feat: add AgentMesh component container images and GHCR publishing by imran-siddique · Pull Request #1192 · microsoft/agent-governance-toolkit

imran-siddique · 2026-04-17T03:30:19Z

Summary

Add FastAPI server entrypoints, Dockerfiles, and GHCR publishing workflow for all four AgentMesh components that were referenced in the Helm chart but never had actual container images.

Components

Component	Port	Description
trust-engine	8443	Agent identity verification, IATP handshakes
policy-server	8444	Governance policy evaluation from YAML/JSON
audit-collector	8445	Merkle-chained audit logging with FileAuditSink persistence
api-gateway	8446	Reverse proxy with per-agent rate limiting

What's Included

6 new Python modules in \packages/agent-mesh/src/agentmesh/server/\
Single Dockerfile with \COMPONENT\ build arg (non-root user, tini, health checks)
GitHub Actions workflow (.github/workflows/publish-containers.yml) for GHCR publishing with multi-arch (amd64/arm64), provenance attestation
Helm chart updated — image repos now point to \ghcr.io/microsoft/agentmesh/*\
28 integration tests covering all server endpoints

Motivation

These images were referenced in the Helm chart (\�alues.yaml) but had no Dockerfiles, no published images, and no server entrypoints. Users trying to deploy the full AgentMesh cluster (not just sidecar mode) couldn't proceed. This unblocks full cluster deployment.

…CP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(pipeline): run NuGet ESRP signing on Windows agent (#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs #1017 and #1020 (#1125) PRs #1017 and #1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR #1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR #1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>

Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Two CI failures on main: 1. lint (agent-compliance): W293/W292 trailing whitespace and missing newlines in agt.py and verify.py — fixed. 2. dependency-scan: pi-mono-agentmesh references unregistered npm packages — removed entire pi-mono integration that was merged from draft PR #970 without proper review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add FastAPI server entrypoints for all four AgentMesh components: - trust-engine (port 8443): Agent identity verification, IATP handshakes - policy-server (port 8444): Governance policy evaluation from YAML/JSON - audit-collector (port 8445): Merkle-chained audit logging with persistence - api-gateway (port 8446): Reverse proxy with per-agent rate limiting Infrastructure: - Single Dockerfile with COMPONENT build arg (non-root, tini, health checks) - GitHub Actions workflow for GHCR publishing (multi-arch amd64/arm64) - Helm chart updated to reference ghcr.io/microsoft/agentmesh/* images - 28 integration tests covering all server endpoints Resolves the missing container images that blocked full AgentMesh cluster deployment (images were referenced in Helm chart but never built). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions · 2026-04-17T03:30:42Z

🤖 AI Agent: docs-sync-checker — Issues Found

📝 Documentation Sync Report

Issues Found

❌ New public APIs without docstrings:
- packages/agent-mesh/src/agentmesh/server/ — The 6 new Python modules added in this PR do not appear to have any docstrings for their public functions, classes, or methods. These should include explanations of purpose, parameters, return values, and exceptions.
⚠️ README sections out of date:
- packages/agent-mesh/README.md — The README does not mention the new container images, FastAPI server entrypoints, or the updated Helm chart configuration. These updates should be documented to reflect the new functionality.
⚠️ CHANGELOG missing entries:
- CHANGELOG.md — There is no entry for the addition of the AgentMesh container images, FastAPI server entrypoints, or the GitHub Actions workflow for GHCR publishing. These are significant changes and should be documented in the changelog.
⚠️ Example code outdated:
- The example code in packages/agent-governance-dotnet/src/AgentGovernance/ has been updated to use the new did:agentmesh:* format for decentralized identifiers (DIDs). However, there is no indication that corresponding updates have been made to example code in other SDKs or in the examples/ directory. This should be verified and updated for consistency.
⚠️ Type hints:
- The new Python modules in packages/agent-mesh/src/agentmesh/server/ do not appear to have complete type annotations for their public APIs. Type hints should be added to ensure clarity and maintainability.

Suggestions

💡 Add docstrings for all public functions, classes, and methods in the new Python modules under packages/agent-mesh/src/agentmesh/server/.
💡 Update packages/agent-mesh/README.md to include:
- Details about the new container images and their purposes.
- Instructions for using the FastAPI server entrypoints.
- Information on the updated Helm chart configuration.
💡 Add an entry to CHANGELOG.md summarizing:
- The addition of AgentMesh container images.
- The new FastAPI server entrypoints.
- The GitHub Actions workflow for GHCR publishing.
💡 Verify and update example code in the examples/ directory and other SDKs to reflect the new did:agentmesh:* format for DIDs.
💡 Add type hints to all public APIs in the new Python modules.

Additional Notes

The updates to the docs/FAQ.md, docs/LIMITATIONS.md, and docs/THREAT_MODEL.md files are thorough and align with the changes introduced in this PR.
The version bump in AgentGovernance.csproj from 3.1.0 to 3.2.0 is appropriate given the changes to the .NET SDK.

Conclusion

The PR introduces significant new functionality and updates to the repository. However, there are several documentation and type hinting issues that need to be addressed before the documentation can be considered fully in sync.

Please address the issues and suggestions listed above to ensure the repository remains well-documented and maintainable.

github-actions · 2026-04-17T03:30:42Z

🤖 AI Agent: breaking-change-detector — Summary

🔍 API Compatibility Report

Summary

This pull request primarily introduces new components, container images, and publishing workflows for the AgentMesh system. While the changes are extensive, they do not appear to introduce breaking changes to the existing Python APIs. The modifications to the .NET SDK involve updates to the DID format (did:mesh:* → did:agentmesh:*), which may impact downstream users relying on the old format. However, this change is not directly related to the Python packages published to PyPI.

Findings

Severity	Package	Change	Impact
🔵	agent-mesh	Addition of FastAPI server entrypoints	New functionality, no breaking changes
🔵	agent-mesh	Addition of Dockerfiles and GHCR publishing workflow	Infrastructure addition, no API impact
🔵	agent-compliance	Minor formatting fixes (e.g., newline removal)	No functional impact
🔵	agent-governance-dotnet	DID format changed from `did:mesh:` to `did:agentmesh:`	Potential impact on .NET SDK users, unrelated to Python APIs

Migration Guide

For .NET SDK Users:

Update any code or configurations that rely on the old DID format (did:mesh:*) to use the new format (did:agentmesh:*).
Ensure any cross-SDK integrations account for the DID format change.

Conclusion

✅ No breaking changes detected for Python packages published to PyPI.

github-actions · 2026-04-17T03:30:45Z

🤖 AI Agent: test-generator — `packages/agent-compliance/src/agent_compliance/cli/agt.py`

🧪 Test Coverage Analysis

`packages/agent-compliance/src/agent_compliance/cli/agt.py`

✅ Existing coverage: Basic CLI functionality and argument parsing are likely covered by existing tests in tests/agent_compliance/cli/test_agt.py.
❌ Missing coverage: No specific changes were made to this file in the diff, but the lack of a newline at the end of the file suggests no functional changes. However, if there are any untested CLI commands or edge cases, they may remain uncovered.
💡 Suggested test cases:
1. test_main_no_arguments — Ensure the CLI handles cases where no arguments are provided gracefully.
2. test_main_invalid_arguments — Test the behavior when invalid or unexpected arguments are passed to the CLI.

`packages/agent-compliance/src/agent_compliance/verify.py`

✅ Existing coverage: Core verification logic and _check_control method are likely covered by tests in tests/agent_compliance/test_verify.py.
❌ Missing coverage: No functional changes were made to this file in the diff, but edge cases for _check_control may not be fully tested.
💡 Suggested test cases:
1. test_check_control_missing_module — Simulate a missing module scenario and verify the error handling logic.
2. test_check_control_invalid_spec — Test _check_control with malformed or incomplete spec dictionaries.

`packages/agent-mesh/src/agentmesh/server/init.py`

✅ Existing coverage: This file likely serves as a package initializer and may not contain significant logic to test.
❌ Missing coverage: No functional changes were made, so no new coverage gaps are introduced.
💡 Suggested test cases: None specific to this file.

`packages/agent-mesh/src/agentmesh/server/main.py`

✅ Existing coverage: Entry point logic for starting the server may be covered by integration tests.
❌ Missing coverage: Edge cases for server startup (e.g., invalid configurations, missing environment variables) may not be fully tested.
💡 Suggested test cases:
1. test_main_invalid_config — Simulate invalid configuration scenarios and verify error handling.
2. test_main_missing_env_vars — Test behavior when required environment variables are not set.

`packages/agent-mesh/src/agentmesh/server/api_gateway.py`

✅ Existing coverage: Core API gateway functionality, such as reverse proxying and rate limiting, is likely covered by tests in tests/agentmesh/server/test_api_gateway.py.
❌ Missing coverage: Edge cases for rate limiting and malformed requests may not be fully tested.
💡 Suggested test cases:
1. test_rate_limit_exceeded — Verify behavior when an agent exceeds its rate limit.
2. test_malformed_request — Test handling of malformed HTTP requests or payloads.

`packages/agent-mesh/src/agentmesh/server/audit_collector.py`

✅ Existing coverage: Core audit logging functionality is likely covered by tests in tests/agentmesh/server/test_audit_collector.py.
❌ Missing coverage: Edge cases for Merkle chain integrity and file persistence errors may not be fully tested.
💡 Suggested test cases:
1. test_merkle_chain_integrity — Verify that the Merkle chain remains consistent after multiple log entries.
2. test_file_persistence_error — Simulate file write errors and verify error handling.

`packages/agent-mesh/src/agentmesh/server/policy_server.py`

✅ Existing coverage: Core policy evaluation logic is likely covered by tests in tests/agentmesh/server/test_policy_server.py.
❌ Missing coverage: Boundary conditions, conflicting policies, and policy bypass attempts may not be fully tested.
💡 Suggested test cases:
1. test_conflicting_policies — Test behavior when two policies conflict (e.g., one allows and one denies the same action).
2. test_policy_bypass_attempt — Simulate an attempt to bypass a policy using unexpected input formats or edge cases.

`packages/agent-mesh/src/agentmesh/server/trust_engine.py`

✅ Existing coverage: Trust scoring logic and identity verification are likely covered by tests in tests/agentmesh/server/test_trust_engine.py.
❌ Missing coverage: Edge cases for trust scores (e.g., 0.0, 1.0), expired certificates, and revoked trust may not be fully tested.
💡 Suggested test cases:
1. test_trust_score_zero — Verify behavior when an agent's trust score is 0.0.
2. test_expired_certificate — Test behavior when an agent presents an expired certificate.
3. test_revoked_trust — Simulate a scenario where an agent's trust is revoked and verify that actions are blocked.

General Recommendations

Ensure that all new functionality introduced in the agent-mesh components (e.g., FastAPI server entry points) is covered by integration tests.
Focus on domain-specific edge cases, such as policy conflicts, trust score boundaries, and error handling in distributed systems.
Add chaos experiments to test timeout handling, partial failures, and cascading failures in the api_gateway, audit_collector, and policy_server components.
Verify concurrency safety in shared state management, particularly in trust_engine and policy_server.

Let me know if you need further details or assistance!

github-actions

🤖 AI Agent: code-reviewer

Review Summary

This pull request introduces containerized FastAPI server entrypoints for the AgentMesh components, along with a GitHub Actions workflow for publishing these containers to GHCR. It also includes updates to the Helm chart, documentation, and minor code changes across multiple packages. While the changes are generally well-structured and address a critical gap in the project, there are several areas that require attention to ensure security, correctness, and backward compatibility.

🔴 CRITICAL: Security Issues

Insufficient Validation of User Input in FastAPI Endpoints
- Issue: The PR does not include the implementation of the FastAPI server entrypoints, but it mentions that they are added. If these endpoints do not validate user input properly, it could lead to injection attacks, including SQL injection, command injection, or other vulnerabilities.
- Action: Ensure that all input to the FastAPI endpoints is validated using Pydantic models with strict type definitions. Additionally, sanitize inputs to prevent injection attacks.
Lack of Explicit Non-Root User Enforcement in Dockerfile
- Issue: While the PR mentions the use of a non-root user in the Dockerfile, the actual Dockerfile is not included in the diff. Running containers as root is a critical security risk.
- Action: Verify that the Dockerfile explicitly switches to a non-root user using the USER directive. Ensure that the non-root user has the minimum required permissions.
Potential for Credential Leakage in GitHub Actions Workflow
- Issue: The GitHub Actions workflow uses ${{ secrets.GITHUB_TOKEN }} for authentication with GHCR. If this token is not scoped correctly, it could lead to unauthorized access or credential leakage.
- Action: Ensure that the GitHub token is scoped to the minimum permissions required for the workflow. Additionally, consider using OpenID Connect (OIDC) for authentication with GHCR to avoid long-lived tokens.
Provenance Attestation Failure Handling
- Issue: The attest-build-provenance step in the GitHub Actions workflow uses continue-on-error: true. This could allow builds with failed provenance attestation to be published, which is a security risk.
- Action: Remove continue-on-error: true and ensure that the workflow fails if provenance attestation does not succeed.
DID Method Inconsistency
- Issue: The inconsistency between did:mesh:* and did:agentmesh:* across SDKs could lead to policy mismatches and security gaps.
- Action: Expedite the standardization of the DID method to did:agentmesh:* across all SDKs. Until then, provide clear documentation and tooling to handle normalization.

🟡 WARNING: Potential Breaking Changes

DID Format Change in .NET SDK
- Issue: The change from did:mesh:* to did:agentmesh:* in the .NET SDK is a breaking change for users who rely on the old format.
- Action: Provide a migration guide and consider supporting both formats temporarily to ensure backward compatibility.
Helm Chart Updates
- Issue: The Helm chart now points to new GHCR-hosted images. This change will break deployments for users relying on the old image locations.
- Action: Clearly document this change in the release notes and provide a migration path for users to update their Helm chart configurations.

💡 Suggestions for Improvement

Add Unit Tests for FastAPI Endpoints
- Rationale: While the PR includes 28 integration tests, unit tests for individual FastAPI endpoints are not mentioned. These tests are crucial for ensuring endpoint correctness and input validation.
- Action: Add unit tests for all FastAPI endpoints, focusing on edge cases and invalid inputs.
Improve Documentation for New Components
- Rationale: The PR adds significant functionality but does not include detailed documentation for the new FastAPI server entrypoints or the Dockerfiles.
- Action: Update the documentation to include:
  - API specifications for each FastAPI endpoint.
  - Instructions for building and running the Docker containers locally.
  - Details on the health checks implemented in the Dockerfiles.
Enhance Logging and Monitoring
- Rationale: The PR does not mention logging or monitoring for the new components. These are critical for debugging and security auditing.
- Action: Ensure that the FastAPI server entrypoints include structured logging and integrate with OpenTelemetry for distributed tracing.
Concurrency and Thread Safety
- Rationale: The PR does not address thread safety or concurrency concerns for the new FastAPI server components.
- Action: Review the implementation of the FastAPI server entrypoints to ensure they are thread-safe, especially if they handle shared resources or state.
Sandboxing for Agent Execution
- Rationale: The PR does not mention any sandboxing mechanisms for the new components. This could lead to potential sandbox escape vulnerabilities.
- Action: Consider using container-level sandboxing (e.g., seccomp, AppArmor) and application-level sandboxing to isolate agent execution.
Backward Compatibility Testing
- Rationale: The PR introduces changes to the .NET SDK and Helm chart that could break existing deployments.
- Action: Add backward compatibility tests to ensure that existing users are not affected by these changes.

Final Assessment

Security: 🔴 Critical issues identified, particularly around input validation, Dockerfile configuration, and GitHub Actions workflow.
Backward Compatibility: 🟡 Breaking changes in the .NET SDK and Helm chart require mitigation.
Code Quality: 💡 Suggestions provided for improving test coverage, documentation, and thread safety.

Action Items

Address the critical security issues, especially input validation and Dockerfile configuration.
Provide a migration guide for the DID format change and Helm chart updates.
Add unit tests for FastAPI endpoints and backward compatibility tests.
Enhance documentation and logging for the new components.
Review thread safety and sandboxing mechanisms for the new server components.

Please address these issues and resubmit the PR for further review.

github-actions · 2026-04-17T03:30:52Z

🤖 AI Agent: security-scanner — Security Review of Pull Request: feat: add AgentMesh component container images and GHCR publishing

Security Review of Pull Request: feat: add AgentMesh component container images and GHCR publishing

Findings

1. Prompt Injection Defense Bypass

Rating: 🔴 CRITICAL
Issue:
The FastAPI server entrypoints for the AgentMesh components (trust-engine, policy-server, audit-collector, api-gateway) do not appear to include explicit defenses against prompt injection attacks. These components are critical for governance, and any bypass here could allow malicious agents to circumvent policies or inject unauthorized commands.

Attack Vector:
An attacker could craft malicious input that exploits weaknesses in input validation or sanitization, potentially bypassing governance rules enforced by the policy-server or injecting unauthorized commands into the trust-engine.

Recommendation:

Implement strict input validation and sanitization for all endpoints in the FastAPI server.
Add a dedicated PromptInjectionDetector middleware to inspect incoming requests for known prompt injection patterns.
Include unit tests to validate the effectiveness of the prompt injection defenses.

2. Policy Engine Circumvention

Rating: 🔴 CRITICAL
Issue:
The policy evaluation logic in the PolicyEngine class does not appear to include safeguards against policy circumvention via malformed or incomplete requests. Additionally, the DID format inconsistency (did:mesh:* vs. did:agentmesh:*) could lead to policy mismatches, allowing unauthorized actions to bypass governance.

Attack Vector:
An attacker could exploit the DID inconsistency to craft requests that bypass policy checks, especially in cross-SDK environments where policies rely on matching specific DID prefixes.

Recommendation:

Standardize the DID format across all SDKs to did:agentmesh:*.
Implement strict validation of DIDs in the PolicyEngine to ensure that malformed or inconsistent DIDs are rejected.
Add tests to verify that policies are enforced correctly across all SDKs and DID formats.

3. Trust Chain Weaknesses

Rating: 🟠 HIGH
Issue:
The trust-engine component is responsible for agent identity verification and IATP handshakes. However, there is no mention of SPIFFE/SVID validation or certificate pinning in the FastAPI server entrypoints or Dockerfiles.

Attack Vector:
An attacker could exploit weak or missing trust chain validation to impersonate an agent or inject malicious certificates, compromising the entire governance layer.

Recommendation:

Implement SPIFFE/SVID validation in the trust-engine to ensure that all agent identities are verified against a trusted certificate authority.
Add certificate pinning to prevent man-in-the-middle attacks.
Include integration tests to validate trust chain integrity.

4. Credential Exposure

Rating: 🟠 HIGH
Issue:
The GitHub Actions workflow (publish-containers.yml) uses the GITHUB_TOKEN secret for authentication but does not explicitly restrict its scope. Additionally, the workflow logs sensitive information such as image tags and metadata, which could inadvertently expose credentials or internal details.

Attack Vector:
An attacker with access to the CI/CD logs could extract sensitive information, such as image tags or metadata, to craft targeted attacks against the container registry or the published images.

Recommendation:

Restrict the scope of the GITHUB_TOKEN to only the permissions required for publishing containers.
Mask sensitive information in the workflow logs using echo ::add-mask:: for any potentially sensitive variables.
Rotate the GITHUB_TOKEN regularly and monitor its usage for anomalies.

5. Sandbox Escape

Rating: 🔴 CRITICAL
Issue:
The Dockerfiles for the AgentMesh components do not include explicit measures to prevent sandbox escapes, such as seccomp profiles, AppArmor, or SELinux policies.

Attack Vector:
An attacker could exploit vulnerabilities in the container runtime or the application code to escape the container and gain access to the host system.

Recommendation:

Add seccomp profiles, AppArmor, or SELinux policies to the Dockerfiles to restrict container capabilities.
Run containers with the --security-opt=no-new-privileges flag to prevent privilege escalation.
Use a non-root user for all containers (already partially implemented).

6. Deserialization Attacks

Rating: 🟠 HIGH
Issue:
The policy-server component processes governance policies from YAML/JSON files, but there is no mention of safe deserialization practices.

Attack Vector:
An attacker could craft malicious YAML/JSON payloads to exploit unsafe deserialization, potentially executing arbitrary code or injecting malicious data into the policy engine.

Recommendation:

Use safe YAML/JSON parsers (e.g., PyYAML.safe_load for YAML).
Validate the structure and content of deserialized data against a strict schema using libraries like pydantic.
Add unit tests to ensure that only valid policies are accepted.

7. Race Conditions

Rating: 🟡 MEDIUM
Issue:
The policy-server and trust-engine components may be vulnerable to race conditions in concurrent policy evaluations or trust checks, especially under high load.

Attack Vector:
An attacker could exploit timing discrepancies in policy evaluation or trust checks to bypass governance rules, particularly in distributed environments.

Recommendation:

Implement locking mechanisms or atomic operations for critical sections in the policy-server and trust-engine.
Use thread-safe data structures for policy storage and evaluation.
Conduct stress testing to identify and mitigate race conditions.

8. Supply Chain Risks

Rating: 🟠 HIGH
Issue:
The Dockerfiles and Python modules rely on external dependencies, but there is no mention of dependency pinning or verification against typosquatting or dependency confusion attacks.

Attack Vector:
An attacker could introduce malicious packages into the supply chain via typosquatting or dependency confusion, compromising the entire AgentMesh governance layer.

Recommendation:

Pin all dependencies to specific versions in requirements.txt or pyproject.toml.
Use tools like pip-audit or safety to scan for vulnerabilities in dependencies.
Verify the integrity of all dependencies using checksums or signatures.

Summary of Findings

Category	Rating	Fix Priority
Prompt Injection Defense Bypass	🔴 CRITICAL	Immediate
Policy Engine Circumvention	🔴 CRITICAL	Immediate
Trust Chain Weaknesses	🟠 HIGH	High
Credential Exposure	🟠 HIGH	High
Sandbox Escape	🔴 CRITICAL	Immediate
Deserialization Attacks	🟠 HIGH	High
Race Conditions	🟡 MEDIUM	Medium
Supply Chain Risks	🟠 HIGH	High

Action Plan

Immediate Fixes: Address prompt injection defenses, policy engine circumvention, and sandbox escape vulnerabilities.
High Priority Fixes: Implement trust chain validation, safe deserialization, and supply chain protections.
Medium Priority Fixes: Investigate and mitigate potential race conditions.
Ongoing Improvements: Regularly audit dependencies and CI/CD workflows for security risks.

…icrosoft#1192) * feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (microsoft#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (microsoft#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the microsoft#1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co> * docs: address external critic gaps in limitations and threat model (microsoft#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix!: standardize DID method to did:agentmesh across all SDKs (microsoft#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix lint errors and remove pi-mono breaking dep scan Two CI failures on main: 1. lint (agent-compliance): W293/W292 trailing whitespace and missing newlines in agt.py and verify.py — fixed. 2. dependency-scan: pi-mono-agentmesh references unregistered npm packages — removed entire pi-mono integration that was merged from draft PR microsoft#970 without proper review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AgentMesh component container images and GHCR publishing Add FastAPI server entrypoints for all four AgentMesh components: - trust-engine (port 8443): Agent identity verification, IATP handshakes - policy-server (port 8444): Governance policy evaluation from YAML/JSON - audit-collector (port 8445): Merkle-chained audit logging with persistence - api-gateway (port 8446): Reverse proxy with per-agent rate limiting Infrastructure: - Single Dockerfile with COMPONENT build arg (non-root, tini, health checks) - GitHub Actions workflow for GHCR publishing (multi-arch amd64/arm64) - Helm chart updated to reference ghcr.io/microsoft/agentmesh/* images - 28 integration tests covering all server endpoints Resolves the missing container images that blocked full AgentMesh cluster deployment (images were referenced in Helm chart but never built). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>

imran-siddique and others added 9 commits April 15, 2026 09:46

Merge branch 'microsoft:main' into main

2a9b6d0

Merge branch 'microsoft:main' into main

c920c0a

Merge branch 'microsoft:main' into main

68835db

github-actions Bot added documentation Improvements or additions to documentation dependencies Pull requests that update a dependency file tests agent-mesh agent-mesh package ci/cd CI/CD and workflows labels Apr 17, 2026

imran-siddique merged commit 84627e4 into microsoft:main Apr 17, 2026
24 of 27 checks passed

github-actions Bot added the size/XL Extra large PR (500+ lines) label Apr 17, 2026

imran-siddique deleted the feat/agentmesh-container-images branch April 17, 2026 03:30

github-actions Bot reviewed Apr 17, 2026

View reviewed changes

Conversation

imran-siddique commented Apr 17, 2026

Summary

Components

What's Included

Motivation

Uh oh!

Uh oh!

github-actions Bot commented Apr 17, 2026

📝 Documentation Sync Report

Issues Found

Suggestions

Additional Notes

Conclusion

Uh oh!

github-actions Bot commented Apr 17, 2026

🔍 API Compatibility Report

Summary

Findings

Migration Guide

For .NET SDK Users:

Conclusion

Uh oh!

github-actions Bot commented Apr 17, 2026

🧪 Test Coverage Analysis

packages/agent-compliance/src/agent_compliance/cli/agt.py

packages/agent-compliance/src/agent_compliance/verify.py

packages/agent-mesh/src/agentmesh/server/__init__.py

packages/agent-mesh/src/agentmesh/server/__main__.py

packages/agent-mesh/src/agentmesh/server/api_gateway.py

packages/agent-mesh/src/agentmesh/server/audit_collector.py

packages/agent-mesh/src/agentmesh/server/policy_server.py

packages/agent-mesh/src/agentmesh/server/trust_engine.py

General Recommendations

Uh oh!

github-actions Bot left a comment

Choose a reason for hiding this comment

🤖 AI Agent: code-reviewer

Review Summary

🔴 CRITICAL: Security Issues

🟡 WARNING: Potential Breaking Changes

💡 Suggestions for Improvement

Final Assessment

Action Items

Uh oh!

github-actions Bot commented Apr 17, 2026

Security Review of Pull Request: feat: add AgentMesh component container images and GHCR publishing

Findings

1. Prompt Injection Defense Bypass

2. Policy Engine Circumvention

3. Trust Chain Weaknesses

4. Credential Exposure

5. Sandbox Escape

6. Deserialization Attacks

7. Race Conditions

8. Supply Chain Risks

Summary of Findings

Action Plan

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

`packages/agent-compliance/src/agent_compliance/cli/agt.py`

`packages/agent-compliance/src/agent_compliance/verify.py`

`packages/agent-mesh/src/agentmesh/server/init.py`

`packages/agent-mesh/src/agentmesh/server/main.py`

`packages/agent-mesh/src/agentmesh/server/api_gateway.py`

`packages/agent-mesh/src/agentmesh/server/audit_collector.py`

`packages/agent-mesh/src/agentmesh/server/policy_server.py`

`packages/agent-mesh/src/agentmesh/server/trust_engine.py`