurable limit to the number of recorded events and implement eviction for older events.

💡 SUGGESTION: State Transition Validation

The validTransitions map ensures that state transitions are validated, but the error messages returned by Transition are generic. This makes debugging difficult.

Recommendation: Enhance error messages to include the agent ID and current state for better traceability.

Tests

💡 SUGGESTION: Coverage for Edge Cases

While the tests cover common scenarios, edge cases such as invalid tool definitions (e.g., empty names or descriptions) and high-concurrency lifecycle transitions are not tested.

Recommendation: Add tests for edge cases and concurrency scenarios to ensure robustness.

Documentation

💡 SUGGESTION: Expand Examples

The examples provided in the README.md are helpful but lack real-world use cases, such as integrating the MCP Security Scanner with the Execution Rings and Lifecycle Management modules.

Recommendation: Add a comprehensive example demonstrating how these modules work together in a governance pipeline.

Backward Compatibility

🟡 WARNING: Public API Changes

The addition of new modules expands the public API of the Go SDK. While this is not inherently breaking, downstream consumers may need to update their code to leverage the new functionality.

Actionable Fix: Clearly document the changes in the release notes and provide migration guidance for existing users.

General Observations

💡 SUGGESTION: OWASP Agentic Top 10 Compliance

The modules address several OWASP Agentic Top 10 concerns, such as prompt injection and privilege escalation. However, additional measures like rate limiting and monitoring for anomalous behavior could further enhance security.

Recommendation: Consider adding rate limiting and anomaly detection features in future iterations.

Final Assessment

Security: 🔴 Critical issues in homoglyph detection, risk scoring, and thread safety need immediate attention.
Correctness: The modules are generally well-implemented but require edge case handling and enhanced error messages.
Backward Compatibility: 🟡 Changes to the public API should be documented to avoid confusion for downstream users.
Documentation: Examples and usage scenarios need expansion for better developer adoption.

Action Items

🔴 Fix homoglyph detection and risk scoring vulnerabilities in mcp.go.
🔴 Ensure thread safety and add event limits in lifecycle.go.
🟡 Document public API changes and provide migration guidance.
💡 Expand examples and test coverage for edge cases and concurrency.
💡 Enhance error messages and restrict wildcard permissions.

Let me know if you need further clarification or assistance!

github-actions · 2026-04-12T03:51:05Z

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

…osoft#1014) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…icrosoft#1017) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com>

* feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com>

* fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>

…microsoft#1166) * feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>

…) + critic gap docs (microsoft#1170) * feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co> * docs: address external critic gaps in limitations and threat model (#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix!: standardize DID method to did:agentmesh across all SDKs (#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>

…icrosoft#1192) * feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co> * docs: address external critic gaps in limitations and threat model (#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix!: standardize DID method to did:agentmesh across all SDKs (#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix lint errors and remove pi-mono breaking dep scan Two CI failures on main: 1. lint (agent-compliance): W293/W292 trailing whitespace and missing newlines in agt.py and verify.py — fixed. 2. dependency-scan: pi-mono-agentmesh references unregistered npm packages — removed entire pi-mono integration that was merged from draft PR microsoft#970 without proper review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AgentMesh component container images and GHCR publishing Add FastAPI server entrypoints for all four AgentMesh components: - trust-engine (port 8443): Agent identity verification, IATP handshakes - policy-server (port 8444): Governance policy evaluation from YAML/JSON - audit-collector (port 8445): Merkle-chained audit logging with persistence - api-gateway (port 8446): Reverse proxy with per-agent rate limiting Infrastructure: - Single Dockerfile with COMPONENT build arg (non-root, tini, health checks) - GitHub Actions workflow for GHCR publishing (multi-arch amd64/arm64) - Helm chart updated to reference ghcr.io/microsoft/agentmesh/* images - 28 integration tests covering all server endpoints Resolves the missing container images that blocked full AgentMesh cluster deployment (images were referenced in Helm chart but never built). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>

* feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co> * docs: address external critic gaps in limitations and threat model (#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix!: standardize DID method to did:agentmesh across all SDKs (#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): address all 14 open code scanning alerts (#13) * fix: address 6 Dependabot security vulnerabilities - python-multipart 0.0.22 → 0.0.26 (DoS via large preamble/epilogue) - pytest 8.4.1 → 9.0.3 (tmpdir handling vulnerability) - langchain-core 1.2.11 → 1.2.28 (SSRF, path traversal, f-string validation) - langchain-core >=0.2.0,<1.0 → >=1.2.28 in langchain-agentmesh pyproject.toml - tsup 8.0.0 → 8.5.1 (DOM clobbering vulnerability) - rand 0.8.5: dismissed microsoft#176 as inaccurate (vuln affects rand::rng() 0.9.x API only) Fixes Dependabot alerts: microsoft#177, microsoft#175, microsoft#166, microsoft#164, microsoft#157, microsoft#156 Dismissed: microsoft#176 (not applicable to rand 0.8.x) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): address all 14 open code scanning alerts Scorecard HIGH: - publish-containers.yml: scope packages:write to job level (microsoft#316) Scorecard MEDIUM (pinned dependencies): - docs.yml: pin 4 GitHub Actions by SHA hash (microsoft#311-314) - docs.yml: use requirements.txt for pip install (microsoft#315) - agent-mesh Dockerfile: pin python:3.11-slim by SHA (microsoft#317,microsoft#318) - agent-os Dockerfile.sidecar: pin python:3.14-slim by SHA (microsoft#295,microsoft#296) - dashboard Dockerfile: pin python:3.12-slim by SHA (microsoft#291,microsoft#293) CodeQL: - test_time_decay.py: timedelta(days=365) -> 366 for leap safety (microsoft#289,microsoft#290) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>

imran-siddique and others added 2 commits April 11, 2026 20:34

feat(openshell): add governance skill package and runnable example (m…

6f3d2a0

…icrosoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

imran-siddique merged commit 441cd11 into main Apr 12, 2026
20 of 22 checks passed

github-actions Bot reviewed Apr 12, 2026

View reviewed changes

github-actions Bot added documentation Improvements or additions to documentation agent-mesh size/XL labels Apr 12, 2026

imran-siddique deleted the feat/sdk-parity-go branch April 15, 2026 04:47

Conversation

imran-siddique commented Apr 12, 2026

Summary

MCP Security Scanner (mcp.go)

Execution Rings (rings.go)

Lifecycle Management (lifecycle.go)

Tests

Uh oh!

Uh oh!

github-actions Bot commented Apr 12, 2026

Security Analysis of Pull Request

1. Prompt Injection Defense Bypass

Finding: 🔴 CRITICAL

2. Policy Engine Circumvention

Finding: 🟠 HIGH

3. Trust Chain Weaknesses

Finding: 🔵 LOW

4. Credential Exposure

Finding: 🔵 LOW

5. Sandbox Escape

Finding: 🟡 MEDIUM

6. Deserialization Attacks

Finding: 🔵 LOW

7. Race Conditions

Finding: 🟡 MEDIUM

8. Supply Chain

Finding: 🔵 LOW

Summary of Findings

Final Recommendation

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

🤖 AI Agent: code-reviewer

Review Summary

MCP Security Scanner (mcp.go)

🔴 CRITICAL: Homoglyph Detection Incompleteness

🔴 CRITICAL: Risk Scoring Weakness

💡 SUGGESTION: Known Tools Registry

Execution Rings (rings.go)

🔴 CRITICAL: Default-Deny Implementation

💡 SUGGESTION: Wildcard Permission Handling

Lifecycle Management (lifecycle.go)

🔴 CRITICAL: Thread Safety

💡 SUGGESTION: State Transition Validation

Tests

💡 SUGGESTION: Coverage for Edge Cases

Documentation

💡 SUGGESTION: Expand Examples

Backward Compatibility

🟡 WARNING: Public API Changes

General Observations

💡 SUGGESTION: OWASP Agentic Top 10 Compliance

Final Assessment

Action Items

Uh oh!

github-actions Bot commented Apr 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

MCP Security Scanner (`mcp.go`)

Execution Rings (`rings.go`)

Lifecycle Management (`lifecycle.go`)

MCP Security Scanner (`mcp.go`)

Execution Rings (`rings.go`)

Lifecycle Management (`lifecycle.go`)