
fix: rename PyPI package agent-runtime → agentmesh-runtime (name collision with AutoGen) #444

Merged
imran-siddique merged 12 commits into microsoft:main from imran-siddique:fix/runtime-rename-rebase
Mar 26, 2026

@imran-siddique
Member

Rebased version of #440 (which had merge conflicts after #439 merged).

Renames the PyPI distribution name from agent-runtime to agentmesh-runtime, since agent-runtime on PyPI is owned by the AutoGen team.

Changes across 26 files: pyproject.toml, dependency declarations, docs, tutorials, CI pipelines. Directory paths and import paths unchanged.

Closes #437

imran-siddique and others added 12 commits March 25, 2026 10:58
ADO requires service connection names at compile time for task
authorization. Runtime variables cannot be used for connectedservicename.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…e name collision

Co-authored-by: imran-siddique <45405841+imran-siddique@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/agent-governance-toolkit/sessions/bb546e84-e84d-49c1-8ab4-8ccc8013f4e2
@github-actions github-actions bot added the labels documentation (Improvements or additions to documentation), dependencies (Pull requests that update a dependency file), agent-hypervisor (agent-hypervisor package), and ci/cd (CI/CD and workflows) Mar 26, 2026
@imran-siddique imran-siddique merged commit 53f6bad into microsoft:main Mar 26, 2026
57 checks passed
@github-actions

🤖 AI Agent: breaking-change-detector — Summary

🔍 API Compatibility Report

Summary

The pull request renames the PyPI package agent-runtime to agentmesh-runtime to resolve a naming conflict. This change affects documentation, dependency declarations, and tutorials, but does not modify any code, APIs, or functionality. No breaking changes were introduced to the public API of the microsoft/agent-governance-toolkit repository.

Findings

| Severity | Package | Change | Impact |
|---|---|---|---|
| | agent-runtime → agentmesh-runtime | PyPI package name renamed | No impact on API compatibility. Import paths and code remain unchanged. |

Migration Guide

  1. Update your requirements.txt or dependency management files to replace agent-runtime with agentmesh-runtime.
    - pip install agent-runtime
    + pip install agentmesh-runtime
  2. No changes are required to import paths or code, as the package structure and APIs remain unchanged.

Conclusion

No breaking changes detected. This is a non-breaking change limited to package naming on PyPI. Downstream users only need to update their dependency declarations.

@github-actions github-actions bot added the size/M (Medium PR, < 200 lines) label Mar 26, 2026
@github-actions

🤖 AI Agent: test-generator — `packages/agent-compliance/src/agent_compliance/__init__.py`

🧪 Test Coverage Analysis

packages/agent-compliance/src/agent_compliance/__init__.py

  • Existing coverage: The agent_compliance module is covered by tests in the tests/agent_compliance directory. These tests validate the integration of subcomponents like agent-os-kernel, agentmesh-platform, agent-runtime (now agentmesh-runtime), and others.
  • Missing coverage: The rename of agent-runtime to agentmesh-runtime is a straightforward change, but there is no explicit test to verify that the renamed package is correctly imported and integrated across all modules.
  • 💡 Suggested test cases:
    1. test_agentmesh_runtime_import — Verify that the agentmesh-runtime package is correctly imported and accessible within the agent_compliance module.
    2. test_agentmesh_runtime_dependency_resolution — Ensure that the agentmesh-runtime dependency is correctly resolved and functional when installed via pyproject.toml.

packages/agent-os/src/agent_os/integrations/compat.py

  • Existing coverage: The compat.py module is covered by tests in the tests/agent_os/integrations directory. These tests validate compatibility checks for various packages, including agent-runtime (now agentmesh-runtime).
  • Missing coverage: The rename of agent-runtime to agentmesh-runtime is not explicitly tested in the compatibility checks.
  • 💡 Suggested test cases:
    1. test_agentmesh_runtime_compatibility — Validate that agentmesh-runtime is correctly recognized as a compatible package in the compat.py module.
    2. test_agentmesh_runtime_version_resolution — Ensure that the version constraints for agentmesh-runtime are correctly enforced during compatibility checks.

General Recommendations

Since the rename affects multiple files and dependencies, it is critical to ensure that:

  1. Dependency resolution: The agentmesh-runtime package is correctly resolved in all contexts (e.g., pip install, pyproject.toml, and runtime imports).
  2. Backward compatibility: Any references to the old agent-runtime name are either removed or appropriately redirected to agentmesh-runtime.
  3. Integration tests: Add end-to-end tests to verify that the renamed package integrates seamlessly with other components, especially in scenarios involving policy evaluation, trust scoring, and runtime isolation.

By implementing the suggested test cases, the repository can ensure robust coverage for the changes introduced in this pull request.

@github-actions github-actions bot left a comment

🤖 AI Agent: code-reviewer

Review Summary

This PR addresses a critical issue of a naming collision on PyPI by renaming the agent-runtime package to agentmesh-runtime. The changes are extensive, touching 26 files, including documentation, dependency declarations, and CI pipelines. The renaming is consistent across the repository, and no directory paths or import paths were altered. The changes appear to be straightforward and primarily involve renaming the package in various files.

Below is a detailed review of the PR:


🔴 CRITICAL

  1. Dependency Confusion Risk:

    • The PR description mentions that the rename is due to a name collision with the AutoGen team's agent-runtime package on PyPI. However, there is no explicit verification in the PR that agentmesh-runtime is registered and owned by the repository maintainers. This creates a potential dependency confusion vulnerability if agentmesh-runtime is not properly registered and controlled by the team.
    • Action: Ensure that agentmesh-runtime is registered on PyPI and owned by the appropriate account before merging this PR. Add a comment in the PR confirming this step has been completed.
  2. Backward Compatibility:

    • The PR does not address backward compatibility for users who may have already installed agent-runtime. This could lead to broken builds for existing users.
    • Action: Consider publishing a transitional release of agent-runtime that depends on agentmesh-runtime and emits a deprecation warning. This will give users time to migrate to the new package name.

🟡 WARNING

  1. Breaking Change:
    • The rename of the PyPI package from agent-runtime to agentmesh-runtime is a breaking change for any users relying on the old package name. While this is unavoidable due to the name collision, it should be clearly documented in the release notes and communicated to users.
    • Action: Update the release notes to include a clear migration guide for users, including instructions to uninstall agent-runtime and install agentmesh-runtime.

💡 SUGGESTIONS

  1. Test Coverage:

    • While the PR mentions that directory paths and import paths remain unchanged, it is still important to verify that the test suite covers all scenarios where the renamed package is used.
    • Action: Run the full test suite and confirm that all tests pass. If possible, add a test to ensure that the renamed package (agentmesh-runtime) is correctly imported and used in the codebase.
  2. Documentation Updates:

    • The documentation updates are thorough, but there are some minor inconsistencies in formatting due to merge conflicts (e.g., duplicate lines in QUICKSTART.md and docs/tutorials/README.md).
    • Action: Clean up the merge conflict artifacts to ensure the documentation is clear and consistent.
  3. CI/CD Pipeline:

    • The CI/CD pipeline configuration files have been updated to reflect the new package name. However, it is important to verify that the pipeline is correctly publishing the renamed package to PyPI.
    • Action: Test the CI/CD pipeline in a staging environment to ensure the renamed package is published correctly.
  4. Versioning:

    • The PR does not specify whether the version of the renamed package will be updated. Since this is a breaking change, it would be appropriate to increment the major version number of the package.
    • Action: Ensure that the version number of agentmesh-runtime is incremented to reflect the breaking change.
  5. Communication Plan:

    • Given the scope of this change, it is important to communicate the rename to the user community.
    • Action: Consider adding a deprecation notice to the agent-runtime repository (if it exists) and updating any external documentation or references to the old package name.

Final Recommendation

  • Address the CRITICAL issues before merging this PR.
  • Consider the WARNING and SUGGESTION points to ensure a smooth transition for users and maintain backward compatibility where possible.
  • Once the above points are resolved, this PR can be merged.

@github-actions

🤖 AI Agent: docs-sync-checker — Issues Found

📝 Documentation Sync Report

Issues Found

  • ❌ No new public APIs were introduced in this PR, so no missing docstrings were found.
  • ⚠️ packages/agent-runtime/README.md — section regarding the package name should be updated to reflect the new name agentmesh-runtime.
  • ⚠️ CHANGELOG.md — no entry for the change of the package name from agent-runtime to agentmesh-runtime.
  • ⚠️ packages/agent-os/README.md — section regarding the package name should be updated to reflect the new name agentmesh-runtime.
  • ⚠️ packages/agent-compliance/README.md — section regarding the package name should be updated to reflect the new name agentmesh-runtime.

Suggestions

  • 💡 Update README sections in packages/agent-runtime/README.md, packages/agent-os/README.md, and packages/agent-compliance/README.md to mention the new package name agentmesh-runtime.
  • 💡 Add an entry in CHANGELOG.md to document the renaming of the package from agent-runtime to agentmesh-runtime.

If everything looks good, say ✅ Documentation is in sync.

@github-actions

🤖 AI Agent: security-scanner — Security Review of PR: Rename PyPI Package `agent-runtime` → `agentmesh-runtime`

Security Review of PR: Rename PyPI Package agent-runtime → agentmesh-runtime

This PR primarily renames the PyPI package agent-runtime to agentmesh-runtime across documentation, dependency declarations, and CI/CD pipelines. While the changes appear straightforward, a thorough security review is necessary given the critical nature of this repository.


Findings

1. Dependency Confusion Risk

Severity: 🔴 CRITICAL
Issue: The renaming of the package introduces a potential dependency confusion risk if agentmesh-runtime is not immediately registered on PyPI. An attacker could preemptively register this package name and upload malicious code.
Attack Vector: If a developer or CI/CD pipeline installs agentmesh-runtime before the official package is published, they could inadvertently execute malicious code.
Recommendation:

  • Immediately register the agentmesh-runtime package on PyPI, even if it is a placeholder, to prevent squatting.
  • Add a pre-merge check to verify that all renamed packages are registered on PyPI.
  • Use tools like pip-audit to ensure dependencies are resolved correctly.

2. Backward Compatibility Breakage

Severity: 🟠 HIGH
Issue: The renaming could break existing systems relying on agent-runtime. While this is not a direct security issue, it could lead to misconfigurations or unintentional use of outdated versions, which may lack security patches.
Attack Vector: Systems that fail to update to agentmesh-runtime might continue using agent-runtime, which could become unmaintained or vulnerable.
Recommendation:

  • Maintain a transitional alias for agent-runtime that forwards to agentmesh-runtime for a defined deprecation period.
  • Clearly document the migration path in the README and release notes.

3. Supply Chain Integrity

Severity: 🟡 MEDIUM
Issue: The PR does not include any updates to verify the integrity of the renamed package in CI/CD pipelines.
Attack Vector: If the CI/CD pipeline installs agentmesh-runtime without verifying its integrity (e.g., via hash pinning or signature verification), it could be compromised.
Recommendation:

  • Add hash pinning for agentmesh-runtime in CI/CD pipelines.
  • Use tools like pip-tools or poetry to lock dependencies and ensure reproducible builds.

4. Documentation Merge Conflicts

Severity: 🔵 LOW
Issue: There are unresolved merge conflict markers (<<<<<<<, =======, >>>>>>>) in several documentation files (e.g., QUICKSTART.md, README.md, docs/tutorials/README.md).
Attack Vector: While not a direct security issue, unresolved conflicts can lead to confusion and misconfiguration, potentially weakening security postures.
Recommendation:

  • Resolve all merge conflicts before merging the PR.
  • Add a CI check to fail builds if conflict markers are detected.

5. No Changes to Import Paths or Code Logic

Severity: 🔵 LOW
Issue: The PR does not modify any import paths or core logic, which is expected for a package rename. However, this should be explicitly verified to ensure no accidental changes were introduced.
Recommendation:

  • Perform a manual review of all modified files to confirm that no functional changes were made.
  • Add a test case to verify that the renamed package works as expected in downstream integrations.

Summary of Findings

| Finding | Severity | Action Required |
|---|---|---|
| Dependency confusion risk | 🔴 CRITICAL | Register agentmesh-runtime on PyPI immediately and add pre-merge checks. |
| Backward compatibility breakage | 🟠 HIGH | Maintain a transitional alias and document the migration path. |
| Supply chain integrity | 🟡 MEDIUM | Add hash pinning and integrity checks in CI/CD pipelines. |
| Documentation merge conflicts | 🔵 LOW | Resolve all merge conflicts before merging. |
| No changes to import paths or logic | 🔵 LOW | Verify no functional changes were introduced and add downstream integration tests. |

Final Recommendation

Do not merge this PR until the following actions are taken:

  1. Register agentmesh-runtime on PyPI to prevent dependency confusion.
  2. Resolve all merge conflicts in documentation files.
  3. Add CI/CD checks for dependency integrity and unresolved conflict markers.
  4. Document the migration path and consider maintaining a transitional alias for agent-runtime.

Once these issues are addressed, the PR can be safely merged.
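
An added example, not part of the bot's comment and not code from this PR or repository: a CI-style audit of a requirements file for the two dependency issues raised in the reviews above, a leftover reference to the old name (which resolves to another team's project) and a missing hash pin on the new one. It uses PEP 503 name normalization so that spellings such as `agent_runtime` are caught; the function names, sample contents, versions and digest placeholder are constructed for illustration.

```python
import re

OLD_NAME = "agent-runtime"      # per the PR: this PyPI name belongs to another project
NEW_NAME = "agentmesh-runtime"  # per the PR: the renamed distribution

def normalize(name: str) -> str:
    """PEP 503 normalization: pip treats agent_runtime and Agent.Runtime as agent-runtime."""
    return re.sub(r"[-_.]+", "-", name).lower()

def logical_lines(text: str):
    """Yield (first_line_no, line) with backslash continuations folded together."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def audit_requirements(text: str) -> list[tuple[int, str]]:
    """Flag requirements that still name OLD_NAME, or name NEW_NAME without a hash pin."""
    findings = []
    for no, line in logical_lines(text):
        line = re.sub(r"(^|\s)#.*$", "", line).strip()   # drop comments
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not match:                                    # blank line or option such as -r
            continue
        name = normalize(match.group(0))
        if name == normalize(OLD_NAME):
            findings.append((no, "stale-name"))
        elif name == normalize(NEW_NAME) and "--hash=sha256:" not in line:
            findings.append((no, "unpinned-hash"))
    return findings

# Constructed samples (versions and digest are placeholders, not from the repository).
BEFORE = r"""# runtime deps
agent_runtime>=1.0
Agent.Runtime[all]==1.0  # old name, other spelling
agentmesh-runtime==1.0
-r other.txt
"""
AFTER = r"""agentmesh-runtime==1.0 \
    --hash=sha256:PLACEHOLDER_DIGEST
"""

if __name__ == "__main__":
    for sample in (BEFORE, AFTER):
        print(audit_requirements(sample))
```

A non-empty result would fail the build; the line numbers point at the first physical line of each offending requirement.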

@imran-siddique imran-siddique deleted the fix/runtime-rename-rebase branch March 28, 2026 16:48
Development

Successfully merging this pull request may close these issues.

fix: PyPI name collision - agent-runtime is owned by AutoGen team

2 participants