feat: OpenSSF scorecard fixes, badges, and v1.0.0 release notes

* docs: add OpenSSF badges, update OWASP to 10/10, add v1.0.0 release notes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add actions:read permission and continue-on-error to CodeQL

CodeQL needs actions:read for SARIF upload on microsoft/ org repos.
Added continue-on-error so CodeQL doesn't block PRs while GHAS
is being enabled.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

.github/workflows/codeql.yml

@@ -11,11 +11,13 @@ on:
 permissions:
   contents: read
   security-events: write
+  actions: read
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    continue-on-error: true
     strategy:
       fail-fast: false
       matrix:

README.md

@@ -6,7 +6,9 @@
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![Python](https://img.shields.io/badge/python-3.9+-blue.svg)](https://python.org)
-[![OWASP Agentic Top 10](https://img.shields.io/badge/OWASP_Agentic_Top_10-9/10_Covered-brightgreen)](docs/OWASP-COMPLIANCE.md)
+[![OWASP Agentic Top 10](https://img.shields.io/badge/OWASP_Agentic_Top_10-10/10_Covered-brightgreen)](docs/OWASP-COMPLIANCE.md)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12085/badge)](https://www.bestpractices.dev/projects/12085)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/microsoft/agent-governance-toolkit/badge)](https://scorecard.dev/viewer/?uri=github.com/microsoft/agent-governance-toolkit)
 
 </div>
 
@@ -23,7 +25,7 @@ Autonomous AI agents (LangChain, AutoGen, CrewAI, etc.) can call tools, spawn su
 - **Execution isolation** with privilege rings and kill switches
 - **Reliability engineering** with SLOs, error budgets, and chaos testing
 
-Covers **9 of 10 [OWASP Agentic Top 10](https://owasp.org/www-project-agentic-ai-top-10/)** risks out of the box.
+Covers **10 of 10 [OWASP Agentic Top 10](https://owasp.org/www-project-agentic-ai-top-10/)** risks out of the box.
 
 ## Architecture
 

RELEASE_NOTES_v1.0.0.md

@@ -0,0 +1,88 @@
+# Agent Governance Toolkit v1.0.0
+
+**The missing security layer for AI agents.** Runtime policy enforcement, identity mesh, execution sandboxing, and reliability engineering — in one toolkit.
+
+## Highlights
+
+- 🛡️ **10/10 OWASP Agentic Top 10 coverage** — full compliance mapping across all ASI-01 through ASI-10 risks
+- 🔐 **Microsoft Entra Agent ID integration** — bridge DID identity with enterprise Zero Trust via Entra Agent ID
+- 📦 **AI-BOM v2.0** — full AI supply chain tracking: model provenance, dataset lineage, weights versioning
+- 🏛️ **CSA Agentic Trust Framework** — compliance mapping across all 5 ATF pillars (15/15 requirements)
+- ✅ **OpenSSF Scorecard hardened** — pinned dependencies, CodeQL SAST, Dependabot, signed workflows
+
+## Packages
+
+| Package | Description | Install |
+|---------|-------------|---------|
+| **Agent OS** | Stateless governance kernel with policy engine, VFS, and MCP proxy | `pip install agent-os-kernel` |
+| **AgentMesh** | Zero-trust identity mesh with DID, trust scoring, delegation chains | `pip install agentmesh-platform` |
+| **Agent Hypervisor** | Execution rings, resource limits, kill switch, saga orchestration | `pip install agent-hypervisor` |
+| **Agent SRE** | SLOs, error budgets, circuit breakers, chaos engineering | `pip install agent-sre` |
+| **Agent Compliance** | Unified installer and compliance documentation | `pip install ai-agent-compliance` |
+
+## Security & Compliance
+
+| Framework | Coverage |
+|-----------|----------|
+| [OWASP Agentic Top 10 (2026)](docs/OWASP-COMPLIANCE.md) | 10/10 risks covered |
+| [CSA Agentic Trust Framework](docs/compliance/csa-atf-mapping.md) | 15/15 requirements |
+| [NIST AI RMF](https://www.nist.gov/artificial-intelligence/ai-risk-management-framework) | Govern, Map, Measure, Manage |
+| [Singapore MGF for Agentic AI](docs/analyst/singapore-mgf-mapping.md) | Zero-trust, accountability, oversight |
+| [EU AI Act](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai) | Risk classification, audit trails, human oversight |
+
+## Key Features in v1.0.0
+
+### Identity & Trust
+- Cryptographic DID identity (`did:mesh:`) with Ed25519 key pairs
+- Microsoft Entra Agent ID adapter (sponsor accountability, lifecycle management, Conditional Access)
+- Trust scoring with decay, delegation chains with capability narrowing
+- SPIFFE/SVID workload identity support
+
+### Governance
+- Policy-as-code engine (strict/permissive/audit modes)
+- MCP Governance Proxy for tool call interception
+- Approval workflows with quorum logic and expiration
+- Prompt injection detection and PII protection
+
+### Runtime Security
+- Execution rings (Ring 0–3) with graduated privilege
+- Kill switch for instant agent termination
+- Saga orchestration with automatic rollback
+- Joint liability scoring (Shapley values)
+
+### Reliability (SRE)
+- Agent-specific SLOs (correctness, safety, latency, cost)
+- Circuit breakers with cascading failure detection
+- Chaos engineering framework for AI agents
+- Cost anomaly detection with per-agent budgets
+
+### Supply Chain
+- AI-BOM v2.0 — model provenance, dataset tracking, weights versioning
+- SLSA-compatible build provenance for model artifacts
+- CycloneDX ML-BOM export support
+
+## External Submissions
+
+45 integration proposals submitted across the ecosystem:
+- **Merged:** GitHub Copilot (×3), Dify (×1)
+- **Under Review:** Microsoft Agent Framework, Google ADK, AutoGen, CrewAI, LangChain, OpenAI Swarm, MetaGPT, Anthropic, MCP, OpenLit, OWASP, LF AI, CoSAI, AAIF
+
+See [docs/PROPOSALS-INDEX.md](docs/PROPOSALS-INDEX.md) for the full list.
+
+## Quick Start
+
+```bash
+pip install ai-agent-compliance[full]
+```
+
+```python
+from agent_os import StatelessKernel, ExecutionContext
+
+kernel = StatelessKernel()
+ctx = ExecutionContext(agent_id="my-agent", policies=["read_only"])
+result = await kernel.execute(action="query_db", params={"table": "users"}, context=ctx)
+```
+
+## License
+
+[MIT](LICENSE) — © Microsoft Corporation