
Releases: microsoft/agent-governance-toolkit

Agent Governance Toolkit v3.0.0 — Microsoft-Signed Public Preview

26 Mar 21:44
09fe829


Agent Governance Toolkit v2.3.0

26 Mar 04:15
bf5a529


Agent Governance Toolkit v2.3.0

Important

Community Preview Release — All packages published from this repository (PyPI, npm, NuGet)
are community preview releases for testing and evaluation purposes only. They are not
official Microsoft-signed releases. Official Microsoft-signed packages published via ESRP
Release will be available in a future release.

Plugin governance, developer tooling, and hardened security — 97 commits since v2.2.0.

This release introduces a full plugin governance layer (MCP server allowlist/blocklist, schema
adapters, trust tiers), developer-facing tooling (policy linter CLI, pre-commit hooks, GitHub
Actions action), runtime reliability primitives (event bus, task outcomes, graceful degradation,
budget policies), and 14 new tutorials. It also includes significant security hardening across the
entire codebase and two PyPI package renames to avoid namespace collisions.

🚀 What's New

Plugin Governance & MCP Server Controls

  • MCP server allowlist/blocklist — Enforces marketplace-level policies on which MCP servers
    plugins can use through MCPServerPolicy with allowlist/blocklist modes. Validates plugin
    manifests and rejects non-compliant plugins during registration (#425, #426, #434)
  • Plugin trust tiers — Classify plugins into trust levels (e.g., verified, community,
    untrusted) with tier-based policy enforcement (#434)
  • Plugin schema adapters — Auto-detects and adapts Copilot-style and Claude-style plugin
    manifest formats to the canonical PluginManifest schema, enabling multi-format plugin
    support with capability extraction (#424, #429, #433)
  • Batch plugin evaluation — Evaluate multiple plugins against governance policies in a single
    call for marketplace-scale validation (#429, #433)
  • Reference integration example — Complete example showing plugin marketplace governance
    integration end-to-end (#427, #435)
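To make the allowlist/blocklist mechanics above concrete, here is an added example that is not the toolkit's own code: it normalises two constructed manifest dialects into one canonical shape, checks the MCP servers each plugin references against a policy in either mode, and rejects non-compliant or unparseable manifests at registration time in one batch call. MCPServerPolicy, PluginManifest and the manifest shapes are simplified hypothetical stand-ins, not the toolkit's classes or the real Copilot/Claude schemas.

```python
# Added example, not the toolkit's code: allowlist/blocklist enforcement of the
# MCP servers a plugin manifest references. MCPServerPolicy, PluginManifest and
# the two manifest dialects are hypothetical, simplified stand-ins.
from dataclasses import dataclass, field


@dataclass
class PluginManifest:
    """Canonical manifest that every adapter normalises into."""
    name: str
    mcp_servers: list
    capabilities: list = field(default_factory=list)


def adapt_manifest(raw: dict) -> PluginManifest:
    """Detect the dialect and normalise it (constructed shapes):
    Copilot-style: {"name", "mcpServers": {server_name: {...}}}
    Claude-style:  {"name", "mcp_servers": [{"name": server_name}, ...]}"""
    if "mcpServers" in raw:        # mapping keyed by server name
        servers, caps = sorted(raw["mcpServers"]), raw.get("capabilities", [])
    elif "mcp_servers" in raw:     # list of server objects
        servers = sorted(s["name"] for s in raw["mcp_servers"])
        caps = raw.get("permissions", [])
    else:
        raise ValueError("unrecognised plugin manifest format")
    return PluginManifest(raw["name"], servers, list(caps))


@dataclass
class MCPServerPolicy:
    mode: str                  # "allowlist" or "blocklist"
    servers: frozenset

    def evaluate(self, m: PluginManifest) -> tuple:
        """Return (compliant, reasons). Allowlist: every referenced server must
        be listed. Blocklist: no referenced server may be listed."""
        if self.mode == "allowlist":
            bad = [s for s in m.mcp_servers if s not in self.servers]
            reasons = [f"{m.name}: MCP server '{s}' not on allowlist" for s in bad]
        elif self.mode == "blocklist":
            bad = [s for s in m.mcp_servers if s in self.servers]
            reasons = [f"{m.name}: MCP server '{s}' is blocklisted" for s in bad]
        else:
            raise ValueError(f"unknown policy mode {self.mode!r}")
        return (not bad, reasons)


def register_plugins(policy: MCPServerPolicy, raw_manifests: list) -> dict:
    """Batch evaluation at registration: {plugin name: (accepted, reasons)}.
    A manifest that cannot be adapted is rejected, never silently accepted."""
    results = {}
    for raw in raw_manifests:
        try:
            m = adapt_manifest(raw)
        except (ValueError, KeyError) as exc:
            results[raw.get("name", "<unnamed>")] = (False, [f"manifest rejected: {exc}"])
            continue
        results[m.name] = policy.evaluate(m)
    return results


# Constructed sample manifests and policies (not from any real marketplace).
SAMPLE_MANIFESTS = [
    {"name": "docs-helper", "mcpServers": {"filesystem": {}, "github": {}}},
    {"name": "chatty", "mcp_servers": [{"name": "slack"}, {"name": "shell"}]},
    {"name": "odd-one", "plugins": []},          # unrecognised dialect
]
ALLOW = MCPServerPolicy("allowlist", frozenset({"filesystem", "github", "slack"}))
BLOCK = MCPServerPolicy("blocklist", frozenset({"shell"}))
```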

Developer Tooling

  • Governance policy linter CLI — New agent-compliance lint-policy <path> command validates
    YAML policy files for required fields, unknown operators/actions, deprecated names, and
    conflicting rules with JSON/text output options (#404, #432)
  • Pre-commit hooks — Two new hooks for local development: validate-plugin-manifest (checks
    plugin.json schema compliance) and evaluate-plugin-policy (evaluates manifests against
    governance policies before commit) (#428, #431)
  • GitHub Actions action — Composite action at action/action.yml wrapping governance
    verification commands (governance-verify, marketplace-verify, policy-evaluate, all)
    with configurable inputs, structured outputs, and support for plugin marketplace PR
    workflows (#423, #430)
  • JSON schema validation — Governance policy files are now validated against a formal JSON
    schema, catching structural errors before runtime (#305, #367)

Runtime Reliability & Observability

  • Event bus — Cross-gate publish/subscribe system (GovernanceEventBus) enabling loose
    coupling between governance gates (PolicyEvaluator, TrustGate, CircuitBreaker) with standard
    event types for policy violations, trust changes, circuit state, and budget overages
    (#398, #415)
  • Task outcomes — TaskOutcomeRecorder tracks agent task successes/failures with
    severity-based scoring, diminishing returns on success boosts, time-based score recovery,
    and per-agent trust state management (#396, #415)
  • Diff policy — Evaluate only the delta between previous and current policy state to reduce
    overhead on incremental policy updates (#395, #415)
  • Sandbox provider — Pluggable sandbox provider abstraction for swapping isolation backends
    (#394, #415)
  • Graceful degradation — agent_os.compat module provides no-op fallbacks
    (NoOpPolicyEvaluator, NoOpGovernanceMiddleware) allowing consumers to optionally depend
    on the toolkit without try/except boilerplate (#410, #414)
  • Budget policies — BudgetPolicy dataclass defines resource consumption limits (max tokens,
    tool calls, cost, duration) with BudgetTracker for monitoring usage and detecting overages
    with detailed violation reasons (#409, #414)
  • Audit logger — Structured audit logging for governance decisions with pluggable backends
    (#400, #414)
  • Policy evaluation heatmap — Visual heatmap added to the SRE dashboard showing policy
    evaluation patterns and hotspots (#309, #326)
  • Compliance grading — compliance_grade() method added to GovernanceAttestation for
    calculating compliance scores (#346)

Tutorials & Learning Paths

  • 14 new tutorials (07–20) — Launch-ready tutorials covering all toolkit features including
    plugin governance, budget policies, event bus, graceful degradation, MCP server controls,
    and more
  • Tutorials landing page — New README with structured learning paths guiding users from
    beginner to advanced topics (#422)

CI/CD & ESRP

  • PR review orchestrator — Collapses multiple agent review comments into a single unified
    summary on pull requests (#345)
  • Dependency confusion pre-commit hook — Detects unregistered package names before commit,
    plus weekly CI audit job (#350)
  • Markdown link checker — CI workflow to catch broken links in documentation (#323)
  • ESRP NuGet signing — Updated NuGet signing config with Client ID and Key Vault
    integration (#359, #361, #363, #365)

⚠️ Breaking Changes

PyPI Package Renames

Two PyPI packages have been renamed to avoid namespace collisions:

Old Name           New Name               Reason
agent-runtime      agentmesh-runtime      Name collision with AutoGen team's agent-runtime package (#444)
agent-marketplace  agentmesh-marketplace  Consistent agentmesh namespace alignment (#439)

Migration: Update your requirements.txt or pyproject.toml:

- agent-runtime
+ agentmesh-runtime

- agent-marketplace
+ agentmesh-marketplace

🔒 Security

  • Fork RCE hardening — Hardened pull_request_target workflows against fork-based remote
    code execution [MSRC-111178] (#353)
  • Dependency confusion — Comprehensive remediation across the entire codebase: replaced all
    unregistered PyPI package names, added weekly audit CI, added pre-commit detection hook
    (#325, #328, #349, #350, #351, #352)
  • MD5 → SHA-256 migration — All cryptographic hash usage migrated from MD5 to SHA-256
    (#349, #351)
  • ESRP secrets — Moved all ESRP configuration values to pipeline secrets (#370)
  • Maintainer approval enforcement — All external PRs now require maintainer approval (#392)
  • SECURITY.md — Added security policy files to all packages (#354)
  • LangChain crypto hardening — Hardened cryptographic fallback in LangChain integration (#354)
  • 24 security findings addressed — Comprehensive sweep across codebase (#303)
  • Agent sandbox escape hardening — Strengthened isolation boundaries against escape
    vectors (#297)
  • OWASP Agentic AI hardening — Proactive hardening against OWASP Agentic AI Top 10
    themes
  • 47 negative security tests — Adversarial scenario test suite added
  • 101 additional tests — CA security, MCP integration, and audit stub coverage
  • OpenSSF Scorecard fixes — Dangerous-workflow, signed-releases, and pinned-deps
    improvements (#356)

🐛 Bug Fixes

  • Corrected license reference in AgentMesh README from Apache 2.0 to MIT (#436)
  • Hardcoded service connection name in ESRP pipelines (ADO compile-time requirement) (#421)
  • ESRP pipeline fixes for each directive syntax in Verify stages and ESRP_CERT_IDENTIFIER
    secret usage
  • Fixed .NET GovernanceMetrics test isolation — flush listener before baseline assertion (#417)
  • Fixed dependency confusion + pydantic dependency issues (#411, #412)
  • Followup cleanup for recently merged community PRs (#393)
  • Bumped cryptography package, migrated PyPDF2 → pypdf, scoped workflow permissions (#355)
  • Filled community PR gaps — replaced bare excepts, print → logging, added py.typed
    markers, LICENSE fixes (#344)
  • Improved CLI error messages in register and policy commands (#314)
  • SagaStep.MaxRetries rename + behavioral fault injection + lint fix (#295)
  • Pre-announcement security hardening and demo improvements (#296)
  • Restored read-all at workflow level for Scorecard verification (#327)
  • Reverted unsafe merged PRs #357 and #362 (#391)

📚 Documentation

  • Added copilot-instructions.md with PR review checklist (#413)
  • Standardized package README badges across all packages (#373)
  • Added README files to example directories and skill integrations (#371, #372, #390)
  • Added requirements files for example directories (#372)
  • Refreshed all design proposals — updated status, added 5 new proposals (#348)
  • Added inline comments to Helm chart values.yaml (#341)
  • Updated framework integration star counts to current values (#329)
  • Added comprehensive docstrings to mcp_adapter.py classes (#324)
  • Added testing guide for external testers and customers (#313)
  • Added integration author guide for contributors (#311)

📦 Dependencies

GitHub Actions

Package                             From    To
actions/attest-sbom                 2.2.0   4.1.0
actions/attest-build-provenance     2.4.0   4.1.0
actions/github-script               7.0.1   8.0.0
actions/setup-node                  4.4.0   6.3.0
actions/stale                       9.1.0   10.2.0
actions/upload-artifact             4.6.2   7.0.0
anchore/sbom-action                 0.23.1  0.24.0
ossf/scorecard-action               2.4.0   2.4.3
sigstore/gh-action-sigstore-python  3.0.0   3.2.0

npm Dev Dependencies

  • Bumped eslint (#387)
  • Bumped typescript (#385, #386)
  • Bumped yaml (#384)
  • Bumped @typescript-eslint/eslint-plugin (#381, #292)
    ...

Agent Governance Toolkit v2.2.0

18 Mar 22:39


Agent Governance Toolkit v2.2.0

Important

Community Preview Release — All packages published from this repository (PyPI, npm, NuGet)
are community preview releases for testing and evaluation purposes only. They are not
official Microsoft-signed releases. Official Microsoft-signed packages published via ESRP
Release will be available in a future release.

What's New

ESRP Release Publishing Infrastructure

This release establishes the compliant publishing infrastructure required for future official
Microsoft-signed package releases:

  • PyPI publishing migrated from GitHub Actions Trusted Publishers to Azure DevOps pipeline
    using EsrpRelease@11 (pipelines/pypi-publish.yml)
  • npm publishing pipeline created using EsrpRelease@11 with @microsoft scope
    (pipelines/npm-publish.yml)
  • GitHub Actions (publish.yml) now builds and attests packages only — actual publishing
    is done exclusively through ESRP Release ADO pipelines

Package Metadata Compliance

All package metadata has been updated to align with Microsoft Python team and npm publishing
policies:

Python (PyPI) — 7 packages:

  • Author updated to Microsoft Corporation with team distribution list email
  • Agent Governance Toolkit Team added as maintainer across all packages
  • License classifier (License :: OSI Approved :: MIT License) added where missing
  • Community Edition prefix added to all package descriptions
  • agent-runtime build fixed (proper re-export wrapper for agent-hypervisor)

npm — 7 packages:

  • All scoped packages renamed to @microsoft (from @agentmesh, @agent-os, unscoped)
  • Author set to Microsoft Corporation across all packages
  • License corrected to MIT where mismatched (2 packages had Apache-2.0)
  • Repository URLs corrected to microsoft/agent-governance-toolkit
  • Community Edition prefix added to all package descriptions

NuGet — 1 package:

  • Existing ESRP signing configuration retained

Community Preview Disclaimers

Prominent disclaimers have been added to all user-facing documentation:

  • Root README, CHANGELOG, PUBLISHING guide
  • All 7 Python package READMEs
  • All 3 npm package READMEs with user docs
  • Both release notes (v1.0.0 and v2.1.0)
  • PyPI and npm package descriptions (visible on registry pages)

Publishing Documentation

  • New PUBLISHING.md at repo root — public-facing guide covering PyPI, npm, and NuGet
    publishing requirements, metadata standards, and naming conventions
  • ADO pipeline configurations with placeholder ESRP values ready for onboarding

Packages

Python (PyPI)

Package                   Version  Status
agent-os-kernel           2.2.0    Community Preview
agentmesh-platform        2.2.0    Community Preview
agent-hypervisor          2.2.0    Community Preview
agent-runtime             2.2.0    Community Preview
agent-sre                 2.2.0    Community Preview
agent-governance-toolkit  2.2.0    Community Preview
agent-lightning           2.2.0    Community Preview

npm

Package                                  Version  Status
@microsoft/agentmesh-sdk                 1.0.0    Community Preview
@microsoft/agentmesh-mcp-proxy           1.0.0    Community Preview
@microsoft/agentos-mcp-server            1.0.1    Community Preview
@microsoft/agentmesh-copilot-governance  0.1.0    Community Preview
@microsoft/agentmesh-mastra              0.1.0    Community Preview
@microsoft/agentmesh-api                 0.1.0    Community Preview
@microsoft/agent-os-copilot-extension    1.0.0    Community Preview

NuGet

Package                    Version  Status
Microsoft.AgentGovernance  2.2.0    Community Preview

What's Coming

  • Official Microsoft-signed releases via ESRP Release (pending onboarding approval)
  • PyPI package ownership transfer to microsoft account
  • npm @microsoft scope activation via ESRP
  • NuGet Authenticode + NuGet package signing

Full Changelog

See CHANGELOG.md for the complete list of changes.

v2.1.0 — Multi-Language SDK Readiness + TypeScript Parity

15 Mar 21:19


Agent Governance Toolkit v2.1.0

The missing security layer for AI agents — now in Python, TypeScript, and .NET.

Runtime policy enforcement, zero-trust identity, execution sandboxing, and SRE — 10/10 OWASP Agentic Top 10 coverage with 6,100+ tests across three languages.

🚀 What's New

Multi-Language SDK Readiness

The toolkit is now a polyglot governance layer. All three SDKs have first-class install instructions, quickstart code, and package metadata ready for registry publishing.

Language    Package                    Install
Python      agent-governance[full]     pip install agent-governance[full]
TypeScript  @agentmesh/sdk             npm install @agentmesh/sdk
.NET        Microsoft.AgentGovernance  dotnet add package Microsoft.AgentGovernance

TypeScript SDK Full Parity (1.0.0)

The TypeScript SDK now has full feature parity with the Python PolicyEngine and AgentIdentity:

  • PolicyEngine — rich policy evaluation with 4 conflict resolution strategies, expression evaluator (equality, inequality, numeric, in/not-in, boolean, and/or, nested paths), rate limiting, YAML/JSON policy document loading
  • AgentIdentity — Ed25519 cryptographic identity with lifecycle management (active/suspended/revoked), capability wildcards, delegation chains, JWK/JWKS import/export, W3C DID Document export
  • IdentityRegistry — agent registry with cascade revocation
  • PolicyConflictResolver — 4 strategies: deny-overrides, allow-overrides, priority-first-match, most-specific-wins
  • 136 tests passing (57 existing + 79 new parity tests)

.NET SDK Hardened for NuGet

Enhanced NuGet package metadata — authors, license, repository URL, package tags, and readme now included in the .csproj. The .NET SDK covers all 10 OWASP Agentic risks with policy enforcement, execution rings, saga orchestration, circuit breakers, SLO tracking, prompt injection detection, and OpenTelemetry metrics.

Framework Integrations Expanded

Now supports 13+ agent frameworks including new entries:

  • Semantic Kernel — Native (.NET + Python) integration
  • Azure AI Foundry — Deployment guide for agent governance in Foundry Agent Service

Plus existing integrations: Microsoft Agent Framework, LangChain, LangGraph, CrewAI, AutoGen, OpenAI Agents SDK, Google ADK, Dify, LlamaIndex, Haystack.

Performance Benchmarks Published

Metric                             Latency (p50)  Throughput
Policy evaluation (1 rule)         0.012 ms       72K ops/sec
Policy evaluation (100 rules)      0.029 ms       31K ops/sec
Kernel enforcement                 0.091 ms       9.3K ops/sec
Concurrent throughput (50 agents)                 35,481 ops/sec

Full methodology: BENCHMARKS.md

Key Changes Since v1.1.0

Added

  • TypeScript SDK full parity — PolicyEngine + Identity + 136 tests (#269)
  • 5 standalone framework quickstarts — LangChain, CrewAI, AutoGen, OpenAI Agents, Google ADK
  • Competitive comparison page — vs NeMo Guardrails, Guardrails AI, LiteLLM, Portkey
  • GitHub Copilot Extension for agent governance code review
  • Observability integrations — Prometheus, OTel, PagerDuty, Grafana (#49)
  • NIST RFI mapping — NIST AI Agent Security RFI 2026-00206 (#29)
  • 6 comprehensive governance tutorials (#187)
  • Azure deployment guides — AKS, AI Foundry, Container Apps, OpenClaw

Fixed

  • CostGuard input validation + org kill bypass prevention (#272)
  • CostGuard thread safety — bound breach history + Lock (#253)
  • .NET bug sweep — thread safety, error surfacing, caching, disposal (#252)
  • Behavioral anomaly detection in RingBreachDetector
  • ErrorBudget._events bounded with deque (#172)
  • VectorClock thread safety (#243)
  • Cross-package import errors (#222)
  • OWASP-COMPLIANCE.md broken link (#270)

Infrastructure

  • Architecture rename propagated across 52 files (#221)
  • OpenSSF Scorecard improved to ~7.7 (#113, #137)
  • agentmesh-integrations migrated into monorepo (#138)
  • Phase 2 + Phase 3 architecture consolidation (#206, #207)

Security & Compliance

Framework Coverage
Framework                    Coverage
OWASP Agentic Top 10 (2026)  10/10 risks
CSA Agentic Trust Framework  15/15 requirements
NIST AI RMF                  Govern, Map, Measure, Manage
EU AI Act                    Risk classification, audit trails, human oversight

Quick Start

# Python
pip install agent-governance[full]

# TypeScript
npm install @agentmesh/sdk

# .NET
dotnet add package Microsoft.AgentGovernance

from agent_os import PolicyEngine, CapabilityModel

engine = PolicyEngine(capabilities=CapabilityModel(
    allowed_tools=["web_search", "file_read"],
    denied_tools=["file_write", "shell_exec"],
))
decision = engine.evaluate(agent_id="researcher-1", action="tool_call", tool="web_search")

Full Changelog

See CHANGELOG.md for the complete list of changes.

License

MIT — © Microsoft Corporation

v1.1.0 — Enterprise Hardening Release

08 Mar 03:25


Agent Governance Toolkit v1.1.0 — Enterprise Hardening Release

Security First

This toolkit now covers 10/10 OWASP Agentic Security Initiative (ASI) 2026 controls — verified by an automated certification CLI that produces a signed attestation on every deployment. Run agent-compliance verify and get a machine-readable proof.

The threat model this release addresses:

Threat                                 Defense                                                                      Verified
Prompt injection smuggling tool calls  PolicyInterceptor + LlamaFirewall + OutputValidationMiddleware               ✅ ASI-01
Tool renaming to bypass allowlists     ToolAliasRegistry — 30+ aliases across 7 canonical families                  ✅ ASI-02
Excessive agent autonomy               GovernancePolicy with capability caps + token budgets                        ✅ ASI-03
Unauthorized privilege escalation      EscalationPolicy with ESCALATE tier + human approval queues                  ✅ ASI-04
Trust boundary violation               CardRegistry with RevocationList + Ed25519 identity mesh                     ✅ ASI-05
Insufficient audit logging             AuditChain with Ed25519 signatures + hash-chain tamper detection             ✅ ASI-06
Insecure agent identity                AgentIdentity with SPIFFE DIDs + key rotation                                ✅ ASI-07
Policy conflict bypass                 4-strategy conflict resolver (DENY_OVERRIDES, MOST_SPECIFIC_WINS, ...)       ✅ ASI-08
Supply chain tampering                 IntegrityVerifier — SHA-256 module hashing + function bytecode verification  ✅ ASI-09
Behavioral anomaly (rogue agents)      Statistical anomaly detection on tool call frequency + error rates           ✅ ASI-10

Bootstrap integrity: The governance layer verifies its own integrity at startup — hashing 15 module source files and 4 critical enforcement function bytecodes against a published manifest. A supply chain attack on the toolkit itself is detectable before any policy evaluation occurs.
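As an added illustration of the bootstrap integrity technique described above (not the toolkit's IntegrityVerifier), the following Python builds a manifest of SHA-256 digests over module source files and over the bytecode of critical enforcement functions, then recomputes both and reports any drift, treating a missing file or function as a failure rather than a pass. The module file, the enforcement function and the manifest layout are constructed for the demo.

```python
# Added example, not the toolkit's IntegrityVerifier: a manifest of SHA-256
# digests over module source files and over the bytecode of critical
# enforcement functions, recomputed at startup. The module file, the
# enforcement function and the manifest layout are constructed for the demo.
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def function_bytecode_digest(fn) -> str:
    """Hash bytecode plus constants and names so an edited body or a swapped
    constant changes the digest. Bytecode is interpreter-version specific, so
    the manifest must be generated with the same Python that verifies it."""
    code = fn.__code__
    h = hashlib.sha256(code.co_code)
    h.update(repr(code.co_consts).encode())
    h.update(repr(code.co_names).encode())
    return h.hexdigest()

def generate_manifest(module_paths, functions) -> dict:
    return {
        "modules": {p: sha256_file(p) for p in module_paths},
        "functions": {f.__qualname__: function_bytecode_digest(f) for f in functions},
    }

def verify_manifest(manifest: dict, functions) -> list:
    """Return the list of mismatches; empty means integrity holds. A missing
    file or function is a mismatch, not a pass."""
    problems = []
    for path, expected in manifest["modules"].items():
        try:
            actual = sha256_file(path)
        except OSError:
            problems.append(f"module missing: {path}")
            continue
        if actual != expected:
            problems.append(f"module modified: {path}")
    by_name = {f.__qualname__: f for f in functions}
    for name, expected in manifest["functions"].items():
        fn = by_name.get(name)
        if fn is None:
            problems.append(f"function missing: {name}")
        elif function_bytecode_digest(fn) != expected:
            problems.append(f"function bytecode modified: {name}")
    return problems

def deny_by_default(tool: str, allowed: frozenset) -> bool:
    """Constructed stand-in for a critical enforcement function."""
    return tool in allowed

def demo() -> tuple:
    """Build a manifest over a throwaway module, verify it clean, then tamper
    with the file and verify again: returns (clean_problems, tampered_problems)."""
    path = os.path.join(tempfile.mkdtemp(), "policy_gate.py")
    with open(path, "w") as f:
        f.write("ALLOW_ALL = False\n")
    manifest = generate_manifest([path], [deny_by_default])
    clean = verify_manifest(manifest, [deny_by_default])
    with open(path, "w") as f:
        f.write("ALLOW_ALL = True\n")       # simulated tampering
    return clean, verify_manifest(manifest, [deny_by_default])
```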

339+ tests. Not smoke tests — adversarial tests. Tamper detection, policy bypass attempts, synonym evasion, mid-session mutation, trust score crash recovery.


What Changed Since v1.0.1

15 issues closed · 339+ tests added · 12 features shipped in 72 hours.

Security & Adversarial Durability

  • Policy conflict resolution — 4 strategies: DENY_OVERRIDES, ALLOW_OVERRIDES, PRIORITY_FIRST_MATCH, MOST_SPECIFIC_WINS with 3-tier scope (global → tenant → agent) and auditable resolution trace (#91)
  • Session policy pinning — Deep-copy snapshots prevent mid-flight policy mutations from leaking into running sessions (#92)
  • Tool alias registry — Canonical capability mapping blocks bing_search from dodging a web_search policy (#94)
  • Human-in-the-loop escalation — Suspend-and-route-to-human for regulated industries (#81)
  • Bootstrap integrity verification — Module + bytecode hashing against published manifest (#95)
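An added example, not the project's code, showing the first three items above together under hypothetical names: an alias map that canonicalises tool names before matching (so bing_search is governed by a web_search rule), a resolver implementing the four strategies over global/tenant/agent scopes with a short resolution trace, and a session that pins a deep copy of the rule set so later edits to the live rules do not leak into it. The rules and aliases are constructed.

```python
# Added example, not the toolkit's code: alias canonicalisation, the four
# conflict-resolution strategies over global/tenant/agent scopes with a
# resolution trace, and session policy pinning via deep copy. All names,
# rules and aliases here are constructed stand-ins.
from copy import deepcopy
from dataclasses import dataclass

SCOPE_RANK = {"global": 0, "tenant": 1, "agent": 2}     # higher = more specific

# Hypothetical alias registry: synonyms mapped onto one canonical capability,
# so a rule on web_search also governs bing_search.
TOOL_ALIASES = {
    "bing_search": "web_search", "google_search": "web_search",
    "bash": "shell_exec", "run_command": "shell_exec",
}

def canonical_tool(name: str) -> str:
    return TOOL_ALIASES.get(name.lower(), name.lower())


@dataclass(frozen=True)
class Rule:
    tool: str
    decision: str       # "allow" or "deny"
    scope: str          # "global" | "tenant" | "agent"
    priority: int = 0


def resolve(rules, tool: str, strategy: str) -> tuple:
    """Return (decision, trace). Matching is on the canonical tool name;
    with no matching rule the answer is deny."""
    tool = canonical_tool(tool)
    hits = [r for r in rules if canonical_tool(r.tool) == tool]
    trace = [f"{len(hits)} rule(s) match '{tool}' under {strategy}"]
    if not hits:
        trace.append("no matching rule: default deny")
        return "deny", trace
    if strategy == "DENY_OVERRIDES":
        winner = next((r for r in hits if r.decision == "deny"), hits[0])
    elif strategy == "ALLOW_OVERRIDES":
        winner = next((r for r in hits if r.decision == "allow"), hits[0])
    elif strategy == "PRIORITY_FIRST_MATCH":
        winner = max(hits, key=lambda r: r.priority)
    elif strategy == "MOST_SPECIFIC_WINS":
        winner = max(hits, key=lambda r: SCOPE_RANK[r.scope])
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    trace.append(f"winner: {winner.scope}-scope {winner.decision} (priority {winner.priority})")
    return winner.decision, trace


class Session:
    """Pins a deep copy of the rule set at start, so edits to the live list
    after that point cannot change this session's decisions."""
    def __init__(self, live_rules, strategy: str):
        self.rules = deepcopy(live_rules)
        self.strategy = strategy

    def check(self, tool: str) -> str:
        return resolve(self.rules, tool, self.strategy)[0]


# Constructed rule set: the tenant allows web search, the agent rule denies it,
# and shell execution is denied globally.
RULES = [
    Rule("web_search", "allow", "tenant", priority=5),
    Rule("web_search", "deny", "agent", priority=1),
    Rule("shell_exec", "deny", "global", priority=9),
]
```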

Reliability & Operations

  • Version compatibility matrix — doctor() detects silent inter-package version skew (#83)
  • Credential lifecycle — RevocationList wired into CardRegistry.is_verified() (#82)
  • File-backed trust persistence — Atomic JSON writes, survives restarts (#86)
  • Policy schema versioning — apiVersion field with migration + deprecation warnings (#87)

Governance Certification CLI

agent-compliance verify           # OWASP ASI 2026 check → signed attestation
agent-compliance verify --json    # Machine-readable for CI pipelines
agent-compliance verify --badge   # Shields.io badge for your README
agent-compliance integrity --generate integrity.json  # Baseline manifest

Deep Governance (PR #90)

  • SIGKILL-analog process isolation (#77)
  • OpenTelemetry observability (#76)
  • Async concurrency safety (#75)
  • Policy-as-code CI pipeline (#74)
  • LangChain/CrewAI/AutoGen deep integrations (#73)
  • Ed25519-signed audit trail (#72)
  • Behavioral anomaly detection (#71)

Infrastructure

  • 7 production module ports (25,400+ lines) (#63–#69)
  • 44 CodeQL scanning alerts resolved (#79)
  • Copilot auto-review on all PRs (#70)

Install

pip install ai-agent-compliance[full]

v1.2 Roadmap

4 architectural items tracked for the next release:

  • #80 — .NET SDK support
  • #84 — XACML/Cedar policy interchange
  • #88 — Behavioral chaos testing (deadlocks, contradictory instructions)
  • #93 — Cross-organizational federation governance

Full changelog: CHANGELOG.md

v1.0.1 — First Public Release

06 Mar 21:29


Agent Governance Toolkit v1.0.1 — First Public Release

Added

  • CODEOWNERS for review routing
  • SBOM workflow — SPDX-JSON + CycloneDX-JSON on every release with GitHub attestation

Changed

  • MIT license headers on 1,159 source files
  • 215 URLs migrated to microsoft/ org
  • Enhanced README, bumped all packages to 1.0.1

Security

  • Clean secret scan, 0 pip-audit vulnerabilities, all prior CVEs resolved

Install

pip install ai-agent-compliance[full]

v1.0.0 — Initial Release

04 Mar 22:01


What's Changed

  • Adding Microsoft SECURITY.MD by @microsoft-github-policy-service[bot] in #2

New Contributors

  • @microsoft-github-policy-service[bot] made their first contribution in #2

Full Changelog: https://github.com/microsoft/agent-governance-toolkit/commits/v1.0.0