fix: update all references to use new PyPI package names

[imran-siddique]

Comprehensive sweep to replace all remaining old PyPI package names with their new names:

• \�gent-lightning\ → \�gentmesh-lightning\ (12 files)
• \�gent-runtime\ → \�gentmesh-runtime\ (workflows)

Also fixes merge conflict markers in QUICKSTART.md and docs/tutorials/README.md.

Files changed: README, QUICKSTART, CONTRIBUTING, RELEASE_NOTES_v1.0.0, tutorials, 3 GitHub workflows, scripts/check_dependency_confusion.py, packages/agent-lightning/{README,pyproject.toml}

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

[github-actions]

🤖 AI Agent: security-scanner — Security Review of PR: `fix: update all references to use new PyPI package names`

Security Review of PR: fix: update all references to use new PyPI package names

This PR updates references to two PyPI package names across the repository: agent-lightning → agentmesh-lightning and agent-runtime → agentmesh-runtime. It also resolves merge conflict markers in documentation files.

---

Findings

1. Supply Chain Risk: Dependency Confusion

• Severity: 🔴 CRITICAL
• Issue: The renaming of PyPI packages introduces a potential supply chain attack vector. If the new package names (agentmesh-lightning and agentmesh-runtime) are not properly reserved and published on PyPI by the maintainers, attackers could register these names and upload malicious packages. This would allow attackers to inject malicious code into the dependency resolution process for downstream users.
• Attack Vector: If an attacker registers a malicious package with the same name (agentmesh-lightning or agentmesh-runtime) on PyPI before the legitimate maintainers do, any downstream users who install these dependencies will unknowingly execute malicious code.
• Recommendation:
  1. Ensure that the new package names (agentmesh-lightning and agentmesh-runtime) are already registered and published on PyPI by the official maintainers before merging this PR.
  2. If the packages are not yet published, publish placeholder packages with minimal metadata to reserve the names and prevent dependency confusion attacks.
  3. Add a CI/CD check to verify that all dependencies are sourced from trusted registries (e.g., PyPI) and not from untrusted sources.

---

2. Merge Conflict Markers in Documentation

• Severity: 🟡 MEDIUM
• Issue: The presence of merge conflict markers (=======, >>>>>>, <<<<<) in QUICKSTART.md and docs/tutorials/README.md indicates unresolved conflicts. While these are in documentation files and do not directly impact the codebase, they can lead to confusion for users and developers.
• Attack Vector: If these markers are left unresolved, they could mislead users or developers into using incorrect or incomplete information, potentially leading to misconfigurations or security missteps.
• Recommendation:
  1. Resolve the merge conflict markers in QUICKSTART.md and docs/tutorials/README.md before merging this PR.
  2. Add a pre-commit hook or CI check to detect and block commits containing unresolved merge conflict markers.

---

3. Potential for Incomplete Updates

• Severity: 🟠 HIGH
• Issue: The PR updates references to the new package names across multiple files, but there is no automated test or validation to ensure that all instances of the old package names have been replaced. This could lead to inconsistencies or broken functionality if some references are missed.
• Attack Vector: If any references to the old package names remain, they could cause runtime errors or lead to the installation of incorrect dependencies, potentially introducing vulnerabilities or breaking the security guarantees of the toolkit.
• Recommendation:
  1. Add a script or CI check to ensure that no references to the old package names (agent-lightning and agent-runtime) remain in the codebase.
  2. Manually verify all changes in this PR to ensure completeness.

---

4. Potential Credential Exposure in check_dependency_confusion.py

• Severity: 🟡 MEDIUM
• Issue: The script check_dependency_confusion.py is updated to include the new package names. However, there is no indication in the PR that this script has been tested or reviewed for potential issues like logging sensitive information (e.g., API keys or tokens) during execution.
• Attack Vector: If the script logs sensitive information (e.g., API keys or tokens) during execution, it could expose these credentials to unauthorized users, especially if logs are stored in an insecure location.
• Recommendation:
  1. Review the check_dependency_confusion.py script to ensure that it does not log sensitive information.
  2. Add a test case to validate the behavior of the script with the updated package names.

---

Summary of Findings

1. 🔴 CRITICAL: Dependency confusion risk due to new PyPI package names.
2. 🟡 MEDIUM: Unresolved merge conflict markers in documentation files.
3. 🟠 HIGH: Risk of incomplete updates to package name references.
4. 🟡 MEDIUM: Potential credential exposure in check_dependency_confusion.py.

---

Action Items

1. Address Dependency Confusion Risk:

   • Verify that agentmesh-lightning and agentmesh-runtime are already registered and published on PyPI by the maintainers.
   • If not, publish placeholder packages to reserve the names.
   • Add a CI/CD check to validate dependency sources.

2. Resolve Merge Conflict Markers:

   • Remove all merge conflict markers from QUICKSTART.md and docs/tutorials/README.md.
   • Add a pre-commit hook or CI check to prevent commits with unresolved conflict markers.

3. Ensure Complete Updates:

   • Conduct a manual review to confirm that all instances of the old package names have been replaced.
   • Add a script or CI check to automate this validation.

4. Review check_dependency_confusion.py:

   • Ensure the script does not log sensitive information.
   • Add test cases to verify its behavior with the updated package names.

---

Final Recommendation

Do not merge this PR until:

1. The dependency confusion risk is mitigated.
2. Merge conflict markers are resolved.
3. A thorough review ensures no references to the old package names remain.
4. The check_dependency_confusion.py script is reviewed and tested.

[github-actions]

🤖 AI Agent: code-reviewer

Review of Pull Request: fix: update all references to use new PyPI package names

---

Summary

This pull request updates all references to the old PyPI package names (agent-lightning → agentmesh-lightning, agent-runtime → agentmesh-runtime) across the repository. It also resolves merge conflict markers in QUICKSTART.md and docs/tutorials/README.md.

---

Feedback

🔴 CRITICAL

1. Dependency Confusion Risk:
   • The script scripts/check_dependency_confusion.py is updated to include the new package names (agentmesh-lightning and agentmesh-runtime). However, there is no explicit check to ensure that the old package names (agent-lightning and agent-runtime) are no longer being used in the repository or by any external dependencies.
   • Action: Add a validation step in the CI pipeline to ensure that no references to the old package names exist in the repository or are being pulled in as dependencies. This will prevent dependency confusion attacks where an attacker could publish malicious packages under the old names.

🟡 WARNING

1. Backward Compatibility:
   • Renaming the PyPI packages (agent-lightning → agentmesh-lightning, agent-runtime → agentmesh-runtime) is a breaking change for users who rely on the old package names in their requirements.txt or setup.py files.
   • Action: Clearly document this breaking change in the RELEASE_NOTES_v1.0.0.md and provide migration instructions for users to update their dependencies. Consider publishing a final version of the old packages with a deprecation notice to guide users to the new package names.

💡 SUGGESTIONS

1. Merge Conflict Markers:

   • The merge conflict markers in QUICKSTART.md and docs/tutorials/README.md were removed, but there is no test or validation in the CI pipeline to ensure that such markers are not accidentally committed in the future.
   • Action: Add a linting step in the CI pipeline to detect and fail the build if merge conflict markers (<<<<<<<, =======, >>>>>>>) are present in any file.

2. Documentation Consistency:

   • The CONTRIBUTING.md file still mentions "seven packages" in the description, but the table lists eight packages. This discrepancy might confuse contributors.
   • Action: Update the description in CONTRIBUTING.md to reflect the correct number of packages.

3. PyPI Metadata:

   • The pyproject.toml file for agent-lightning was updated to use the new name agentmesh-lightning. However, the description field still refers to "agent-lightning."
   • Action: Update the description field in pyproject.toml to reflect the new package name.

4. Testing:

   • While the changes appear to be straightforward, it's critical to ensure that the renaming does not break any functionality.
   • Action: Add a test to verify that the new package names are correctly resolved and imported in the codebase. For example, a simple test could attempt to import the renamed packages and verify their functionality.

5. Version Pinning:

   • The QUICKSTART.md and other documentation files suggest installing the packages without specifying version constraints (e.g., pip install agentmesh-lightning). This could lead to unexpected issues if breaking changes are introduced in future versions of the packages.
   • Action: Recommend pinning specific versions of the packages in the documentation to ensure stability for users.

---

Summary of Actions

1. Critical: Add a CI validation step to ensure no references to old package names exist and prevent dependency confusion.
2. Warning: Document the breaking change in RELEASE_NOTES_v1.0.0.md and provide migration instructions.
3. Suggestions:
   • Add a linting step to detect merge conflict markers.
   • Fix the inconsistency in the number of packages mentioned in CONTRIBUTING.md.
   • Update the description field in pyproject.toml for agentmesh-lightning.
   • Add tests to verify the correctness of the renamed packages.
   • Recommend version pinning in the documentation.

---

Final Assessment

The changes in this pull request are necessary and well-executed, but the critical issues around dependency confusion and backward compatibility must be addressed before merging. Additionally, implementing the suggested improvements will enhance the robustness and usability of the repository.