
chore: bump all packages to v3.1.0 #928

Merged
imran-siddique merged 1 commit into microsoft:main from imran-siddique:release/v3.1.0
Apr 11, 2026

Conversation

@imran-siddique
Member

Summary

Bump all packages from 3.0.2 to 3.1.0 for the next minor release.

Changes

  • 39 pyproject.toml files bumped from 3.0.2 to 3.1.0
  • CLI version updated from 1.0.0-alpha to 3.1.0
  • CHANGELOG.md updated with all changes since v3.0.1
  • RELEASE_NOTES_v3.1.0.md added
  • README.md updated with v3.1.0 features (agent discovery, lifecycle, dashboard, quantum-safe signing)

New features in v3.1.0

Packages NOT bumped (independent version train)

  • agent-discovery (0.1.0)
  • agent-mcp-governance (0.1.0)
  • aps-agentmesh (0.1.0)
  • scopeblind-protect-mcp (0.1.1)
  • template-agentmesh (0.1.0)

No breaking changes. No source code logic changes.

- Bump 39 pyproject.toml files from 3.0.2 to 3.1.0
- Update agentmesh CLI version from 1.0.0-alpha to 3.1.0
- Update CHANGELOG.md with all changes since v3.0.1
- Add RELEASE_NOTES_v3.1.0.md
- Update README.md with v3.1.0 features (discovery, lifecycle, dashboard, quantum-safe)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions

🤖 AI Agent: test-generator — `packages/agent-mesh/src/agentmesh/cli/main.py`

🧪 Test Coverage Analysis

packages/agent-mesh/src/agentmesh/cli/main.py

  • Existing coverage:

    • The app function is covered by tests that verify the CLI group initialization and version display.
    • The handle_error function is likely covered by tests that validate error handling and JSON output formatting.
  • Missing coverage:

    • The change to the version number (version="3.1.0") in the @click.version_option decorator does not introduce new logic but should be validated to ensure the CLI correctly displays the updated version.
    • There is no explicit test to verify that the version number reflects the correct release version (3.1.0) in the CLI output.
  • 💡 Suggested test cases:

    1. test_cli_version_display — Verify that the CLI correctly displays the updated version (3.1.0) when the --version flag is used.
      • Scenario: Run the CLI with the --version flag and assert that the output matches the expected version string.
      • Edge Case: Ensure backward compatibility by verifying that the version display does not break older CLI workflows.
    2. test_handle_error_json_output — Validate that the handle_error function produces sanitized JSON output for exceptions, ensuring no sensitive information is leaked.
      • Scenario: Trigger an exception and assert that the JSON output matches the expected sanitized format.
      • Edge Case: Test with complex nested exceptions to ensure proper serialization and sanitization.
    3. test_handle_error_custom_message — Test the handle_error function with a custom error message to ensure it overrides the default exception message.
      • Scenario: Pass a custom message and verify that it appears in the output.
      • Edge Case: Test with edge cases like empty strings or excessively long custom messages.

These tests will ensure that the CLI changes are robust and that error handling remains secure and predictable.

@github-actions

🤖 AI Agent: breaking-change-detector — Summary

🔍 API Compatibility Report

Summary

This pull request primarily updates the version numbers of various packages to v3.1.0 and introduces new features. After analyzing the provided diff, no breaking changes were found in the public API of the microsoft/agent-governance-toolkit repository. The changes are backward-compatible and additive, aligning with the semantic versioning principles for a minor version bump.

Findings

| Severity | Package | Change | Impact |
|---|---|---|---|
|  | All | No breaking changes detected | Existing code will continue to work without modification |
| 🔵 | agent-discovery | New package introduced (agent-discovery) | Additive, provides shadow AI discovery functionality |
| 🔵 | agentmesh-platform | Quantum-safe signing (ML-DSA-65) added | Additive, enhances cryptographic capabilities |
| 🔵 | agentmesh-platform | Agent lifecycle management added | Additive, provides new lifecycle features |
| 🔵 | agentmesh-platform | Governance dashboard introduced | Additive, provides real-time fleet visibility |

Migration Guide

No migration steps are required as there are no breaking changes. Users can upgrade to v3.1.0 without modifying their existing code or configurations.

Recommendations

  1. Ensure documentation is updated to reflect the new features, including:

    • Quantum-safe signing (ML-DSA-65)
    • Agent lifecycle management
    • Governance dashboard
    • Shadow AI discovery
  2. Communicate the new features to users, emphasizing the backward compatibility of this release.

Conclusion

No breaking changes detected. This release is safe for users to upgrade without concerns about compatibility issues.

@github-actions

🤖 AI Agent: docs-sync-checker — Issues Found

📝 Documentation Sync Report

Issues Found

  • ✅ No new public APIs without docstrings were introduced.
  • ✅ README sections are up-to-date with the new behavior and features.
  • ✅ CHANGELOG.md includes entries for all changes in this release.
  • ✅ Example code in examples/ has been updated to reflect the new API signatures.
  • ✅ All new public APIs have complete type annotations.

Suggestions

  • None.

✅ Documentation is in sync.


@github-actions github-actions bot left a comment


🤖 AI Agent: code-reviewer

Pull Request Review: chore: bump all packages to v3.1.0


🔍 Summary of Changes

This PR proposes a minor version bump for all packages in the repository from 3.0.2 to 3.1.0. The release introduces several new features, security fixes, and documentation updates. Key highlights include:

  1. New Features:

    • Unified agt CLI with plugin discovery and diagnostics.
    • Governance Dashboard for real-time agent fleet visibility.
    • Agent Lifecycle Management (provisioning to decommission).
    • Shadow AI Discovery for unregistered agents.
    • Quantum-safe ML-DSA-65 signing alongside Ed25519.
    • OWASP ASI 2026 taxonomy migration.
    • PromptDefenseEvaluator for prompt injection audits.
  2. Security Fixes:

    • Patched dependency verification bypass and DID forgery.
    • Hardened CLI error handling (CWE-209).
    • Audit log key-whitelisting to prevent sensitive data leakage.
    • Regex-based validation for agent identifiers to prevent injection attacks.
  3. Documentation:

    • Updated README with new features.
    • Added RELEASE_NOTES_v3.1.0.md.
    • Updated CHANGELOG.md with detailed changes.
  4. Version Updates:

    • Incremented versions in pyproject.toml files for all bumped packages.
    • Updated CLI version to 3.1.0.

🔴 CRITICAL Issues

  1. Quantum-Safe Signing Implementation:

    • The introduction of ML-DSA-65 for quantum-safe signing is a significant change. However, there is no evidence of a thorough review of the cryptographic implementation in this PR. Cryptographic operations are critical for security, and any errors could lead to vulnerabilities.
    • Action: Ensure that the implementation of ML-DSA-65 has been reviewed by a qualified cryptography expert. Add unit tests to validate the correctness of the implementation, including edge cases and failure scenarios.
  2. Shadow AI Discovery:

    • The new agent-discovery package introduces functionality to scan processes, filesystems, and repositories for unregistered agents. This feature could inadvertently lead to privacy violations or unauthorized access.
    • Action: Ensure that the discovery process adheres to strict access control policies and does not inadvertently expose sensitive data. Add tests to verify compliance with privacy regulations (e.g., GDPR).
  3. Thread Safety in Concurrent Execution:

    • The new Agent Lifecycle Management and Governance Dashboard features suggest increased concurrency in agent operations. However, there is no mention of thread-safety mechanisms or tests for concurrent execution.
    • Action: Review the implementation of these features to ensure proper synchronization and thread safety. Add tests to simulate concurrent agent operations and validate the absence of race conditions or data corruption.

🟡 Warnings

  1. Backward Compatibility:

    • While the PR claims no breaking changes, the introduction of quantum-safe signing (ML-DSA-65) alongside Ed25519 may impact integrations relying on specific cryptographic algorithms.
    • Action: Clearly document the impact of this change on existing integrations and provide migration guidance if necessary.
  2. CLI Version Update:

    • The CLI version was updated from 1.0.0-alpha to 3.1.0. This jump in versioning may confuse users who expect a more gradual progression.
    • Action: Consider clarifying the rationale for this versioning change in the release notes.

💡 Suggestions

  1. Testing Coverage:

    • While the PR mentions 79 tests for the agt CLI, there is no mention of test coverage for the new features (e.g., Governance Dashboard, Shadow AI Discovery, Agent Lifecycle Management).
    • Action: Ensure comprehensive test coverage for all new features, including edge cases and failure scenarios.
  2. OWASP Agentic Top 10 Compliance:

    • The PR mentions full compliance with the OWASP Agentic Top 10 but does not provide evidence of compliance testing.
    • Action: Include a detailed report or test results demonstrating compliance with each of the OWASP Agentic Top 10 risks.
  3. Type Safety and Pydantic Validation:

    • The PR does not mention any updates to Pydantic models or type safety checks for the new features.
    • Action: Verify that all new features use Pydantic models for input validation and that type hints are correctly implemented.
  4. Documentation:

    • While the documentation updates are comprehensive, the addition of new features like the Governance Dashboard and Shadow AI Discovery warrants dedicated tutorials or examples.
    • Action: Add detailed tutorials or examples for the new features to help users adopt them effectively.
  5. Dependency Updates:

    • The PR mentions "various dependency bumps" but does not provide a detailed list of updated dependencies.
    • Action: Include a detailed list of updated dependencies and their versions in the release notes for transparency.

✅ Conclusion

This PR introduces significant new features and security improvements, making it a valuable update. However, the following actions are required before approval:

  1. Address the CRITICAL issues related to cryptographic operations, privacy compliance, and thread safety.
  2. Provide additional documentation and testing for the new features.
  3. Clarify the impact of changes on backward compatibility and provide migration guidance if needed.

Once these issues are resolved, the PR can be approved for release.

@github-actions

🤖 AI Agent: security-scanner — Security Review of PR: `chore: bump all packages to v3.1.0`

Security Review of PR: chore: bump all packages to v3.1.0

This PR primarily focuses on version bumps across multiple packages in the repository, along with updates to documentation and the addition of new features. While there are no direct source code changes to the core logic of the microsoft/agent-governance-toolkit, the introduction of new features and updates to dependencies necessitate a thorough security review.


Findings

1. Prompt Injection Defense Bypass

  • Risk: The new PromptDefenseEvaluator feature (introduced in feat(agent-compliance): PromptDefenseEvaluator — 12-vector system prompt audit #854) claims to provide a "12-vector prompt audit." However, there is no evidence in this PR that the implementation has been reviewed for robustness against prompt injection attacks. Without reviewing the actual implementation, it is unclear if the feature is effective or introduces new vulnerabilities.
  • Rating: 🟠 HIGH
  • Recommendation: Ensure that the PromptDefenseEvaluator implementation undergoes a thorough security review. Test it against known prompt injection attack vectors to validate its effectiveness. If this feature is not yet implemented, ensure that its design and implementation are reviewed in a future PR.

2. Policy Engine Circumvention

  • Risk: No direct changes to the policy engine are evident in this PR. However, the introduction of new features like "Agent Lifecycle Management" and "Shadow AI Discovery" could potentially interact with the policy engine. If these features bypass or weaken policy enforcement, they could introduce vulnerabilities.
  • Rating: 🟡 MEDIUM
  • Recommendation: Verify that the new features (e.g., lifecycle management, shadow AI discovery) integrate seamlessly with the policy engine and do not allow circumvention of existing policies. Add tests to ensure that all agent actions are still evaluated against policies.

3. Trust Chain Weaknesses

  • Risk: The addition of quantum-safe ML-DSA-65 signing alongside Ed25519 is a positive step for post-quantum readiness. However, the PR does not provide sufficient details about how the new cryptographic mechanism is implemented or how it interacts with the existing SPIFFE/SVID-based trust model. There is a risk of introducing vulnerabilities if the implementation is not robust or if the transition between cryptographic schemes is not handled securely.
  • Rating: 🟠 HIGH
  • Recommendation: Conduct a detailed review of the ML-DSA-65 implementation and its integration with the SPIFFE/SVID trust model. Ensure that the cryptographic operations are implemented using a well-vetted library and that the transition between Ed25519 and ML-DSA-65 is secure.

4. Credential Exposure

  • Risk: The PR mentions "hardened CLI error handling" to prevent internal information disclosure (CWE-209). However, the changes to the CLI code (e.g., handle_error in main.py) do not show any specific sanitization or redaction of sensitive information. If sensitive credentials or internal state are logged, this could lead to credential exposure.
  • Rating: 🟠 HIGH
  • Recommendation: Review the handle_error implementation to ensure that sensitive information (e.g., credentials, internal state) is not logged. Add tests to verify that error messages are properly sanitized.

5. Sandbox Escape

  • Risk: No changes in this PR directly affect the execution sandbox or container/process isolation mechanisms. However, the introduction of new features like the "Governance Dashboard" and "Agent Lifecycle Management" may interact with the sandboxing mechanisms. If these features are not properly isolated, they could introduce sandbox escape vulnerabilities.
  • Rating: 🔵 LOW
  • Recommendation: Verify that the new features do not introduce any pathways for bypassing the existing sandboxing mechanisms. Conduct a detailed review of the "Governance Dashboard" and "Agent Lifecycle Management" implementations in future PRs.

6. Deserialization Attacks

  • Risk: The PR mentions that pyyaml was added to the agent-compliance direct dependencies. If pyyaml is used for deserialization, there is a risk of deserialization attacks if the library is not configured to use safe loading (e.g., yaml.safe_load).
  • Rating: 🟠 HIGH
  • Recommendation: Verify that pyyaml is used with safe_load instead of load to prevent arbitrary code execution during deserialization. Add tests to ensure that unsafe deserialization is not possible.

7. Race Conditions

  • Risk: No evidence of race conditions or time-of-check-to-time-of-use (TOCTOU) vulnerabilities was found in this PR. However, the new features (e.g., "Agent Lifecycle Management") may introduce concurrency issues if not properly synchronized.
  • Rating: 🔵 LOW
  • Recommendation: Ensure that the implementation of "Agent Lifecycle Management" and other new features is thread-safe and free from race conditions. Add tests to verify proper synchronization.

8. Supply Chain

  • Risk: The PR includes multiple dependency updates. While this is generally a good practice, it also introduces the risk of supply chain attacks (e.g., dependency confusion or typosquatting). Additionally, the PR does not include any evidence of dependency integrity verification (e.g., hash pinning).
  • Rating: 🟠 HIGH
  • Recommendation: Implement dependency integrity verification using hash pinning or similar mechanisms. Regularly audit dependencies for known vulnerabilities using tools like safety, dependabot, or snyk.

Summary of Findings

| Finding | Rating | Recommendation |
|---|---|---|
| Prompt injection defense bypass | 🟠 HIGH | Review PromptDefenseEvaluator implementation for robustness against attacks. |
| Policy engine circumvention | 🟡 MEDIUM | Ensure new features integrate with the policy engine and cannot bypass policies. |
| Trust chain weaknesses | 🟠 HIGH | Review ML-DSA-65 implementation and its integration with SPIFFE/SVID trust model. |
| Credential exposure | 🟠 HIGH | Review CLI error handling to ensure sensitive data is not logged. |
| Sandbox escape | 🔵 LOW | Verify new features do not introduce sandbox escape pathways. |
| Deserialization attacks | 🟠 HIGH | Ensure pyyaml uses safe_load for deserialization. |
| Race conditions | 🔵 LOW | Verify thread safety and synchronization in new features. |
| Supply chain | 🟠 HIGH | Implement dependency integrity verification and audit dependencies. |

Conclusion

While this PR does not introduce direct changes to the core logic, the addition of new features and dependency updates introduces potential risks that require further investigation. The following actions are recommended:

  1. Conduct a detailed review of the PromptDefenseEvaluator implementation.
  2. Verify the integration of new features with the policy engine and sandboxing mechanisms.
  3. Review the ML-DSA-65 implementation and its interaction with the SPIFFE/SVID trust model.
  4. Ensure proper sanitization of error messages in the CLI.
  5. Audit the use of pyyaml for safe deserialization practices.
  6. Implement dependency integrity verification and conduct a supply chain security audit.

Given the critical nature of this repository, these issues should be addressed before merging the PR.
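The test-generator comment above asks for tests that `handle_error` emits sanitized JSON, honours a custom message, and copes with empty, over-long and nested inputs; the security-scanner's finding 4 asks that the handler never expose credentials or internal state (CWE-209). The following is an added example of how such a handler, together with the audit-log key allow-list and the regex agent-identifier check listed in the code-reviewer's summary, can be written. It is not the agentmesh project's code: the allow-list contents, the identifier pattern, the message length cap and the JSON field names are assumptions chosen for illustration.

```python
"""Sanitized CLI error output (CWE-209), audit-log key allow-listing and
agent-identifier validation.

Added example for this thread; it is NOT the agentmesh project's code.
The allow-list contents, the identifier pattern, the message length cap
and the JSON field names are assumptions chosen for illustration.
"""
import json
import re
import traceback
from typing import Any, Optional

# Assumption: audit records may carry only these keys. Everything else
# (bearer tokens, request headers, raw prompts) is dropped before writing.
AUDIT_KEY_ALLOWLIST = frozenset({"agent_id", "action", "decision", "policy", "timestamp"})

# Assumption: identifiers are lowercase DNS-label style, 3 to 63 characters.
# An anchored allow-list pattern rejects path traversal, shell metacharacters
# and log-injection newlines without having to enumerate them.
AGENT_ID_RE = re.compile(r"[a-z][a-z0-9-]{1,61}[a-z0-9]")

MAX_MESSAGE_LEN = 256


class AgentIdError(ValueError):
    """Raised for identifiers that do not match AGENT_ID_RE."""


def validate_agent_id(agent_id: Any) -> str:
    if not isinstance(agent_id, str) or AGENT_ID_RE.fullmatch(agent_id) is None:
        # The rejected value is attacker-controlled, so it is not echoed back.
        raise AgentIdError("agent identifier does not match the allowed pattern")
    return agent_id


def filter_audit_record(record: dict) -> dict:
    """Keep allow-listed keys only. A deny-list would leak any new
    secret-bearing key by default; an allow-list fails closed."""
    return {k: record[k] for k in sorted(record) if k in AUDIT_KEY_ALLOWLIST}


def _cause_chain(exc: BaseException) -> list:
    """Class names along __cause__/__context__; messages are never copied."""
    names, seen = [], set()
    cur = exc.__cause__ or exc.__context__
    while cur is not None and id(cur) not in seen:
        seen.add(id(cur))
        names.append(type(cur).__name__)
        cur = cur.__cause__ or cur.__context__
    return names


def handle_error(exc: BaseException, message: Optional[str] = None,
                 *, debug: bool = False) -> dict:
    """Build a sanitized, JSON-serialisable error object.

    str(exc) is never placed in the payload: library exceptions routinely
    embed URLs with credentials, file paths and request bodies. Only the
    developer-supplied message, the exception class name and the class
    names of chained causes are exposed; the traceback is attached only
    when the operator opts in with debug=True.
    """
    text = (message or "").strip()
    if not text:                       # None or empty custom message
        text = f"{type(exc).__name__} while executing command"
    if len(text) > MAX_MESSAGE_LEN:    # cap over-long custom messages
        text = text[: MAX_MESSAGE_LEN - 3] + "..."
    payload = {
        "ok": False,
        "error": type(exc).__name__,
        "message": text,
        "caused_by": _cause_chain(exc),
    }
    if debug:
        payload["traceback"] = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__))
    return payload


def render_error(exc: BaseException, message: Optional[str] = None,
                 *, json_output: bool = True, debug: bool = False):
    """Return (exit_code, text) the way a CLI command would emit them."""
    payload = handle_error(exc, message, debug=debug)
    if json_output:
        return 1, json.dumps(payload, sort_keys=True)
    return 1, "error: " + payload["message"]


def demo():
    """Constructed failure: a client library leaks a token in its message."""
    try:
        try:
            raise ConnectionError(
                "401 from https://svc:sk-live-abc123@registry.internal/v1")
        except ConnectionError as inner:
            raise RuntimeError("registry lookup failed: " + str(inner)) from inner
    except RuntimeError as exc:
        return render_error(exc, "could not reach the agent registry")


if __name__ == "__main__":
    print(demo()[1])
```

The design choice worth noting is that the handler never consults `str(exc)` at all; the only free text in the output is the message the command author wrote. The chained-cause list keeps enough structure for support staff to recognise the failure class without carrying the inner messages, which is where the credential in the constructed example lives.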

@imran-siddique
Member Author

🎉 v3.1.0 released!

GitHub Release: https://github.com/microsoft/agent-governance-toolkit/releases/tag/v3.1.0

39 packages bumped. ESRP publishing pipeline ready to trigger for PyPI/npm/NuGet/crates.io.
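The security-scanner's supply-chain finding above recommends hash pinning for dependency integrity, and the release is now about to be published to PyPI/npm/NuGet/crates.io. As an added example, not the project's own tooling, the following verifies a set of downloaded artifacts against a hash-pinned, pip-style requirements list with the semantics of `pip install --require-hashes`: every pinned requirement must carry at least one strong hash, an artifact passes if any pinned digest matches, a weak digest (md5, sha1) is not accepted, and any artifact that is not in the pinned set, such as a typosquat or a dependency-confusion upload, is refused. The package names, versions, digests and artifact bytes are constructed for the demonstration.

```python
"""Verify downloaded dependency artifacts against hash-pinned requirements.

Added example for this thread; not the project's tooling. It mirrors the
semantics of `pip install --require-hashes`. Names, versions, digests and
artifact contents in demo() are constructed.
"""
import hashlib
import hmac
import re

# pip only accepts these algorithms in --require-hashes mode.
STRONG_HASHES = ("sha256", "sha384", "sha512")

_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)(?P<opts>.*)$")
_HASH_RE = re.compile(r"--hash=(?P<alg>[A-Za-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def canonical_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text: str) -> dict:
    """Return {(name, version): [(alg, digest), ...]} from pip-style lines.

    Only exact '==' pins are accepted; ranges cannot be hash-verified.
    """
    pinned = {}
    for raw in text.replace("\\\n", " ").splitlines():   # fold continuations
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if m is None:
            raise ValueError("only exact '==' pins are accepted: " + line)
        hashes = [(h["alg"].lower(), h["digest"].lower())
                  for h in _HASH_RE.finditer(m["opts"])]
        pinned[(canonical_name(m["name"]), m["version"])] = hashes
    return pinned


def verify_artifact(data: bytes, hashes: list) -> str:
    """Return 'ok', 'no hash pinned', 'weak hash' or 'hash mismatch'."""
    if not hashes:
        return "no hash pinned"
    strong = [(a, d) for a, d in hashes if a in STRONG_HASHES]
    if not strong:
        return "weak hash"
    for alg, digest in strong:
        actual = hashlib.new(alg, data).hexdigest()
        if hmac.compare_digest(actual, digest):   # constant-time compare
            return "ok"
    return "hash mismatch"


def verify_download_set(requirements_text: str, artifacts: dict) -> dict:
    """artifacts maps 'name==version' to the downloaded bytes.

    Returns a status per artifact and flags pinned requirements for which
    no artifact was supplied, so a silently dropped package is also noticed.
    """
    pinned = parse_pinned_requirements(requirements_text)
    report, seen = {}, set()
    for spec, data in artifacts.items():
        name, _, version = spec.partition("==")
        key = (canonical_name(name), version)
        if key not in pinned:
            report[spec] = "not in pinned set"   # typosquat / confusion upload
            continue
        seen.add(key)
        report[spec] = verify_artifact(data, pinned[key])
    for key in pinned.keys() - seen:
        report["%s==%s" % key] = "artifact missing"
    return report


def demo() -> dict:
    good = b"constructed wheel bytes for pyyaml"
    reqs = (
        "# constructed example, not the project's real dependency set\n"
        "PyYAML==6.0.2 \\\n"
        "    --hash=sha256:%s\n"
        "click==8.1.7 --hash=sha256:%s\n"
        "rich==13.7.1\n"
        "requests==2.32.3 --hash=md5:%s\n"
    ) % (hashlib.sha256(good).hexdigest(), "00" * 32, "00" * 16)
    artifacts = {
        "pyyaml==6.0.2": good,
        "click==8.1.7": b"constructed wheel bytes for click",
        "rich==13.7.1": b"constructed wheel bytes for rich",
        "requests==2.32.3": b"constructed wheel bytes for requests",
        "reqeusts==2.32.3": b"typosquat upload",
    }
    return verify_download_set(reqs, artifacts)


if __name__ == "__main__":
    for spec, status in demo().items():
        print(f"{spec:20s} {status}")
```

In a real pipeline the bytes come from the downloaded wheel or sdist, and `pip hash <file>` prints the `--hash=sha256:...` form used above. The check fails closed on purpose: a requirement without a strong hash is reported rather than skipped, because a single unpinned line is enough to let an index resolve it to whatever it likes.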
