
v1.1.0 — Enterprise Hardening Release


Released by @imran-siddique on 08 Mar 03:25 · 506 commits to main since this release

Agent Governance Toolkit v1.1.0 — Enterprise Hardening Release

Security First

This toolkit now covers 10/10 OWASP Agentic Security Initiative (ASI) 2026 controls — verified by an automated certification CLI that produces a signed attestation on every deployment. Run agent-compliance verify and get a machine-readable proof.

The threat model this release addresses:

| Threat | Defense | Verified |
| --- | --- | --- |
| Prompt injection smuggling tool calls | PolicyInterceptor + LlamaFirewall + OutputValidationMiddleware | ✅ ASI-01 |
| Tool renaming to bypass allowlists | ToolAliasRegistry — 30+ aliases across 7 canonical families | ✅ ASI-02 |
| Excessive agent autonomy | GovernancePolicy with capability caps + token budgets | ✅ ASI-03 |
| Unauthorized privilege escalation | EscalationPolicy with ESCALATE tier + human approval queues | ✅ ASI-04 |
| Trust boundary violation | CardRegistry with RevocationList + Ed25519 identity mesh | ✅ ASI-05 |
| Insufficient audit logging | AuditChain with Ed25519 signatures + hash-chain tamper detection | ✅ ASI-06 |
| Insecure agent identity | AgentIdentity with SPIFFE DIDs + key rotation | ✅ ASI-07 |
| Policy conflict bypass | 4-strategy conflict resolver (DENY_OVERRIDES, MOST_SPECIFIC_WINS, ...) | ✅ ASI-08 |
| Supply chain tampering | IntegrityVerifier — SHA-256 module hashing + function bytecode verification | ✅ ASI-09 |
| Behavioral anomaly (rogue agents) | Statistical anomaly detection on tool call frequency + error rates | ✅ ASI-10 |

Bootstrap integrity: The governance layer verifies its own integrity at startup — hashing 15 module source files and 4 critical enforcement function bytecodes against a published manifest. A supply chain attack on the toolkit itself is detectable before any policy evaluation occurs.
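The self-check described above, reduced to its two primitives, as an added example. This is not the toolkit's IntegrityVerifier; the function names (source_digest, bytecode_digest, build_manifest, verify_integrity), the digest layout and the sample module are assumptions made for illustration. It hashes a module's source bytes and an enforcement function's bytecode against a manifest, then shows that both a modified source file and a monkey-patched function are reported before any policy decision would be taken.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper names; not the toolkit's own API.


def source_digest(path):
    """SHA-256 of a module's source bytes, as recorded in the manifest."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def bytecode_digest(fn):
    """SHA-256 over a function's bytecode, the global names it references and
    its non-code constants. Filename and line numbers are deliberately left
    out so the digest survives relocating the package; nested code objects
    are skipped to keep the example short."""
    code = fn.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_names).encode())
    h.update(repr([c for c in code.co_consts if not hasattr(c, "co_code")]).encode())
    return h.hexdigest()


def build_manifest(modules, functions):
    """modules: name -> path, functions: name -> callable."""
    return {
        "modules": {name: source_digest(p) for name, p in modules.items()},
        "functions": {name: bytecode_digest(fn) for name, fn in functions.items()},
    }


def verify_integrity(manifest, modules, functions):
    """Return (kind, name) pairs whose current digest differs from the
    manifest, or that are missing entirely. Empty list means the layer
    passed its bootstrap self-check."""
    failures = []
    for name, expected in manifest["modules"].items():
        if name not in modules or source_digest(modules[name]) != expected:
            failures.append(("module", name))
    for name, expected in manifest["functions"].items():
        if name not in functions or bytecode_digest(functions[name]) != expected:
            failures.append(("function", name))
    return failures


# Stand-in for a critical enforcement function.
def enforce(action, allowlist):
    return action in allowlist


# What a supply-chain tamper might replace it with: allows everything.
def enforce_tampered(action, allowlist):
    return True


def demo():
    # Constructed sample module written to a temp dir so the example runs offline.
    tmp = Path(tempfile.mkdtemp())
    mod = tmp / "policy_engine.py"
    mod.write_text("ALLOW = frozenset({'read'})\n")
    modules = {"policy_engine": mod}
    functions = {"enforce": enforce}

    manifest = build_manifest(modules, functions)
    clean = verify_integrity(manifest, modules, functions)
    # Monkey-patched enforcement function: bytecode no longer matches.
    patched = verify_integrity(manifest, modules, {"enforce": enforce_tampered})
    # Modified source file: module hash no longer matches.
    mod.write_text("ALLOW = frozenset({'read', 'shell'})\n")
    modified = verify_integrity(manifest, modules, functions)
    return clean, patched, modified


if __name__ == "__main__":
    print(demo())
```

Two caveats apply to any self-verifying layer of this kind. The manifest is only as trustworthy as its provenance: if integrity.json ships in the same tree as the code, an attacker who edits a module can regenerate it, so the manifest digest must be covered by the signed attestation or stored out of band. And a bytecode digest covers the function body, not the objects its global names resolve to at call time; rebinding a name such as allowlist in the module namespace is not caught by this check.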

339+ tests. Not smoke tests — adversarial tests. Tamper detection, policy bypass attempts, synonym evasion, mid-session mutation, trust score crash recovery.


What Changed Since v1.0.1

15 issues closed · 339+ tests added · 12 features shipped in 72 hours.

Security & Adversarial Durability

  • Policy conflict resolution — 4 strategies: DENY_OVERRIDES, ALLOW_OVERRIDES, PRIORITY_FIRST_MATCH, MOST_SPECIFIC_WINS with 3-tier scope (global → tenant → agent) and auditable resolution trace (#91)
  • Session policy pinning — Deep-copy snapshots prevent mid-flight policy mutations from leaking into running sessions (#92)
  • Tool alias registry — Canonical capability mapping blocks bing_search from dodging a web_search policy (#94)
  • Human-in-the-loop escalation — Suspend-and-route-to-human for regulated industries (#81)
  • Bootstrap integrity verification — Module + bytecode hashing against published manifest (#95)
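The three policy-evaluation items above (conflict resolution with scoped rules and a trace, session pinning, and alias canonicalization) in one runnable example. This is added illustration, not the toolkit's own classes; the names Rule, Session, resolve, canonicalize and the alias table are assumptions, and ties between equally specific or equally prioritized rules are broken toward deny here, which the release notes do not specify.

```python
import copy
from dataclasses import dataclass

# Hypothetical alias registry: every tool name folds to a canonical
# capability before any rule is consulted, so bing_search cannot dodge
# a web_search policy. Unknown tools map to themselves.
ALIASES = {
    "web_search": {"web_search", "bing_search", "google_search", "duckduckgo"},
    "shell": {"shell", "bash", "sh", "run_command"},
}
CANONICAL = {alias: canon for canon, names in ALIASES.items() for alias in names}

SCOPE_RANK = {"global": 0, "tenant": 1, "agent": 2}  # higher is more specific


def canonicalize(tool):
    name = tool.lower()
    return CANONICAL.get(name, name)


@dataclass(frozen=True)
class Rule:
    scope: str      # "global", "tenant" or "agent"
    tool: str       # any alias; compared after canonicalization
    effect: str     # "allow" or "deny"
    priority: int = 0


def _deny_biased(candidates):
    # Assumed tie-break: among otherwise equal rules, a deny wins.
    return next((r for r in candidates if r.effect == "deny"), candidates[0])


def resolve(rules, tool, strategy):
    """Return (effect, trace). The trace records which rules matched and why
    the winner won, so the decision can be audited after the fact."""
    canon = canonicalize(tool)
    matched = [r for r in rules if canonicalize(r.tool) == canon]
    trace = [f"{tool} -> {canon}: {len(matched)} matching rule(s)"]
    if not matched:
        trace.append("no rule matched; default deny")
        return "deny", trace
    if strategy == "DENY_OVERRIDES":
        winner = _deny_biased(matched)
    elif strategy == "ALLOW_OVERRIDES":
        winner = next((r for r in matched if r.effect == "allow"), matched[0])
    elif strategy == "PRIORITY_FIRST_MATCH":
        top = max(r.priority for r in matched)
        winner = _deny_biased([r for r in matched if r.priority == top])
    elif strategy == "MOST_SPECIFIC_WINS":
        top = max(SCOPE_RANK[r.scope] for r in matched)
        winner = _deny_biased([r for r in matched if SCOPE_RANK[r.scope] == top])
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    trace.append(f"{strategy}: {winner.scope}/{winner.tool}/{winner.effect} wins")
    return winner.effect, trace


class Session:
    """Pins a deep copy of the rule set when the session starts, so edits to
    the live policy object cannot leak into a session already in flight."""

    def __init__(self, live_rules, strategy):
        self.rules = copy.deepcopy(live_rules)
        self.strategy = strategy

    def decide(self, tool):
        return resolve(self.rules, tool, self.strategy)[0]


def demo():
    # Constructed policy: global deny on web search, tenant-level allow,
    # tenant-level deny on shell access.
    live = [
        Rule("global", "web_search", "deny"),
        Rule("tenant", "web_search", "allow", priority=5),
        Rule("tenant", "shell", "deny", priority=9),
    ]
    session = Session(live, "MOST_SPECIFIC_WINS")
    first = session.decide("bing_search")                       # tenant allow beats global deny
    deny_first = resolve(live, "bing_search", "DENY_OVERRIDES")[0]
    # Mid-session mutation: someone appends an agent-scoped allow for bash.
    live.append(Rule("agent", "bash", "allow"))
    pinned = session.decide("run_command")                      # snapshot still denies
    unpinned = resolve(live, "run_command", "MOST_SPECIFIC_WINS")[0]  # live policy now allows
    return first, deny_first, pinned, unpinned


if __name__ == "__main__":
    print(demo())
```

Note that the alias table is consulted for the rule's tool name as well as the request, so a rule written against bash still governs run_command; a registry that canonicalizes only one side leaves the bypass open from the other direction.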

Reliability & Operations

  • Version compatibility matrix — doctor() detects silent inter-package version skew (#83)
  • Credential lifecycle — RevocationList wired into CardRegistry.is_verified() (#82)
  • File-backed trust persistence — Atomic JSON writes, survives restarts (#86)
  • Policy schema versioning — apiVersion field with migration + deprecation warnings (#87)

Governance Certification CLI

agent-compliance verify           # OWASP ASI 2026 check → signed attestation
agent-compliance verify --json    # Machine-readable for CI pipelines
agent-compliance verify --badge   # Shields.io badge for your README
agent-compliance integrity --generate integrity.json  # Baseline manifest

Deep Governance (PR #90)

  • SIGKILL-analog process isolation (#77)
  • OpenTelemetry observability (#76)
  • Async concurrency safety (#75)
  • Policy-as-code CI pipeline (#74)
  • LangChain/CrewAI/AutoGen deep integrations (#73)
  • Ed25519-signed audit trail (#72)
  • Behavioral anomaly detection (#71)

Infrastructure

  • 7 production module ports (25,400+ lines) (#63–#69)
  • 44 CodeQL scanning alerts resolved (#79)
  • Copilot auto-review on all PRs (#70)

Install

pip install ai-agent-compliance[full]

v1.2 Roadmap

4 architectural items tracked for the next release:

  • #80 — .NET SDK support
  • #84 — XACML/Cedar policy interchange
  • #88 — Behavioral chaos testing (deadlocks, contradictory instructions)
  • #93 — Cross-organizational federation governance

Full changelog: CHANGELOG.md