
fix(ci): normalize package names to underscores for PyPI compliance #730

Merged
imran-siddique merged 1 commit into microsoft:main from imran-siddique:fix/pypi-underscore-names
Apr 2, 2026

Conversation

@imran-siddique
Member

PyPI rejects sdist uploads with hyphenated filenames (PEP 625). Changed all 37 pyproject.toml name fields from hyphens to underscores. PyPI treats these as equivalent package names.

PyPI rejects sdist uploads with hyphenated filenames (PEP 625).
Changed all 37 pyproject.toml name fields from hyphens to underscores
(e.g., agent-governance-toolkit -> agent_governance_toolkit).
PyPI treats these as equivalent package names.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions bot added the size/M Medium PR (< 200 lines) label Apr 2, 2026
@imran-siddique imran-siddique merged commit 9a0e2d4 into microsoft:main Apr 2, 2026
19 of 21 checks passed

@github-actions github-actions bot left a comment


🤖 AI Agent: code-reviewer

Review Feedback

🔴 CRITICAL

No critical issues identified in this pull request.


🟡 WARNING

  1. Potential Breaking Change in Package Names:
    • Changing package names from hyphenated to underscored format may cause issues for users who rely on the previous package names in their dependency files (e.g., requirements.txt, setup.py, or pyproject.toml).
    • Impact: Users upgrading to the new version may encounter ModuleNotFoundError or dependency resolution failures if they do not update their dependency references.
    • Recommendation: Add a clear note in the changelog and release documentation about this change. Consider providing migration instructions for users.

💡 SUGGESTIONS

  1. Backward Compatibility Alias:
    • To minimize disruption for existing users, consider publishing the packages under both the old hyphenated names and the new underscored names for a transitional period. This can be achieved by using the provides-extra field in pyproject.toml or by creating alias packages.
  2. Automated Dependency Update:
    • Provide a script or tool that helps users update their dependency files (e.g., requirements.txt) to replace the old hyphenated package names with the new underscored names.
  3. Testing for Package Name Changes:
    • Ensure that all CI/CD pipelines and tests are updated to reflect the new package names. Verify that the changes do not break any existing workflows or integrations.
  4. PyPI Upload Validation:
    • Before merging this PR, verify that the updated package names are accepted by PyPI. This ensures the changes resolve the issue described in PEP 625.
  5. Documentation Update:
    • Update all documentation, including README files, examples, and tutorials, to reflect the new package names. This will help users avoid confusion when referencing the packages.
  6. Versioning Strategy:
    • Consider incrementing the major version number for all affected packages to signal a breaking change in package names. This aligns with semantic versioning practices.
  7. Deprecation Notice:
    • If alias packages are not feasible, include a deprecation notice in the README files of the old packages, directing users to the new package names.

Summary

The changes in this PR address compliance with PEP 625 for PyPI package naming conventions, which is a necessary and valid update. However, the changes introduce potential breaking changes for users relying on the previous hyphenated package names. To mitigate these issues, it is recommended to provide clear documentation, migration tools, and possibly alias packages during a transitional period. Ensure thorough testing and validation before merging this PR.

@github-actions

github-actions bot commented Apr 2, 2026

🤖 AI Agent: security-scanner — Security Review of PR: `fix(ci): normalize package names to underscores for PyPI compliance`

This PR modifies the pyproject.toml files across multiple packages in the repository to replace hyphens (-) in package names with underscores (_) to comply with PyPI's naming conventions as per PEP 625. Below is the security analysis of the changes:


1. Prompt Injection Defense Bypass

Assessment: 🔵 LOW
The changes in this PR are limited to renaming package names in pyproject.toml files. There is no direct impact on prompt injection defenses, as these changes do not modify any runtime code or prompt-handling logic.

Recommendation: No action required.


2. Policy Engine Circumvention

Assessment: 🔵 LOW
The changes do not affect the policy engine or its enforcement mechanisms. They are limited to metadata changes for package naming compliance.

Recommendation: No action required.


3. Trust Chain Weaknesses

Assessment: 🔵 LOW
The changes do not involve any modifications to trust chain mechanisms, such as SPIFFE/SVID validation or certificate pinning. The changes are purely related to package metadata.

Recommendation: No action required.


4. Credential Exposure

Assessment: 🔵 LOW
The changes do not introduce or expose any sensitive information such as credentials, secrets, or tokens.

Recommendation: No action required.


5. Sandbox Escape

Assessment: 🔵 LOW
The changes do not involve any runtime code or execution logic that could lead to a sandbox escape vulnerability.

Recommendation: No action required.


6. Deserialization Attacks

Assessment: 🔵 LOW
The changes do not involve any deserialization logic or modifications to data parsing mechanisms.

Recommendation: No action required.


7. Race Conditions

Assessment: 🔵 LOW
The changes do not introduce or modify any concurrency or timing-related logic. There is no risk of race conditions.

Recommendation: No action required.


8. Supply Chain

Assessment: 🟡 MEDIUM
While the changes themselves are benign, they involve modifying package names across multiple pyproject.toml files. This could potentially introduce supply chain risks if the new package names inadvertently conflict with existing PyPI packages owned by third parties. For example, if agent_governance_toolkit or agentmesh_runtime is already registered by another user on PyPI, this could lead to dependency confusion or typosquatting attacks.

Attack Vector:
An attacker could register a package with the same name on PyPI before the legitimate package is uploaded. If users mistakenly install the malicious package, they could execute untrusted code.

Recommendation:

  1. Preemptive Registration: Ensure all renamed packages are registered on PyPI under the new names before merging this PR. This will prevent malicious actors from exploiting the name change.
  2. Dependency Audit: Verify that all internal and external dependencies are updated to reference the new package names to avoid broken builds or accidental use of malicious packages.
  3. Automated Scanning: Use tools like pip-audit or safety to scan for dependency vulnerabilities and ensure no typosquatting or dependency confusion risks exist.

Overall Assessment

  • The changes in this PR are low risk from a security perspective, as they primarily involve renaming package metadata for compliance with PyPI standards.
  • The supply chain risk is the only notable concern, as it could lead to dependency confusion if the new package names are not preemptively registered on PyPI.

Action Items

  1. Preemptively register all renamed packages on PyPI to secure the new names.
  2. Verify that all internal and external dependencies are updated to use the new package names.
  3. Perform a dependency audit to ensure no typosquatting or dependency confusion risks exist.

Final Rating

  • Prompt injection defense bypass: 🔵 LOW
  • Policy engine circumvention: 🔵 LOW
  • Trust chain weaknesses: 🔵 LOW
  • Credential exposure: 🔵 LOW
  • Sandbox escape: 🔵 LOW
  • Deserialization attacks: 🔵 LOW
  • Race conditions: 🔵 LOW
  • Supply chain: 🟡 MEDIUM

This PR is safe to merge after addressing the supply chain-related recommendations.
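The name equivalence the PR description relies on ("PyPI treats these as equivalent package names"), and the question raised under Supply Chain of whether the underscored spelling could be registered by someone else, both come down to how PyPI compares project names. The following added example is not code from this PR or the repository: it applies PEP 503 normalization (the form PyPI and pip use to compare names) and the PEP 625 sdist filename form to a constructed pyproject.toml and to requirement lines. Only the name `agent-governance-toolkit` is taken from the page; the sample TOML contents and version are constructed.

```python
import re
try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Constructed sample pyproject.toml with the pre-PR hyphenated spelling (not a repository file).
SAMPLE_PYPROJECT = b"""
[project]
name = "agent-governance-toolkit"
version = "1.2.3"
"""

# PEP 508 project-name grammar: alphanumerics, with '-', '_' or '.' allowed only inside.
_NAME_RE = re.compile(r"^([A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, collapse runs of '-', '_' or '.' to one '-'.
    PyPI and pip compare project names in this form, so the hyphen and underscore
    spellings are one project and cannot be registered separately."""
    return re.sub(r"[-_.]+", "-", name).lower()


def same_project(a: str, b: str) -> bool:
    return normalize_name(a) == normalize_name(b)


def sdist_filename(name: str, version: str) -> str:
    """PEP 625 sdist filename: normalized name with '-' rewritten to '_', then
    '-<version>.tar.gz'. Version normalization per PEP 440 is omitted here; a
    PEP 440 normalized version never contains '-'."""
    return f"{normalize_name(name).replace('-', '_')}-{version}.tar.gz"


def requirement_project(line: str) -> str:
    """Normalized project name of a requirements.txt / PEP 508 line, e.g.
    'agent-governance-toolkit>=1.0 ; python_version >= "3.10"'."""
    m = _NAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a requirement line: {line!r}")
    return normalize_name(m.group(1))


def check_pyproject(data: bytes) -> dict:
    """Relate a pyproject.toml's declared name to its PyPI and sdist forms."""
    proj = tomllib.loads(data.decode("utf-8"))["project"]
    name, version = proj["name"], proj["version"]
    filename = sdist_filename(name, version)
    return {
        "declared": name,
        "normalized": normalize_name(name),
        "sdist_filename": filename,
        # True when the declared spelling already equals the PEP 625 stem,
        # i.e. the underscore form this PR switches the 37 packages to.
        "matches_filename_form": name == filename.rsplit("-", 1)[0],
    }
```

Because `same_project` is true for both spellings, a dependency line written with either form resolves to the same PyPI project; the difference this PR makes is only in the sdist filename.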
