Skip to content

feat: human-in-the-loop escalation, version compat, revocation-aware verification#85

Merged
imran-siddique merged 1 commit intomainfrom
feat/escalation-hitl-rotation-compat
Mar 7, 2026
Merged

feat: human-in-the-loop escalation, version compat, revocation-aware verification#85
imran-siddique merged 1 commit intomainfrom
feat/escalation-hitl-rotation-compat

Conversation

@imran-siddique
Copy link
Copy Markdown
Member

@imran-siddique imran-siddique commented Mar 7, 2026

Summary

Addresses three enterprise-readiness gaps identified through codebase audit:

1. Human-in-the-Loop Escalation (Closes #81)

Adds EscalationPolicy with ESCALATE tier between ALLOW/DENY. When require_human_approval triggers, agent is suspended and approval routed to pluggable backend (InMemoryApprovalQueue, WebhookApprovalBackend). Configurable timeout with default action.

2. Revocation-Aware Card Verification (Closes #82)

Wires existing RevocationList into CardRegistry.is_verified() — revoked DIDs immediately fail verification, bypassing cache.

3. Inter-Package Version Compatibility (Closes #83)

Adds compatibility matrix, doctor() function, and check_compatibility() for detecting version skew between packages.

Tests: 52 new tests, all passing

  • 20 escalation (queue, handler, policy, timeout, threading)
  • 16 compat (parsing, range, pair validation, doctor)
  • 16 revocation/rotation (revoke, registry integration, key rotation proofs)

Files: 7 changed, +1,259 lines

@imran-siddique
feat: add human-in-the-loop escalation, version compat checker, and r…
fa50bdc 
…evocation-aware verification

- Add EscalationPolicy with ESCALATE decision tier between ALLOW/DENY (#81)
  - InMemoryApprovalQueue and WebhookApprovalBackend for pluggable backends
  - Configurable timeout with default action (deny/allow)
  - evaluate_and_wait() for synchronous escalation flows

- Wire RevocationList into CardRegistry.is_verified() (#82)
  - Revoked agent DIDs immediately fail verification
  - Setting revocation_list clears cache for instant effect
  - Rotation and revocation modules already existed; this wires them in

- Add inter-package version compatibility checker (#83)
  - Machine-readable compatibility matrix
  - doctor() function reports installed versions and detects skew
  - check_compatibility() validates specific version pairs

All 52 new tests pass.

Closes #81
Closes #82
Closes #83

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@imran-siddique imran-siddique merged commit c46d1e3 into main Mar 7, 2026
23 of 24 checks passed
@github-actions github-actions bot added tests agent-mesh agent-mesh package labels Mar 7, 2026
@imran-siddique imran-siddique deleted the feat/escalation-hitl-rotation-compat branch March 7, 2026 21:46
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 7, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions github-actions bot added the size/XL Extra large PR (500+ lines) label Mar 7, 2026
This was referenced Mar 7, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

agent-mesh agent-mesh package size/XL Extra large PR (500+ lines) tests

Projects

None yet

Milestone

No milestone

1 participant

@imran-siddique