build(deps): Bump dotenv from 16.6.1 to 17.3.1 in /packages/agent-os/extensions/copilot#13
Merged
imran-siddique merged 1 commit intoMar 4, 2026
Conversation
Bumps [dotenv](https://github.com/motdotla/dotenv) from 16.6.1 to 17.3.1. - [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md) - [Commits](motdotla/dotenv@v16.6.1...v17.3.1) --- updated-dependencies: - dependency-name: dotenv dependency-version: 17.3.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
deleted the
dependabot/npm_and_yarn/packages/agent-os/extensions/copilot/dotenv-17.3.1
branch
imran-siddique
added a commit
that referenced
this pull request
Apr 20, 2026
* feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs #1017 and #1020 (#1125) PRs #1017 and #1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR #1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR #1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#7) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (#8) * feat(openshell): add governance skill package and runnable example (#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (#950) Reflects new capabilities added in PRs #947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (#954) Closes #952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from #772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (#908) 15 curated ATR detection rules + sync script. Closes #901. * fix(docs): correct npm package name and stale version refs across 21 files (#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (#1044) Addresses the #1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co> * docs: address external critic gaps in limitations and threat model (#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix!: standardize DID method to did:agentmesh across all SDKs (#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): address all 14 open code scanning alerts (#13) * fix: address 6 Dependabot security vulnerabilities - python-multipart 0.0.22 → 0.0.26 (DoS via large preamble/epilogue) - pytest 8.4.1 → 9.0.3 (tmpdir handling vulnerability) - langchain-core 1.2.11 → 1.2.28 (SSRF, path traversal, f-string validation) - langchain-core >=0.2.0,<1.0 → >=1.2.28 in langchain-agentmesh pyproject.toml - tsup 8.0.0 → 8.5.1 (DOM clobbering vulnerability) - rand 0.8.5: dismissed #176 as inaccurate (vuln affects rand::rng() 0.9.x API only) Fixes Dependabot alerts: #177, #175, #166, #164, #157, #156 Dismissed: #176 (not applicable to rand 0.8.x) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): address all 14 open code scanning alerts Scorecard HIGH: - publish-containers.yml: scope packages:write to job level (#316) Scorecard MEDIUM (pinned dependencies): - docs.yml: pin 4 GitHub Actions by SHA hash (#311-314) - docs.yml: use requirements.txt for pip install (#315) - agent-mesh Dockerfile: pin python:3.11-slim by SHA (#317,#318) - agent-os Dockerfile.sidecar: pin python:3.14-slim by SHA (#295,#296) - dashboard Dockerfile: pin python:3.12-slim by SHA (#291,#293) CodeQL: - test_time_decay.py: timedelta(days=365) -> 366 for leap safety (#289,#290) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>
imran-siddique
pushed a commit
that referenced
this pull request
May 11, 2026
…ify, heartbeat (#2090) * feat(mesh-client): add onError, onDisconnect, onE2EVerified event hooks Adds three observer-registration methods to MeshClient to align with the AzureClaw vendored AgentMesh SDK surface so consumers can swap providers behind a single transport interface: onError(handler) — fires on ws errors and decrypt failures onDisconnect(handler) — fires on ws.close with reason+code onE2EVerified(handler) — fires on first successful decrypt per peer Pure additions; no behaviour change for existing flows. Decrypt-failure and missing-session paths now drop the message AND notify error observers instead of silently dropping (still safe — unhandled events are swallowed). Tests: 8 new in mesh-client-event-hooks.test.ts; full suite 387/387 green. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(mesh-client): close gaps G1 (KNOCK auto-bootstrap) and G2 (auto-reconnect) Two protocol-level gaps were identified during the AzureClaw vendored-SDK audit (see Azure/kars#245 docs/agt-vs-vendored-sdk.md). Both block moving fully off the vendored agentmesh-sdk fork onto upstream AGT. ## G1: receiver-side X3DH auto-bootstrap from KNOCK Before: the responder side of an encrypted session was created only by calling acceptSession(peerId, establishment) explicitly. But the ChannelEstablishment was never carried on the wire — neither in knock_accept nor in the first message frame — so the receiver had no way to obtain it. Result: any fresh encrypted session failed with "No encrypted session" the first time a ciphertext arrived. Mirrors vendored agentmesh-sdk patch #4b. Behavior: - Sender (establishSession): builds the SecureChannel first, then sends KNOCK with the ChannelEstablishment embedded as { ik: base64, ek: base64, otk?: number }. - Receiver (handleKnock): if the knock contains `establishment` AND no prior session exists, deserialize and call acceptSession() automatically before responding with knock_accept. On bad establishment data, the knock is rejected and onError("knock", ...) fires. - Backwards-compatible: legacy peers that don't embed establishment continue to work; caller must invoke acceptSession() manually as before. ## G2: auto-reconnect on transport drop Before: MeshClient.reconnect() existed but was never called automatically. Network blips, relay restarts, AKS node OOM-evicts left the client disconnected forever — agents went mesh-deaf. Mirrors vendored agentmesh-sdk patch #9. Behavior: - New options: autoReconnect (default true), maxReconnectAttempts (default Number.POSITIVE_INFINITY), reconnectBaseDelayMs (default 1000), reconnectMaxDelayMs (default 60000). - On non-1000 ws.onclose: schedule reconnect with exponential backoff capped at reconnectMaxDelayMs. Light jitter (±20%) avoids thundering-herd reconnects across many sandboxes. - onDisconnect handlers fire BEFORE the reconnect is scheduled so observers can see the drop. - After maxReconnectAttempts, fires onError("ws", ..., "auto-reconnect gave up after N attempts") and stops. - disconnect() cancels any pending reconnect timer. - A connect() failure inside the reconnect path schedules another retry via the existing onclose path (and recursively from the catch handler in scheduleReconnect for the case where ws.onopen never fired). ## Tests 11 new tests across two files: - tests/mesh-client-knock-bootstrap.test.ts: 5 tests covering sender-side embedding, receiver auto-bootstrap, legacy fallback, malformed establishment, and end-to-end happy-path encrypted send. - tests/mesh-client-auto-reconnect.test.ts: 6 tests covering server-close reconnect, client-close no-reconnect, opt-out, give-up after max attempts, disconnect cancels pending timer, no duplicate scheduling. Full AGT TS suite: 398/398 pass (was 387 before this commit). Build clean. Both gaps were identified in the AzureClaw audit doc: docs/agt-vs-vendored-sdk.md (Patch-by-patch audit section). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(mesh): close vendored-parity gaps G3, G4, G5 G3 — session-desync teardown (vendored agentmesh-sdk patch #13 equiv): when Double Ratchet decryption fails for an existing session, the local ratchet state is irrecoverable. Previously we only fired onError('decrypt'); now we tear down the session (delete from this.sessions; clear knockAccepted) and fire a distinct onError('session_desync') so callers can re-run establishSession() and resume communication. G4 — pre-KNOCK encrypted-message buffer (vendored agentmesh-sdk patch #16 equiv): under transport reordering the relay can deliver an encrypted 'message' frame BEFORE the matching 'knock' arrives. Without buffering, that first frame was dropped silently. Now MeshClient buffers encrypted frames per-peer (default cap 5, TTL 3000ms), replays them when the corresponding knock is accepted, and drops them when rejected or on disconnect. Disabled by setting preKnockBufferSize: 0. G5 — eager ghost-connection close on rebind (vendored agentmesh-relay patch #2 equiv): when an agent reconnects with the same DID, the prior 'ghost' WebSocket is now closed eagerly with code 1000 'session_replaced' instead of waiting for the 90s heartbeat-eviction timer. The 'finally' cleanup now compares socket identity to avoid removing the freshly rebound connection when the old socket's handler unwinds. Tests: +5 (G4 pre-knock buffer behaviour), +2 (G3 type + lifecycle safety), +1 (G5 ghost rebind). 405 TS tests pass; 18 relay tests pass. NOTE: held local-only on branch azureclaw-meshclient-event-hooks; will be coordinated upstream with the AGT team. * feat(mesh): add RegistryClient and auto-register on MeshClient.connect() Closes the structural gap where MeshClientOptions declared registryUrl but no code path ever used it. Without this, agents can connect to the relay and exchange ciphertext but are invisible to peers — they never appear in /v1/discover and no one can fetch their X3DH pre-key bundle. This commit adds the missing registry-side glue, in upstream-quality shape, so AGT MeshClient becomes a drop-in replacement for vendored forks that wired their own registry calls (e.g. AzureClaw vendor/agentmesh-sdk). What's new: - src/encryption/registry-client.ts: typed HTTP client wrapping the AgentMesh registry's REST surface (POST /v1/agents, PUT/GET /v1/agents/{did}/prekeys, GET /v1/discover, GET/DELETE /v1/agents/{did}). base64url <-> Uint8Array marshalling, optional Ed25519-Timestamp Authorization signer, configurable retry/timeout. - src/encryption/mesh-client.ts: * New options: registryClient, registryClientOptions, capabilities, registrationMetadata, oneTimePrekeyCount, autoRegister. * connect() now calls registerSelf() at the end of a successful WS handshake when autoRegister is true (default) and a registry is configured. Idempotent — 409 (already registered) is treated as success; reconnect doesn't re-register. * registerSelf(): generates signed-prekey + N one-time prekeys via keyManager, then POSTs /v1/agents (capabilities = [displayName, ...options.capabilities]) and PUTs the prekey bundle. * discover(capability): wraps registry.discover. * establishSessionWithPeer(peerId): fetches peer prekeys from the registry and calls existing establishSession. * getRegistry(): exposes the underlying client for advanced cases. - tests/registry-client.test.ts: 11 new tests covering wire format, base64url round-trip, idempotent register (409), 5xx retry, and Authorization header. Also covers MeshClient auto-register on connect end-to-end with a fake fetch + fake WebSocket. - tests/mesh-client-*.test.ts: existing fixtures updated to pass autoRegister: false (no registry available in those tests). Behavior unchanged for the production path. All 71 tests pass (60 previously + 11 new). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(registry): add POST /v1/agents/{did}/heartbeat to bump last_seen The registry's last_seen field is set on registration but never updated by any HTTP handler — update_last_seen() exists in store.py but is dead code in production. As a result, every registered agent looks 'offline' (online=false on /presence) 90s after spawn, and any client-side discover stale-filter rejects all live agents. Add an unauthenticated POST /v1/agents/{did}/heartbeat that calls store.update_last_seen(). Idempotent. Returns 404 for unknown DIDs so callers can detect a registry restart and re-register. Mirrors the agent-side ping cadence (30s, well within the 90s presence threshold). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(mesh): include Ed25519 identity_key_ed in prekey bundle so verifyBundle() works PreKeyBundle.identityKeyEd was previously aliased to the X25519 identity_key because the registry didn't store the Ed25519 signing key. As a result, verifyBundle() either passed only because the stub test never exercised it, or quietly accepted any signed pre-key — a soundness gap in the X3DH wrapper. This commit threads identityKeyEd through the full path: - agent-mesh/registry/store.py (AgentRecord): add identity_key_ed field (X25519 long-term key already present as identity_key; Ed25519 distinct). - agent-governance-typescript/src/encryption/x3dh.ts: expose X3DHKeyManager.identityKeyEd getter. - agent-governance-typescript/src/encryption/registry-client.ts: uploadPrekeys() now accepts identityKeyEd (32 bytes, validated) and serializes it as identity_key_ed; fetchPrekeys() deserializes it back into PreKeyBundle.identityKeyEd. Older bundles without the field fall back to the X25519 key — verifyBundle() will then correctly reject (forensic visibility, no silent bypass). - agent-governance-typescript/src/encryption/mesh-client.ts: registerSelf() passes keyManager.identityKeyEd through to the registry. - tests/registry-client.test.ts + tests/test_registry.py: assert the new field is round-tripped on PUT/GET. Wire compatibility: PUT now requires identity_key_ed; GET emits it when set. Existing AGT clients that don't upload it will get verifyBundle() rejection on the receiving side — peers must upgrade together. (No silent regression on the wire — the field is new, not a breaking change to existing fields.) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(mesh): set autoRegister:false in upstream knock + malformed-frame tests These two upstream tests construct MeshClient without autoRegister:false, which now triggers a real fetch to the registry on connect() (added by our registry-client commit). The tests have no fake registry, so they fail with 'fetch failed'. autoRegister:false skips the auto-registration path and matches the pattern used in our 6 sibling mesh-client-*.test.ts files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Pal Lakatos-Toth <pallakatos@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…crosoft#13) Bumps [dotenv](https://github.com/motdotla/dotenv) from 16.6.1 to 17.3.1. - [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md) - [Commits](motdotla/dotenv@v16.6.1...v17.3.1) --- updated-dependencies: - dependency-name: dotenv dependency-version: 17.3.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
* feat(dotnet): add MCP security namespace — completes cross-language MCP parity * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Entra Agent ID bridge tutorial (Tutorial 31) (microsoft#10) * fix(pipeline): run NuGet ESRP signing on Windows agent (microsoft#1022) The EsrpCodeSigning@5 task constructs internal paths (batchSignPolicyFile, ciPolicyFile) using Windows-style backslashes. Running on ubuntu-latest produced garbled mixed paths like '/home/vsts/work/1/s/src\myapp\'. Changes: - Add per-job pool override: PublishNuGet runs on windows-latest - Convert FolderPath and all shell commands to Windows paths - Replace bash scripts with PowerShell for the Windows agent - PyPI and npm stages remain on ubuntu-latest (unchanged) - Add comment to delete orphaned ESRP_DOMAIN_TENANT_ID ADO variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: reland empty-merge changes from PRs microsoft#1017 and microsoft#1020 (microsoft#1125) PRs microsoft#1017 and microsoft#1020 were squash-merged as empty commits (0 file changes). This commit re-applies the intended documentation updates. From PR microsoft#1017 (critic gaps): - LIMITATIONS.md: add sections 7 (knowledge governance gap), 8 (credential persistence gap), 9 (initialization bypass risk) - LIMITATIONS.md: add knowledge governance and enforcement infra rows to 'What AGT Is Not' table - THREAT_MODEL.md: add knowledge flow and credential persistence to residual risks, add configuration bypass vectors table, remove stale '10/10' qualifier From PR microsoft#1020 (SOC2 resolved gaps): - soc2-mapping.md: mark kill switch as resolved (saga handoff implemented in kill_switch.py:69-178) - soc2-mapping.md: mark DeltaEngine verify_chain() as resolved (SHA-256 chain verification in delta.py:67-127) - soc2-mapping.md: add Resolved section to gaps summary, update Processing Integrity to 2 of 4 defects (was 3 of 4) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add MCP security namespace — completes cross-language MCP parity (microsoft#1021) * fix(ci): add path filters and concurrency; announce v3.1.0 release CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 * docs: update SOC2 mapping for resolved kill switch and DeltaEngine gaps - Kill switch is no longer placeholder: now implements saga handoff with handoff_success_count tracking (kill_switch.py:69-178) - DeltaEngine verify_chain() is no longer a stub: now performs SHA-256 chain verification (delta.py:67-127) - Move both from Critical/High gaps to new 'Resolved' section - Update Processing Integrity coverage (2 of 4 defects, not 3 of 4) - Update evidence table with current line ranges * feat(dotnet): add MCP security namespace with scanner, gateway, redactor, and sanitizer Add AgentGovernance.Mcp namespace implementing full MCP security parity with TypeScript and Rust SDKs: - McpSecurityScanner: tool poisoning, typosquatting, hidden instructions, rug pull, schema abuse, cross-server attack, and description injection detection - McpCredentialRedactor: regex-based redaction of API keys, bearer tokens, connection strings, and secret assignments - McpResponseSanitizer: response scanning for prompt injection tags, imperative phrasing, credential leakage, and exfiltration URLs - McpGateway: policy enforcement pipeline with deny/allow lists, payload sanitization, rate limiting, and human approval gates Includes 46 xUnit tests covering all threat categories. Updates SDK-FEATURE-MATRIX.md to flip .NET MCP Security from — to ✅. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: address external critic gaps (microsoft#1025) * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#5) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add 26 xUnit tests - Update README Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#6) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#7) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code (microsoft#8) * feat(openshell): add governance skill package and runnable example (microsoft#942) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(typescript): add MCP security scanner and lifecycle management to TS SDK (microsoft#947) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: update SDK feature matrix after parity pass (microsoft#950) Reflects new capabilities added in PRs microsoft#947 (TS), .NET, Rust, Go: - TypeScript: MCP security scanner + lifecycle management (was 5/14, now 7/14) - .NET: Kill switch + lifecycle management (was 8/14, now 10/14) - Rust: Execution rings + lifecycle management (was 6/14, now 8/14) - Go: MCP security + rings + lifecycle (was 4/14, now 7/14) All SDKs now have lifecycle management. Core governance (policy, identity, trust, audit) + lifecycle = 5 primitives shared across all 5 languages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add LIMITATIONS.md - honest design boundaries and layered defense (microsoft#953) Addresses valid external critique of AGT's architectural blind spots: 1. Action vs Intent: AGT governs individual actions, not reasoning or action sequences. Documents the compound-action gap explicitly and recommends content policies + model safety layers. 2. Audit logs record attempts, not outcomes: Documents that post-action state verification is the user's responsibility today, with hooks planned. 3. Performance honesty: README now notes that <0.1ms is policy-eval only; distributed mesh adds 5-50ms. Full breakdown in LIMITATIONS.md. 4. Complexity spectrum: Documents the minimal path (just PolicyEvaluator, no mesh/crypto) vs full enterprise stack. 5. Vendor independence: Documents zero cloud dependencies in core, standard formats for all state, migration path. 6. Recommended layered defense architecture diagram showing AGT as one layer alongside model safety, application logic, and infrastructure. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): rewrite OpenClaw sidecar deployment with working K8s manifests (microsoft#954) Closes microsoft#952 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: reversibility checker, trust calibration guide, escalation tests (microsoft#955) ReversibilityChecker with 4 levels and compensation plans. Trust score calibration guide with weights, decay, thresholds. 19 tests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: AGT Lite — zero-config governance in 3 lines + fix broken quickstart (microsoft#956) agent_os.lite: govern() factory, sub-ms enforcement, 16 tests. Fixed quickstart that called nonexistent add_rules(). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: bump all runtime versions to 3.1.0 and fix CI lint/test failures (microsoft#957) - Bump __version__ in 29 Python __init__.py files from 3.0.2 to 3.1.0 - Bump version= in 6 setup.py files from 3.0.2 to 3.1.0 - Bump meter version strings in _mcp_metrics.py - Bump 9 package.json files from 3.0.2 to 3.1.0 - Bump .NET csproj Version from 3.0.2 to 3.1.0 - Bump Rust workspace Cargo.toml from 3.0.2 to 3.1.0 - Create Go sdk doc.go with version marker 3.1.0 - Fix ruff W292 (missing newline at EOF) in data_classification.py - Fix CLI init regex to allow dots in agent names (test_init_special_characters) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(openclaw): critical honesty pass — document what works vs what's planned (microsoft#958) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging - use workspace root with -p agentmesh (microsoft#959) * fix(openclaw): critical honesty pass — document what works vs what's planned Server (__main__.py): - Add --host/--port argparse + env var support (was hardcoded 127.0.0.1:8080) Dockerfile.sidecar: - Copy modules/ directory (was missing, causing build failure) - Use 0.0.0.0 for container binding (127.0.0.1 is wrong inside containers) - Remove phantom port 9091 (no separate metrics listener exists) openclaw-sidecar.md — full honesty rewrite: - Add status banner: transparent interception is NOT yet implemented - Document actual sidecar API endpoints (health, detect/injection, execute, metrics) - Fix Docker Compose to use Dockerfile.sidecar (was using wrong Dockerfile) - Remove GOVERNANCE_PROXY claim (OpenClaw doesn't natively read this) - Replace fictional SLO/Grafana sections with real /api/v1/metrics docs - Add Roadmap section listing what's planned vs shipped openshell.md: - Remove references to non-existent shell scripts - Fix python -m agentmesh.server to python -m agent_os.server - Add note that sidecar doesn't transparently intercept (must call API) - Replace pip install agentmesh-platform with Python skill library usage Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix Rust crate packaging — use workspace root with -p agentmesh cargo package in a workspace writes .crate files to the workspace root's target/package/, not the individual crate's directory. The pipeline was running from the crate subdirectory and couldn't find the output. Fix: change workingDirectory from packages/agent-mesh/sdks/rust/agentmesh to packages/agent-mesh/sdks/rust (workspace root) and add -p agentmesh to all cargo commands to target the specific crate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(adr): ADR 0005 — Liveness attestation extension for TrustHandshake (microsoft#948) Proposes liveness attestation as opt-in gate for TrustHandshake. Addresses ghost-agent and ungraceful-handoff gaps from microsoft#772. Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> * blog: MCP Security — Why Your AI Agent Tool Calls Need a Firewall (microsoft#899) Co-authored-by: aymenhmaidiwastaken <63942652+aymenhmaidiwastaken@users.noreply.github.com> * feat: add LotL prevention policy for security measures (microsoft#949) YAML policy template for Living-off-the-Land detection and prevention. * feat(examples): add ATR community security rules for PolicyEvaluator (microsoft#908) 15 curated ATR detection rules + sync script. Closes microsoft#901. * fix(docs): correct npm package name and stale version refs across 21 files (microsoft#960) - Fix @agentmesh/sdk → @microsoft/agentmesh-sdk in 13 markdown files (README, QUICKSTART, tutorials, SDK docs, i18n, changelog) - Fix broken demo path in agent-os README (agent-os/demo.py → demo/maf_governance_demo.py) - Remove stale v1.0.0 labels from extension status table - Bump AGT Version refs 3.0.2 → 3.1.0 in case study templates and ATF conformance assessment Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use ESRP Release for NuGet signing (microsoft#961) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing (microsoft#962) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add missing packages to ESRP pipeline and fix Go version tag (microsoft#963) * fix(ci): add missing packages to ESRP pipeline and fix Go version tag Three gaps found during publish verification: 1. PyPI: add agentmesh-marketplace (8th package, was missing from matrix) 2. Rust: build+publish both workspace crates (agentmesh + agentmesh-mcp) - Changed from single-crate to workspace build (--workspace) - Package loop builds both .crate files - Renamed artifact from 'rust-agentmesh' to 'rust-crates' 3. Go: add 'v' prefix to version in doc.go (3.1.0 → v3.1.0) - Go module tags require semver with v prefix - Pipeline grep expects '// Version: v...' format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): correct ESRP NuGet contenttype casing — 'NuGet' not 'Nuget' ESRP Release rejected 'Nuget' with: 'The value provided for ReleaseContentType property is invalid.' ErrorCode 2254. ESRP content types are case-sensitive. Fix: 'Nuget' -> 'NuGet'. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use EsrpCodeSigning + dotnet push for NuGet (microsoft#965) EsrpRelease@11 does not support NuGet as a contenttype — it's for PyPI/npm/Maven/crates.io package distribution. NuGet packages must be signed with EsrpCodeSigning@5 first, then pushed with dotnet nuget push. New flow: 1. EsrpCodeSigning@5 with NuGetSign + NuGetVerify operations (CP-401405) 2. dotnet nuget push with the signed .nupkg to nuget.org This matches the standard Microsoft NuGet ESRP signing pattern used by azure-sdk, dotnet runtime, and other Microsoft OSS projects. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): upgrade axios to 1.15.0 - CVE-2026-40175, CVE-2025-62718 (microsoft#966) Critical S360 action items for SFI-ES5.2 1ES Open Source Vulnerabilities. CVE-2026-40175 (CVSS 9.9): Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — prototype pollution gadget enables CRLF injection in HTTP headers, bypassing AWS IMDSv2 session tokens. CVE-2025-62718: NO_PROXY Bypass via Hostname Normalization — trailing dots and IPv6 literals skip NO_PROXY matching, enabling SSRF through attacker-controlled proxy. Upgraded in 3 packages: - extensions/copilot: 1.14.0 → 1.15.0 - extensions/cursor: 1.13.5 → 1.15.0 - agent-os-vscode: 1.13.6 → 1.15.0 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): resolve ESRP_DOMAIN_TENANT_ID cyclical reference (microsoft#967) The ADO variable ESRP_DOMAIN_TENANT_ID had a cyclical self-reference, preventing ESRP authentication across ALL publishing stages (PyPI, npm, NuGet, crates.io). Fix: Define MICROSOFT_TENANT_ID as a pipeline-level variable with the well-known Microsoft corporate tenant ID (72f988bf-..., same default used by ESRP Release action.yml). This is a public value, not a secret. Also: NuGet publishing requires Microsoft as co-owner of the package on NuGet.org. See https://aka.ms/Microsoft-NuGet-Compliance Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: sync audit redaction status and framing with current code - Update SOC2 mapping to reflect CredentialRedactor now redacts credential-like secrets before audit persistence (API keys, tokens, JWTs, connection strings, etc.). Remaining gap: non-credential PII (email, phone, addresses) not yet redacted in audit entries. - Replace 'kernel-level enforcement' with 'policy-layer enforcement' in README, OWASP compliance, and architecture overview to match the existing 'application-level governance' framing in README Security section and LIMITATIONS.md. - Qualify 10/10 OWASP coverage claim in COMPARISON.md with footnote clarifying this means mitigation components exist per risk category, not full elimination. - Update owasp-llm-top10-mapping.md LLM06 row for credential redaction. Addresses doc/code inconsistencies identified in external review. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> * fix(lint): resolve agent-mesh lint errors in eu_ai_act.py (microsoft#1028) - Remove unused variable profiling_override (F841) - Remove f-string without placeholders (F541) - Fix whitespace in docstrings (W293) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): add path filters and concurrency; announce v3.1.0 release (microsoft#1039) CI optimization: - Add paths-ignore for docs to 5 code-only workflows - Add paths filter to Link Check (only run on docs changes) - Add concurrency groups to 7 heavy workflows - Docs-only PRs drop from ~14 checks to ~4 README: - Add v3.1.0 release announcement callout - Add PyPI version badge - Update tutorial count to 31 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add ADOPTERS.md and make deployment guides multi-cloud (microsoft#1040) - New ADOPTERS.md following Backstage/Flatcar pattern with Production, Evaluation, and Academic tables + instructions for adding your org - Rewrite docs/deployment/README.md from Azure-only to multi-cloud: Azure (AKS, Foundry, Container Apps), AWS (ECS/Fargate), GCP (GKE), Docker Compose, self-hosted. Updated architecture diagram to show cloud-agnostic deployment patterns. - Fix broken AWS/GCP links (pointed to non-existent paths) - README now links to 'Deployment Guides' (multi-cloud) instead of 'Azure Deployment' - README Contributing section invites adopters to add their org Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add AGT Lite — zero-config governance in 3 lines, fix broken quickstart (microsoft#1044) Addresses the microsoft#1 developer experience criticism: AGT is too complex to start. New: agent_os.lite — lightweight governance module - govern() factory: one line to create a governance gate - check(action): one line to enforce — raises GovernanceViolation or returns True - check.is_allowed(action): non-raising bool version - Allow lists, deny lists, regex patterns, content filtering, rate limiting - Built-in audit trail and stats - Sub-millisecond evaluation (0.003ms avg, 1000 evals in <100ms) - Zero dependencies beyond stdlib (re, time, datetime) - 16 tests passing Fix: govern_in_60_seconds.py quickstart - BROKEN: was calling PolicyEvaluator.add_rules() which does not exist - FIXED: now uses agent_os.lite.govern() which actually works - Verified end-to-end: script runs and produces correct output The lite module is for developers who just want basic governance without learning PolicyEvaluator, YAML, OPA/Rego, trust mesh, etc. Upgrade to the full stack when you need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(ci): enhance weekly security audit with 7 new scan jobs (microsoft#1051) Add comprehensive security checks based on issues found during the MSRC-111178 security audit and ongoing post-merge reviews: - Workflow security regression (MSRC-111178 pull_request_target check) - Expression injection scan (github.event.* in run: blocks) - Docker security (root containers, wildcard CORS, hardcoded passwords, 0.0.0.0 bindings) - XSS and unsafe DOM (innerHTML, eval, yaml.load, shell=True) - Action SHA pinning compliance - Version pinning (pyproject.toml upper bounds, Docker :latest tags, license field format) - Dependency confusion with --strict mode (pyproject.toml + package.json) - Retention days updated to 180 (EU AI Act Art. 26(6)) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): fix OpenShell integration CI — spelling, link check, policy validation (microsoft#1057) - Add OpenShell/NVIDIA terms to cspell dictionary (Landlock, seccomp, syscall, etc.) - Fix broken link: openclaw-skill -> openshell-skill in docs/integrations/openshell.md - Fix policy validation: replace starts_with (invalid) with matches + regex Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add reversibility checker, trust calibration guide, and escalation/reversibility tests (microsoft#1061) Addresses critical review feedback: 1. Rollback/reversibility (agent_os.reversibility) - ReversibilityChecker: pre-execution assessment of action reversibility - 4 levels: fully_reversible, partially_reversible, irreversible, unknown - CompensatingAction: structured undo plans for each action type - Built-in rules for 12 common actions (write, deploy, delete, email, etc.) - block_irreversible mode for strict environments 2. Trust score calibration guide (docs/security/trust-score-calibration.md) - Score component weights (compliance 35%, task 25%, behavior 25%, identity 15%) - Decay functions with tier floors - Initial score assignments by agent origin - Threshold recommendations (conservative/moderate/permissive) - Anti-gaming measures and operational playbook 3. Tests: 19 passing (10 escalation + 9 reversibility) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: deployment runtime (Docker/AKS) and shared trust core types (microsoft#1062) agent-runtime: Evolve from thin re-export shim to deployment runtime - DockerDeployer: container deployment with security hardening (cap-drop ALL, no-new-privileges, read-only rootfs) - KubernetesDeployer: AKS pod deployment with governance sidecars (runAsNonRoot, seccompProfile, resource limits) - GovernanceConfig: policy/trust/audit config injected as env vars - DeploymentTarget protocol for extensibility (ADC, nono, etc.) - 24 tests (all subprocess calls mocked) agent-mesh: Extract shared trust types into agentmesh.trust_types - TrustScore, AgentProfile, TrustRecord, TrustTracker - Canonical implementations replacing ~800 lines of duplicated code across 6+ integration packages - 25 tests covering clamping, scoring, history, capabilities Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(dotnet): add kill switch and lifecycle management to .NET SDK (microsoft#1065) - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(go): add MCP security, execution rings, and lifecycle management to Go SDK (microsoft#1066) - mcp.go: MCP security scanner detecting tool poisoning, typosquatting, hidden instructions (zero-width chars, homoglyphs), and rug pulls - rings.go: Execution privilege ring model (Admin/Standard/Restricted/Sandboxed) with default-deny access control - lifecycle.go: Eight-state agent lifecycle manager with validated transitions - Full test coverage for all three modules - Updated README with API docs and examples Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK (microsoft#1067) * feat(dotnet): add kill switch and lifecycle management to .NET SDK - Add KillSwitch with arm/disarm, event history, and subscriber notifications - Add LifecycleManager with 8-state machine and validated transitions - Add comprehensive xUnit tests for both components (26 tests) - Update .NET SDK README with usage documentation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(rust): add execution rings and lifecycle management to Rust SDK Add two new modules to the agentmesh Rust crate: - rings.rs: Four-level execution privilege ring model (Admin/Standard/ Restricted/Sandboxed) with per-agent assignment and per-ring action permissions, ported from the Python hypervisor enforcer. - lifecycle.rs: Eight-state agent lifecycle manager (Provisioning through Decommissioned) with validated state transitions and event history, matching the lifecycle model used across other SDK languages. Both modules include comprehensive unit tests and are re-exported from the crate root. README updated with API tables and usage examples. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: align lotl_prevention_policy.yaml with PolicyDocument schema The policy file used an incompatible schema format (id, parameter, regex_match, effect) instead of the expected PolicyDocument fields (name, condition.field, operator, action). This caused the validate-policies CI check to fail for all PRs. Changes: - id → name - condition.parameter → condition.field - operator: regex_match → operator: matches - action at rule level (shell_exec/file_read) → action: deny - effect: DENY → removed (redundant with action: deny) - Added version, name, description, disclaimer at top level Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve .NET ESRP signing issues blocking NuGet publish GitHub Actions (publish.yml): - Fix broken if-guards on signing steps: env.ESRP_AAD_ID was set in step-level env (invisible to if-expressions). Replace with job-level ESRP_CONFIGURED env derived from secrets. - Add missing ESRP_CERT_IDENTIFIER to signing step env blocks. - Gate the publish step on ESRP_CONFIGURED so unsigned packages are never pushed to NuGet.org under the Microsoft.* prefix. - Make stub signing steps fail-fast (exit 1) instead of silently succeeding, preventing unsigned packages from reaching NuGet push. ADO Pipeline (esrp-publish.yml): - Add UseDotNet@2 task to Publish_NuGet stage so dotnet nuget push has a guaranteed SDK version on the Windows agent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1163) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(docs): fix OpenClaw sidecar demo and add limitations callout (microsoft#1164) The docker-compose example in openclaw-sidecar.md was illustrative only and did not work — it referenced a non-existent OpenClaw image and lacked healthchecks. Users were hitting this and getting confused. Changes: - Add working demo at demo/openclaw-governed/ with docker-compose.yaml that builds and runs the governance sidecar from source - Replace the inline docker-compose in the doc with a link to the demo plus a clearly-labeled reference template for custom deployments - Add prominent WARNING callout listing known limitations (no native OpenClaw integration, no published images, explicit API required) - Remove stale orphaned curl snippet after the docker-compose block - Add healthcheck to docker-compose governance-sidecar service - Fix OpenClaw image reference from ghcr.io/openclaw/openclaw:latest to a placeholder users must replace with their own image Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(ci): use PME tenant ID for ESRP cert signing The ESRP signing cert lives in the PME (Partner Managed Engineering) tenant (975f013f), not the Microsoft corporate tenant (72f988bf). Using the wrong tenant ID causes ESRP signing to fail when looking up the cert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: Add Scaling AI Agents article to COMMUNITY.md (microsoft#857) Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> * Add runtime evidence mode to agt verify (microsoft#969) * Track agt verify evidence plan * Add runtime evidence mode to agt verify * Add runtime evidence verifier tests * Add CLI tests for agt verify evidence mode * Document evidence mode for compliance verification * Remove local implementation notes * Document agt verify evidence mode * Harden evidence path handling in verify --------- Co-authored-by: T. Smith <smith@antiparty.co> * docs: add Entra Agent ID bridge tutorial with R&R matrix and DID fix - Add Tutorial 31: Bridging AGT Identity with Microsoft Entra Agent ID - Detailed roles & responsibilities between AGT and Entra/Agent365 - Architecture diagram showing the identity bridge - Step-by-step: DID creation, Entra binding, AKS workload identity, token validation, lifecycle sync, access verification - Known gaps and limitations table - Platform independence note (AWS, GCP, Okta patterns) - Fix DID prefix in .NET MCP gateway tests (did:agentmesh → did:mesh for consistency with Python reference implementation and .NET SDK) - Update tutorials README with Enterprise Identity section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co> * docs: address external critic gaps in limitations and threat model (microsoft#11) Add three new sections to LIMITATIONS.md addressing gaps identified in public criticism and external security analysis: - §10 Physical AI and Embodied Agent Governance: documents that AGT governs software agents not physical actuators, with mitigations - §11 Streaming Data and Real-Time Assurance: documents that AGT evaluates per-action not continuously over data streams - §12 DID Method Inconsistency Across SDKs: documents the did:mesh vs did:agentmesh split with migration plan for v4.0 Update THREAT_MODEL.md residual risks to reference all three new limitation sections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix!: standardize DID method to did:agentmesh across all SDKs (microsoft#12) * fix!: standardize DID method to did:agentmesh across all SDKs BREAKING CHANGE: All agent DIDs now use the did:agentmesh: prefix. The legacy did:mesh: prefix used by Python and .NET has been migrated to match the did:agentmesh: convention already used by TypeScript, Rust, and Go SDKs. Changes: - Python: agent_id.py, delegation.py, entra.py, all integrations - .NET: AgentIdentity.cs, Jwk.cs, GovernanceKernel.cs, all tests - Docs: README, tutorials, identity docs, FAQ, compliance docs - Tests: all test fixtures updated across Python, .NET, TS, VSCode - Version bump: 3.1.0 → 3.2.0 (.NET, Python agent-mesh, TypeScript) Migration: replace did:mesh: with did:agentmesh: in your policies, identity registries, and agent configurations. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add Q11-Q13 to FAQ — AGT scope, Agent 365, and DLP comparison Adds three new customer Q&As: - Q11: Is AGT for Foundry agents or any agent type? (any) - Q12: Relationship between AGT and Agent 365 (different layers) - Q13: How is AGT different from DLP/communication compliance (content vs action governance) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): address all 14 open code scanning alerts (microsoft#13) * fix: address 6 Dependabot security vulnerabilities - python-multipart 0.0.22 → 0.0.26 (DoS via large preamble/epilogue) - pytest 8.4.1 → 9.0.3 (tmpdir handling vulnerability) - langchain-core 1.2.11 → 1.2.28 (SSRF, path traversal, f-string validation) - langchain-core >=0.2.0,<1.0 → >=1.2.28 in langchain-agentmesh pyproject.toml - tsup 8.0.0 → 8.5.1 (DOM clobbering vulnerability) - rand 0.8.5: dismissed microsoft#176 as inaccurate (vuln affects rand::rng() 0.9.x API only) Fixes Dependabot alerts: microsoft#177, microsoft#175, microsoft#166, microsoft#164, microsoft#157, microsoft#156 Dismissed: microsoft#176 (not applicable to rand 0.8.x) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): address all 14 open code scanning alerts Scorecard HIGH: - publish-containers.yml: scope packages:write to job level (microsoft#316) Scorecard MEDIUM (pinned dependencies): - docs.yml: pin 4 GitHub Actions by SHA hash (microsoft#311-314) - docs.yml: use requirements.txt for pip install (microsoft#315) - agent-mesh Dockerfile: pin python:3.11-slim by SHA (microsoft#317,microsoft#318) - agent-os Dockerfile.sidecar: pin python:3.14-slim by SHA (microsoft#295,microsoft#296) - dashboard Dockerfile: pin python:3.12-slim by SHA (microsoft#291,microsoft#293) CodeQL: - test_time_decay.py: timedelta(days=365) -> 366 for leap safety (microsoft#289,microsoft#290) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kevinkaylie <129134148+kevinkaylie@users.noreply.github.com> Co-authored-by: Aymen Hmaidi <63942652+aymenhmaidiwastaken@users.noreply.github.com> Co-authored-by: harshnair75567-cloud <harshnair75567@gmail.com> Co-authored-by: Adamthereal <imadam4real@gmail.com> Co-authored-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: lawcontinue <134219708+lawcontinue@users.noreply.github.com> Co-authored-by: deepsearch <deepsearch@deepsearchdeMac-mini.local> Co-authored-by: ewmh <tionne@gmail.com> Co-authored-by: T. Smith <smith@antiparty.co>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…ify, heartbeat (microsoft#2090) * feat(mesh-client): add onError, onDisconnect, onE2EVerified event hooks Adds three observer-registration methods to MeshClient to align with the AzureClaw vendored AgentMesh SDK surface so consumers can swap providers behind a single transport interface: onError(handler) — fires on ws errors and decrypt failures onDisconnect(handler) — fires on ws.close with reason+code onE2EVerified(handler) — fires on first successful decrypt per peer Pure additions; no behaviour change for existing flows. Decrypt-failure and missing-session paths now drop the message AND notify error observers instead of silently dropping (still safe — unhandled events are swallowed). Tests: 8 new in mesh-client-event-hooks.test.ts; full suite 387/387 green. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(mesh-client): close gaps G1 (KNOCK auto-bootstrap) and G2 (auto-reconnect) Two protocol-level gaps were identified during the AzureClaw vendored-SDK audit (see Azure/kars#245 docs/agt-vs-vendored-sdk.md). Both block moving fully off the vendored agentmesh-sdk fork onto upstream AGT. ## G1: receiver-side X3DH auto-bootstrap from KNOCK Before: the responder side of an encrypted session was created only by calling acceptSession(peerId, establishment) explicitly. But the ChannelEstablishment was never carried on the wire — neither in knock_accept nor in the first message frame — so the receiver had no way to obtain it. Result: any fresh encrypted session failed with "No encrypted session" the first time a ciphertext arrived. Mirrors vendored agentmesh-sdk patch #4b. Behavior: - Sender (establishSession): builds the SecureChannel first, then sends KNOCK with the ChannelEstablishment embedded as { ik: base64, ek: base64, otk?: number }. - Receiver (handleKnock): if the knock contains `establishment` AND no prior session exists, deserialize and call acceptSession() automatically before responding with knock_accept. On bad establishment data, the knock is rejected and onError("knock", ...) fires. - Backwards-compatible: legacy peers that don't embed establishment continue to work; caller must invoke acceptSession() manually as before. ## G2: auto-reconnect on transport drop Before: MeshClient.reconnect() existed but was never called automatically. Network blips, relay restarts, AKS node OOM-evicts left the client disconnected forever — agents went mesh-deaf. Mirrors vendored agentmesh-sdk patch microsoft#9. Behavior: - New options: autoReconnect (default true), maxReconnectAttempts (default Number.POSITIVE_INFINITY), reconnectBaseDelayMs (default 1000), reconnectMaxDelayMs (default 60000). - On non-1000 ws.onclose: schedule reconnect with exponential backoff capped at reconnectMaxDelayMs. Light jitter (±20%) avoids thundering-herd reconnects across many sandboxes. - onDisconnect handlers fire BEFORE the reconnect is scheduled so observers can see the drop. - After maxReconnectAttempts, fires onError("ws", ..., "auto-reconnect gave up after N attempts") and stops. - disconnect() cancels any pending reconnect timer. - A connect() failure inside the reconnect path schedules another retry via the existing onclose path (and recursively from the catch handler in scheduleReconnect for the case where ws.onopen never fired). ## Tests 11 new tests across two files: - tests/mesh-client-knock-bootstrap.test.ts: 5 tests covering sender-side embedding, receiver auto-bootstrap, legacy fallback, malformed establishment, and end-to-end happy-path encrypted send. - tests/mesh-client-auto-reconnect.test.ts: 6 tests covering server-close reconnect, client-close no-reconnect, opt-out, give-up after max attempts, disconnect cancels pending timer, no duplicate scheduling. Full AGT TS suite: 398/398 pass (was 387 before this commit). Build clean. Both gaps were identified in the AzureClaw audit doc: docs/agt-vs-vendored-sdk.md (Patch-by-patch audit section). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(mesh): close vendored-parity gaps G3, G4, G5 G3 — session-desync teardown (vendored agentmesh-sdk patch microsoft#13 equiv): when Double Ratchet decryption fails for an existing session, the local ratchet state is irrecoverable. Previously we only fired onError('decrypt'); now we tear down the session (delete from this.sessions; clear knockAccepted) and fire a distinct onError('session_desync') so callers can re-run establishSession() and resume communication. G4 — pre-KNOCK encrypted-message buffer (vendored agentmesh-sdk patch microsoft#16 equiv): under transport reordering the relay can deliver an encrypted 'message' frame BEFORE the matching 'knock' arrives. Without buffering, that first frame was dropped silently. Now MeshClient buffers encrypted frames per-peer (default cap 5, TTL 3000ms), replays them when the corresponding knock is accepted, and drops them when rejected or on disconnect. Disabled by setting preKnockBufferSize: 0. G5 — eager ghost-connection close on rebind (vendored agentmesh-relay patch microsoft#2 equiv): when an agent reconnects with the same DID, the prior 'ghost' WebSocket is now closed eagerly with code 1000 'session_replaced' instead of waiting for the 90s heartbeat-eviction timer. The 'finally' cleanup now compares socket identity to avoid removing the freshly rebound connection when the old socket's handler unwinds. Tests: +5 (G4 pre-knock buffer behaviour), +2 (G3 type + lifecycle safety), +1 (G5 ghost rebind). 405 TS tests pass; 18 relay tests pass. NOTE: held local-only on branch azureclaw-meshclient-event-hooks; will be coordinated upstream with the AGT team. * feat(mesh): add RegistryClient and auto-register on MeshClient.connect() Closes the structural gap where MeshClientOptions declared registryUrl but no code path ever used it. Without this, agents can connect to the relay and exchange ciphertext but are invisible to peers — they never appear in /v1/discover and no one can fetch their X3DH pre-key bundle. This commit adds the missing registry-side glue, in upstream-quality shape, so AGT MeshClient becomes a drop-in replacement for vendored forks that wired their own registry calls (e.g. AzureClaw vendor/agentmesh-sdk). What's new: - src/encryption/registry-client.ts: typed HTTP client wrapping the AgentMesh registry's REST surface (POST /v1/agents, PUT/GET /v1/agents/{did}/prekeys, GET /v1/discover, GET/DELETE /v1/agents/{did}). base64url <-> Uint8Array marshalling, optional Ed25519-Timestamp Authorization signer, configurable retry/timeout. - src/encryption/mesh-client.ts: * New options: registryClient, registryClientOptions, capabilities, registrationMetadata, oneTimePrekeyCount, autoRegister. * connect() now calls registerSelf() at the end of a successful WS handshake when autoRegister is true (default) and a registry is configured. Idempotent — 409 (already registered) is treated as success; reconnect doesn't re-register. * registerSelf(): generates signed-prekey + N one-time prekeys via keyManager, then POSTs /v1/agents (capabilities = [displayName, ...options.capabilities]) and PUTs the prekey bundle. * discover(capability): wraps registry.discover. * establishSessionWithPeer(peerId): fetches peer prekeys from the registry and calls existing establishSession. * getRegistry(): exposes the underlying client for advanced cases. - tests/registry-client.test.ts: 11 new tests covering wire format, base64url round-trip, idempotent register (409), 5xx retry, and Authorization header. Also covers MeshClient auto-register on connect end-to-end with a fake fetch + fake WebSocket. - tests/mesh-client-*.test.ts: existing fixtures updated to pass autoRegister: false (no registry available in those tests). Behavior unchanged for the production path. All 71 tests pass (60 previously + 11 new). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat(registry): add POST /v1/agents/{did}/heartbeat to bump last_seen The registry's last_seen field is set on registration but never updated by any HTTP handler — update_last_seen() exists in store.py but is dead code in production. As a result, every registered agent looks 'offline' (online=false on /presence) 90s after spawn, and any client-side discover stale-filter rejects all live agents. Add an unauthenticated POST /v1/agents/{did}/heartbeat that calls store.update_last_seen(). Idempotent. Returns 404 for unknown DIDs so callers can detect a registry restart and re-register. Mirrors the agent-side ping cadence (30s, well within the 90s presence threshold). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(mesh): include Ed25519 identity_key_ed in prekey bundle so verifyBundle() works PreKeyBundle.identityKeyEd was previously aliased to the X25519 identity_key because the registry didn't store the Ed25519 signing key. As a result, verifyBundle() either passed only because the stub test never exercised it, or quietly accepted any signed pre-key — a soundness gap in the X3DH wrapper. This commit threads identityKeyEd through the full path: - agent-mesh/registry/store.py (AgentRecord): add identity_key_ed field (X25519 long-term key already present as identity_key; Ed25519 distinct). - agent-governance-typescript/src/encryption/x3dh.ts: expose X3DHKeyManager.identityKeyEd getter. - agent-governance-typescript/src/encryption/registry-client.ts: uploadPrekeys() now accepts identityKeyEd (32 bytes, validated) and serializes it as identity_key_ed; fetchPrekeys() deserializes it back into PreKeyBundle.identityKeyEd. Older bundles without the field fall back to the X25519 key — verifyBundle() will then correctly reject (forensic visibility, no silent bypass). - agent-governance-typescript/src/encryption/mesh-client.ts: registerSelf() passes keyManager.identityKeyEd through to the registry. - tests/registry-client.test.ts + tests/test_registry.py: assert the new field is round-tripped on PUT/GET. Wire compatibility: PUT now requires identity_key_ed; GET emits it when set. Existing AGT clients that don't upload it will get verifyBundle() rejection on the receiving side — peers must upgrade together. (No silent regression on the wire — the field is new, not a breaking change to existing fields.) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(mesh): set autoRegister:false in upstream knock + malformed-frame tests These two upstream tests construct MeshClient without autoRegister:false, which now triggers a real fetch to the registry on connect() (added by our registry-client commit). The tests have no fake registry, so they fail with 'fetch failed'. autoRegister:false skips the auto-registration path and matches the pattern used in our 6 sibling mesh-client-*.test.ts files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Pal Lakatos-Toth <pallakatos@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps dotenv from 16.6.1 to 17.3.1.
Changelog
Sourced from dotenv's changelog.
... (truncated)
Commits
7bc16a417.3.127303fdupdate README-es6379eb2update READMEb6d7339fix spelling5febe3517.3.0f61f383changelog 🪵dec94adupdate README4856950update README6351887update README23bd017update READMEDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)