
fix(ci): expand npm allowlist in dep confusion script + fix lint#731

Merged
imran-siddique merged 1 commit into microsoft:main from imran-siddique:fix/ci-dep-scan-allowlist
Apr 2, 2026

Conversation

@imran-siddique
Member

Fixes CI failures: adds common npm packages to dep confusion allowlist and fixes ruff whitespace/f-string lint issues in agent-mesh CLI.

- Add common npm packages to REGISTERED_NPM_PACKAGES allowlist
  (eslint, axios, ts-jest, @types/vscode, rimraf, etc.)
- Fix 9 ruff lint issues in agent-mesh CLI (whitespace, f-strings)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@imran-siddique imran-siddique merged commit 9595ae4 into microsoft:main Apr 2, 2026
23 of 25 checks passed

github-actions bot commented Apr 2, 2026

🤖 AI Agent: breaking-change-detector — Summary

🔍 API Compatibility Report

Summary

No breaking changes were found in the provided diff. The changes primarily involve lint fixes, reordering imports, and minor refactoring in the agent-mesh CLI code. Additionally, updates were made to a dependency confusion script to expand the npm allowlist. These changes do not affect the public API of the microsoft/agent-governance-toolkit.

Findings

Severity | Package | Change | Impact
(not shown) | agent-mesh | Refactored CLI code (e.g., type hints, formatting) | No impact on public API
(not shown) | scripts | Expanded npm allowlist in dependency confusion script | No impact on public API

Migration Guide

No migration steps are required, as there are no breaking changes.

Notes

  • The refactoring in the CLI code includes changes to type hints (e.g., Optional[str] replaced with str | None) and formatting improvements. These changes are backward-compatible and do not alter the behavior of the public API.
  • The dependency confusion script changes are internal to the repository and do not affect the published Python packages.

No breaking changes detected.

@github-actions github-actions bot added the size/M Medium PR (< 200 lines) label Apr 2, 2026

@github-actions github-actions bot left a comment


🤖 AI Agent: code-reviewer

Review Summary

This pull request addresses CI failures by expanding the allowlist for dependency confusion checks and fixing lint issues in the agent-mesh CLI. While the changes seem straightforward, there are areas that require attention to ensure security, maintainability, and backward compatibility.


🔴 CRITICAL

1. Potential Sandbox Escape in _init_claude_integration

  • The _init_claude_integration function dynamically modifies the mcpServers configuration file, including adding a command field that executes a shell command (agentmesh-proxy --filesystem-protected). This could be exploited by an attacker if the config_path points to a malicious file or if the example_server configuration is tampered with.
  • Risk: Arbitrary command execution or sandbox escape.
  • Recommendation:
    • Validate the config_path to ensure it points to a trusted location.
    • Sanitize the command field to prevent injection attacks.
    • Consider using a secure execution mechanism (e.g., subprocess with strict argument validation).

2. Error Handling in handle_error

  • The handle_error function logs exceptions with exc_info=True, which could expose sensitive information in logs if DEBUG mode is enabled.
  • Risk: Information leakage.
  • Recommendation: Ensure sensitive data (e.g., file paths, stack traces) is redacted from logs in production environments.

🟡 WARNING

1. Breaking Change in Type Hinting

  • The type hint for custom_msg in handle_error and config_path in _init_claude_integration was changed from Optional[str] to str | None. This introduces a backward compatibility issue for Python versions <3.10, as the | syntax is not supported.
  • Impact: Users running Python 3.9 will encounter syntax errors.
  • Recommendation: Use Optional[str] for compatibility with Python 3.9.

2. Expanded Dependency Confusion Allowlist

  • Adding common npm dev dependencies to the allowlist increases the risk of overlooking dependency confusion vulnerabilities if a malicious package mimics one of these names.
  • Impact: Reduced effectiveness of dependency confusion checks.
  • Recommendation: Regularly audit the allowlist and consider stricter validation for critical dependencies.

💡 SUGGESTIONS

1. Improve Error Messages

  • The error messages in handle_error are generic and may not provide sufficient context to users. Consider including actionable advice or specific error details for known exceptions.

2. Refactor _init_claude_integration

  • The _init_claude_integration function is overly complex and mixes multiple concerns (e.g., file path determination, backup creation, JSON manipulation). Refactor into smaller, testable functions to improve readability and maintainability.

3. Use ruff Configuration for Consistent Formatting

  • The lint fixes (e.g., whitespace adjustments) suggest inconsistent formatting practices. Ensure the ruff configuration is shared across the repository to enforce consistent styling.

4. Add Unit Tests for Dependency Confusion Script

  • The check_dependency_confusion.py script lacks tests for the expanded allowlist. Add unit tests to verify that the script correctly identifies dependency confusion vulnerabilities.

5. Document CLI Changes

  • The CLI changes (e.g., handle_error updates) should be documented in the agent-mesh README or CLI help output to inform users of new behavior.

Final Assessment

  • Security: 🔴 Address sandbox escape risks and sensitive logging issues.
  • Backward Compatibility: 🟡 Revert type hint changes for Python 3.9 compatibility.
  • Code Quality: 💡 Refactor complex functions and improve error handling/documentation.

Let me know if you need further clarification or assistance!


github-actions bot commented Apr 2, 2026

🤖 AI Agent: docs-sync-checker — Issues Found

📝 Documentation Sync Report

Issues Found

  • handle_error() in packages/agent-mesh/src/agentmesh/cli/main.py — missing detailed docstring (e.g., parameter descriptions, return values, and exceptions raised).
  • _init_claude_integration() in packages/agent-mesh/src/agentmesh/cli/main.py — missing detailed docstring (e.g., parameter descriptions, return values, and exceptions raised).
  • ⚠️ packages/agent-mesh/README.md — no mention of the --policy options (strict|moderate|permissive) or the --no-footer option for customization in the "init-integration" section.
  • ⚠️ CHANGELOG.md — no entry for the changes made to the dependency confusion script or the lint fixes in the CLI.
  • ⚠️ examples/ — no updates to example code to reflect the new --policy and --no-footer options mentioned in _init_claude_integration().

Suggestions

  • 💡 Add a detailed docstring for handle_error(e: Exception, output_json: bool = False, custom_msg: str | None = None):
    • Purpose: Describe the function's role as a centralized error handler for CLI commands.
    • Parameters:
      • e: The exception to handle.
      • output_json: Whether to output the error in JSON format.
      • custom_msg: A custom error message to display instead of the default.
    • Return Value: None.
    • Exceptions Raised: Mention any exceptions that might be raised during execution.
  • 💡 Add a detailed docstring for _init_claude_integration(config_path: str | None, backup: bool):
    • Purpose: Explain the function's role in initializing the Claude Desktop integration.
    • Parameters:
      • config_path: Path to the configuration file (optional).
      • backup: Whether to create a backup of the existing configuration.
    • Return Value: None.
    • Exceptions Raised: Mention any exceptions that might be raised during execution.
  • 💡 Update the packages/agent-mesh/README.md to include the new --policy options and --no-footer customization in the "init-integration" section.
  • 💡 Add an entry to CHANGELOG.md summarizing the following changes:
    • Expanded npm allowlist in the dependency confusion script.
    • Fixed linting issues in the agent-mesh CLI.
  • 💡 Update example code in examples/ to demonstrate the usage of the new --policy and --no-footer options in the init-integration command.

Additional Notes

  • The type hints for handle_error() and _init_claude_integration() have been updated to use str | None instead of Optional[str], which is valid in Python 3.10+ and does not require further changes.
  • The changes to the dependency confusion script do not appear to require additional documentation or examples, but they should still be noted in the CHANGELOG.md.

Please address the above issues to ensure documentation remains in sync with the codebase.


github-actions bot commented Apr 2, 2026

🤖 AI Agent: test-generator — `packages/agent-mesh/src/agentmesh/cli/main.py`

🧪 Test Coverage Analysis

packages/agent-mesh/src/agentmesh/cli/main.py

  • ✅ Existing coverage: The file contains a centralized error handler (handle_error) and functions for policy management and integration initialization, which are likely covered by existing tests that validate CLI commands and error handling.
  • ❌ Missing coverage: There may be insufficient coverage for edge cases related to policy evaluation, such as conflicting policies, and input validation scenarios, such as malformed inputs or oversized payloads. Additionally, the handling of configuration paths and the backup process in _init_claude_integration could be explored further.
  • 💡 Suggested test cases:
    1. test_handle_error_with_known_exception — Test the handle_error function with a known exception type (e.g., ValueError) to ensure it logs the correct error message and sets the appropriate status.
    2. test_handle_error_with_unknown_exception — Test the handle_error function with an unknown exception to verify that it logs the error correctly and returns a generic error message.
    3. test_policy_with_conflicting_policies — Simulate a scenario where conflicting policies are loaded and ensure that the PolicyEngine handles them correctly, either by prioritizing one policy over another or by raising an appropriate error.
    4. test_init_integration_with_nonexistent_config — Test the _init_claude_integration function with a non-existent configuration path to verify that it logs a warning and attempts to create a default configuration.
    5. test_init_integration_with_malformed_config — Provide a malformed JSON configuration file to _init_claude_integration and ensure that the function handles the error gracefully, logging the appropriate error message.


github-actions bot commented Apr 2, 2026

🤖 AI Agent: security-scanner — Security Analysis of the Pull Request

Security Analysis of the Pull Request

1. Prompt Injection Defense Bypass

No changes in this PR directly affect prompt injection defenses. The modifications are primarily related to dependency management and minor code refactoring in the CLI. No new user input handling mechanisms or prompt-related logic were introduced or modified.

Rating: 🔵 LOW


2. Policy Engine Circumvention

The PR does not modify the core PolicyEngine or its logic. However, there is a minor change in the import statement:

-        from agentmesh.governance import PolicyEngine, Policy
+        from agentmesh.governance import Policy, PolicyEngine

This change is purely cosmetic and does not affect functionality. The PolicyEngine remains unchanged, and there is no indication of policy circumvention.

Rating: 🔵 LOW


3. Trust Chain Weaknesses

No changes in this PR affect trust chain mechanisms such as SPIFFE/SVID validation or certificate pinning. The modifications are limited to CLI refactoring and dependency allowlist updates.

Rating: 🔵 LOW


4. Credential Exposure

The PR introduces logging changes and modifies the handle_error function. The following line is of interest:

logger.error(f"CLI Error: {e}", exc_info=True)

While this line logs exceptions for debugging purposes, it could inadvertently expose sensitive information (e.g., file paths, stack traces, or error messages containing secrets) if the logger is configured to output to a publicly accessible location.

Attack Vector: If the logger is misconfigured to output logs to a public location, sensitive information could be exposed, leading to credential leakage or other security risks.

Suggested Fix: Sanitize sensitive information from the exception message before logging. For example:

logger.error(f"CLI Error: {str(e)}", exc_info=True)

Rating: 🟠 HIGH


5. Sandbox Escape

No changes in this PR affect container or process isolation. The modifications are limited to CLI refactoring and dependency allowlist updates.

Rating: 🔵 LOW


6. Deserialization Attacks

The PR includes deserialization of JSON and YAML files in the following sections:

policy_data = yaml.safe_load(f)
policy_data = json.load(f)

Both yaml.safe_load and json.load are considered safe methods for deserialization. There is no evidence of unsafe deserialization methods (e.g., yaml.load or pickle.loads) being introduced or used.

Rating: 🔵 LOW


7. Race Conditions

No changes in this PR introduce or modify concurrency mechanisms. The changes are limited to CLI refactoring and dependency allowlist updates.

Rating: 🔵 LOW


8. Supply Chain Risks

The PR modifies the dependency confusion allowlist in check_dependency_confusion.py by adding several common npm packages:

+    "eslint", "@typescript-eslint/parser", "@typescript-eslint/eslint-plugin",
+    "ts-jest", "@types/jest", "jest", "rimraf", "prettier",
+    "axios", "@types/vscode", "@vscode/vsce", "webpack", "webpack-cli",
+    "ts-node", "nodemon", "concurrently", "dotenv",
+    "esbuild", "@esbuild/linux-x64", "@esbuild/darwin-arm64",
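Review bot: The last added line allowlists two platform-specific binary packages by exact name (`@esbuild/linux-x64`, `@esbuild/darwin-arm64`) next to the generic `esbuild` entry, so the check will fail again on any CI runner with another platform and someone will extend the list again by hand. Consider matching trusted scopes as a group (`@esbuild/*`, `@types/*`, `@typescript-eslint/*`) or, better, deriving the allowlist from the lockfile's resolved registry URLs rather than from bare names, and add a short comment per added group saying why it is there (the CI failure this PR fixes) so the periodic audit the scanner recommends can tell which entries are still needed.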

While these packages are widely used and appear legitimate, adding them to the allowlist increases the risk of dependency confusion attacks if a malicious actor publishes a similarly named package to a public registry.

Attack Vector: If a malicious actor publishes a package with a name matching one of the allowlisted dependencies to a public registry, it could be mistakenly installed, leading to potential compromise.

Suggested Fix:

  • Implement strict version pinning for all dependencies in the allowlist to ensure only trusted versions are installed.
  • Consider using tools like npm audit or npm ci to verify the integrity of dependencies.
  • Regularly review and update the allowlist to ensure it only includes necessary and trusted packages.

Rating: 🟠 HIGH


Summary of Findings

  1. Credential Exposure: 🟠 HIGH

    • Potential sensitive information leakage in error logging.
    • Fix: Sanitize exception messages before logging.
  2. Supply Chain Risks: 🟠 HIGH

    • Expanding the npm allowlist increases the attack surface for dependency confusion.
    • Fix: Implement strict version pinning and regularly audit the allowlist.
  3. Prompt Injection Defense Bypass: 🔵 LOW

  4. Policy Engine Circumvention: 🔵 LOW

  5. Trust Chain Weaknesses: 🔵 LOW

  6. Sandbox Escape: 🔵 LOW

  7. Deserialization Attacks: 🔵 LOW

  8. Race Conditions: 🔵 LOW

Recommendations

  • Address the potential credential exposure by sanitizing log messages.
  • Review the expanded npm allowlist and implement strict version pinning for all dependencies.
  • Ensure that dependency management tools and processes are in place to mitigate supply chain risks.
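As an added example, not the repository's own check_dependency_confusion.py, here is a minimal allowlist-driven check over a package.json that also flags unpinned versions and unbound private scopes, the two mitigations the summary above recommends; the allowlist subset, the internal scope and the sample manifest are constructed for illustration.

```python
import json
import re

# Constructed subset of well-known public npm names (illustrative only, not the
# repository's REGISTERED_NPM_PACKAGES list).
REGISTERED_NPM_PACKAGES = {
    "eslint", "axios", "ts-jest", "@types/vscode", "rimraf", "jest", "prettier",
}
# Hypothetical private scope: packages under it must resolve to a private registry.
INTERNAL_SCOPE = "@acme-internal"
# Exact semver pin, optionally with a pre-release tag; anything else is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def check_manifest(manifest: dict, npmrc: str) -> list[str]:
    """Return findings for dependencies a confusion attack could hit.

    manifest: parsed package.json; npmrc: text of the project's .npmrc.
    """
    findings = []
    scope_bound = f"{INTERNAL_SCOPE}:registry=" in npmrc
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name.startswith(INTERNAL_SCOPE + "/"):
                # An internal name is safe only if its scope is bound to a private registry.
                if not scope_bound:
                    findings.append(f"{name}: scope {INTERNAL_SCOPE} is not bound to a private registry in .npmrc")
                continue
            if name not in REGISTERED_NPM_PACKAGES:
                # Unknown public name: verify it is a real, known package before allowlisting it.
                findings.append(f"{name}: not in allowlist, confirm it is a known public package")
            if not EXACT_VERSION.match(spec):
                findings.append(f"{name}: version spec '{spec}' is not an exact pin")
    return findings


# Constructed sample manifest and .npmrc files used only to demonstrate the check.
SAMPLE_MANIFEST = json.loads("""{
  "dependencies": {"axios": "1.6.8", "@acme-internal/policy-client": "2.0.0"},
  "devDependencies": {"eslint": "^8.57.0", "acme-build-helper": "1.0.0"}
}""")
SAMPLE_NPMRC_BAD = "registry=https://registry.npmjs.org/\n"
SAMPLE_NPMRC_GOOD = SAMPLE_NPMRC_BAD + f"{INTERNAL_SCOPE}:registry=https://npm.example.internal/\n"

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST, SAMPLE_NPMRC_BAD):
        print(finding)
```

Run against the sample manifest, the unbound .npmrc yields three findings (unbound scope, the eslint range, the unknown helper name) and the bound one yields two.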
