Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/microsoft/agent-governance-toolkit/llms.txt

Use this file to discover all available pages before exploring further.

This changelog covers every notable release of the Agent Governance Toolkit. The project is in public preview — releases are Microsoft-signed and production-quality but may have breaking changes before General Availability. For a machine-readable version, see CHANGELOG.md in the repository. For binary breaking changes and migration scripts, see BREAKING_CHANGES.md. All releases are tagged on the GitHub releases page. The format follows Keep a Changelog and the project adheres to Semantic Versioning.

[Unreleased]

Added

  • Agent sandbox nono provider — added NonoSandboxProvider to agt-sandbox, a Linux/macOS kernel-enforced sandbox backend via the nono-py bindings (Landlock / Seatbelt) with policy-driven egress proxying, host-side PolicyEvaluator gating, and AST pre-scan. Install with pip install "agt-sandbox[nono]". A non-empty tool_allowlist is refused at session creation (fail-closed) because nono has no in-sandbox tool channel — gate tools with policy rules on tool_name instead.
  • Command denylist enforcement in RingEnforcer — added check_command() method to RingEnforcer that validates subprocess commands against a global DENIED_COMMANDS list with case-insensitive matching and shell metacharacter stripping (;, &, |) to prevent injection bypasses.

Fixed

  • agent-os policy evaluator — folder-scoped backend decisions now include policy, backend, evaluation_ms, context_snapshot, and timestamp fields in audit_entry, matching the flat evaluation path and eliminating a parity gap when an external backend (OPA / Cedar) returns a decision under folder-scoped evaluation.

[4.0.0] — 2026-06-01

v4.0.0 package consolidation: 45 Python packages were consolidated into 5 top-level distributions (agent-governance-toolkit-core, -runtime, -sre, -cli, and [full]). Legacy package names (agent-os-kernel, agentmesh-platform, agentmesh-runtime, agent-sre, agent-discovery, agent-hypervisor, agentmesh-marketplace, agentmesh-lightning) remain installable as stub packages that redirect to the new consolidated distributions for migration continuity. If you pin to old package names in your requirements.txt, they will continue to work — but we recommend migrating to the new names.

Breaking Changes

  • Python package consolidation — 45 packages consolidated into 5 distributions (see note above). Update install commands from pip install agent-os-kernel agentmesh-platform ... to pip install agent-governance-toolkit[full].
  • Monorepo-wide v4 alignment — Python, TypeScript, .NET, Rust, and Go packages all bumped to 4.0.0. If you depend on specific language SDK versions, update your lockfiles.

Added

  • TEE keystore abstraction — async key-store primitives with TEEKeyHandle, SoftwareKeyHandle, LocalTEEKeyStore, and MockSKRKeyStore for attested and software-backed key management.
  • New governed CLI packages — first-party governance packages for OpenCode (@microsoft/agent-governance-opencode), Antigravity CLI (@microsoft/agent-governance-antigravity-cli), and Claude Code (@microsoft/agent-governance-claude-code).
  • Entra-signed JWT verification for AgentMesh — mesh-relay now validates Entra JWTs on the WebSocket connect frame; mesh-registry adds /v1/registry/verify for upgrading agents to verified tier.
  • Wire-protocol-aware policy evaluation across all SDKs — SQL- and Kubernetes-aware policy facets to TypeScript, Rust, Go, and .NET so decisions can key off protocol metadata instead of raw text alone.
  • LangGraph v1.0 governance adapter — added LangGraph 1.0 support plus stale-auth fingerprinting to catch reused or expired auth context.
  • AGT test replay engine — policy regression replay tooling for replaying captured decision traces against current evaluators.
  • Cedarling-AgentMesh integration — Cedarling community integration plus injected Cedarling-instance support and runnable examples.
  • Expanded audit fieldsarguments_hash, approver_did, policy_version, issued_at, completed_at added to audit entries.

Security

  • Broadened SSN PII regex — the dashed-only \b\d{3}-\d{2}-\d{4}\b pattern across LangChain, AutoGen, CrewAI, and Bedrock adapters was trivially bypassed by space-, dot-, or no-separator variants. Pattern updated to \b\d{3}[\s.-]?\d{2}[\s.-]?\d{4}\b.
  • Auth-bypass closed — when Entra verification is enabled (AGENTMESH_ENTRA_AUDIENCE set), empty/missing token on WebSocket connect is rejected immediately with no silent fallback to the legacy shared-secret path.
  • JWKS cache hardened — hard upper bound on stale JWKS cache via AGENTMESH_ENTRA_JWKS_MAX_STALE_SECS (default 24h); beyond the budget, refetch failures fail closed.
  • Algorithm confusion defence — JWT header alg is pre-validated against ALLOWED_SIGNING_ALGORITHMS before the JWKS lookup.
  • Closed additional authorisation bypasses in the stateless kernel, execute API, and direct-URL policy bypass in resource validation.
  • Raised minimum setuptools to 78.1.1 for the published CVE fix.

Fixed

  • CI stabilisation: fixed PyJWT/click/rich dependency issues, OPA/Cedar and LangGraph skip markers, and conftest imports across the consolidated Python package layout.
  • Consolidated PII detection patterns into a single shared constant in agent_os.integrations.base — four per-adapter copies now import the shared PII_PATTERNS tuple to prevent silent drift.

Documentation

  • README overhauled for clarity; homepage and docs site narrative refreshed; package/install guidance updated for the consolidated v4 experience.
  • 60+ tutorial improvements and Traditional Chinese (zh-TW) translations added.

[3.2.1] — 2026-04-22

Fixed

  • TypeScript SDK — fixed build compatibility with TypeScript 6.0: encryption modules (X3DHKeyManager, MeshClient, SecureChannel, DoubleRatchet) now correctly exported from npm package.
  • TypeScript SDK — fixed @noble/hashes import paths (sha256sha2 module rename).
  • TypeScript SDK — replaced removed edwardsToMontgomeryPriv/Pub with manual SHA-512 + RFC 7748 clamping.
  • TypeScript SDK — added Jest moduleNameMapper + transformIgnorePatterns for ESM @noble/* packages.

[3.2.0] — 2026-04-22

Added

  • AgentMesh Wire Protocol v1.0 specification (docs/specs/AGENTMESH-WIRE-1.0.md).
  • TypeScript E2E Encryption — X3DH + Double Ratchet + SecureChannel ported to @microsoft/agentmesh-sdk.
  • MeshClient — high-level relay transport with plaintext peers, KNOCK pending queue, wsFactory hook.
  • Registry Service — first-party agent registry with pre-key bundles, discovery, presence, and reputation.
  • Relay Service — store-and-forward WebSocket relay with 72h TTL offline inbox.

[3.1.1] — 2026-04-21

Added

  • E2E Encrypted Agent Messaging — Signal protocol (X3DH + Double Ratchet) for agent-to-agent channels with per-message forward secrecy.
    • agentmesh.encryption.x3dh — X3DH key agreement using Ed25519 identity keys
    • agentmesh.encryption.ratchet — Double Ratchet with ChaCha20-Poly1305 encryption
    • agentmesh.encryption.channel — SecureChannel high-level send/receive API
    • agentmesh.encryption.bridge — EncryptedTrustBridge gates channels on trust verification
    • 61 tests across all encryption modules
  • GitHub Pages documentation site — MkDocs Material at microsoft.github.io/agent-governance-toolkit.
  • Customer FAQ — 13 technical Q&As for customers, partners, and evaluators.
  • .NET SDK — MCP security namespace, kill switch, and lifecycle management.
  • Go SDK — MCP security, execution rings, and lifecycle management.
  • Rust SDK — Execution rings and lifecycle management.

Security

  • Addressed all 106 open code scanning alerts.
  • Removed hardcoded credentials flagged by generic secret scanning.
  • Upgraded axios to 1.15.0 for CVE-2026-40175, CVE-2025-62718.
  • XSS, curl|bash, CORS, PII leak, and path traversal fixes.

Fixed

  • Standardised DID method to did:agentmesh across all SDKs.
  • Rewrote production policy examples to valid PolicyDocument schema.

[3.1.0] — 2026-04-11

Added

  • Unified agt CLI with plugin discovery, doctor command, and 79 tests.
  • Governance Dashboard — real-time agent fleet visibility.
  • Agent Lifecycle Management — provisioning to decommission.
  • Agent Discovery Package — shadow AI discovery and inventory.
  • Quantum-Safe Signing — ML-DSA-65 alongside Ed25519.
  • PromptDefenseEvaluator — 12-vector prompt audit.
  • EU AI Act Risk Classifier — structured risk classification per Article 6 and Annex III with configurable YAML categories.
  • Optional runtime evidence mode for agt verify with --evidence and --strict flags.

Security

  • Patched dependency verification bypass and trust handshake DID forgery.
  • Hardened CLI error handling — standardised sanitised JSON error output across all 7 ecosystem tools to prevent internal information disclosure (CWE-209).
  • Implemented strict key-whitelisting in agentmesh audit JSON output.

[3.0.2] — 2026-04-02

Security

  • Comprehensive security audit remediation (29 findings fixed).
  • CI injection prevention: moved all github.event expressions to env blocks.
  • Supply chain hardening: dependency confusion fixes, npm lockfiles, Dockerfile pinning.
  • Docker/infra: removed hardcoded passwords, wildcard CORS, added .dockerignore exclusions.
  • Version pinning compliance across all pyproject.toml and Cargo.toml files.

[3.0.1] — 2026-04-01

Added

  • Rust SDK (agentmesh crate) for native governance integration.
  • Go SDK module for policy, trust, audit, and identity.
  • Trust report CLI command (agentmesh trust report).
  • Secret scanning workflow (Gitleaks).
  • 4 new fuzz targets (prompt injection, MCP scanner, sandbox, trust scoring).
  • Dependabot coverage expanded to 13 ecosystems (+ cargo, gomod, nuget, docker).
  • Entra Agent ID adapter for managed identity integration.
  • SBOM generation (SPDX/CycloneDX) with Ed25519 artifact signing.

[3.0.0] — 2026-03-26

Changed

  • Official Microsoft-Signed Public Preview — all packages now published via ESRP Release with Microsoft signing.
  • All package descriptions updated from “Community Edition” to “Public Preview”.
  • All Development Status classifiers standardised to “4 - Beta”.
  • Package agent-lightning renamed to agentmesh-lightning on PyPI.
  • All personal author references replaced with Microsoft Corporation; contact email updated to agentgovtoolkit@microsoft.com.

[2.3.0] — 2026-03-26

Added

  • MCP server allowlist/blocklist and plugin trust tiers.
  • Governance policy linter CLI command.
  • GitHub Actions action for governance verification.
  • JSON schema validation for governance policies.
  • 14 launch-ready tutorials (07–20) covering all toolkit features.

Changed

  • Renamed PyPI package agent-runtimeagentmesh-runtime (name collision with AutoGen).
  • Renamed PyPI package agent-marketplaceagentmesh-marketplace.
  • Renamed PyPI package agent-lightningagentmesh-lightning.

[2.1.0] — 2026-03-15

Added

  • TypeScript SDK full parityPolicyEngine + AgentIdentity with 4 conflict resolution strategies, Ed25519 lifecycle/delegation/JWK/JWKS/DID export, IdentityRegistry with cascade revocation. 136 tests passing.
  • Multi-language README — root README now surfaces Python (PyPI), TypeScript (npm), and .NET (NuGet) install sections and quickstart code.
  • Observability integrations — Prometheus, OpenTelemetry, PagerDuty, Grafana.
  • Performance benchmarks — published docs/BENCHMARKS.md with p50/p99 latency and throughput at 50 concurrent agents.
  • 6 comprehensive governance tutorials — policy engine, trust & identity, framework integrations, audit & compliance, agent reliability, execution sandboxing.
  • Azure deployment guides — AKS, Azure AI Foundry, Container Apps, OpenClaw sidecar.

Security

  • CostGuard org kill switch bypass — crafted IEEE 754 inputs (NaN/Inf/negative) could bypass organisation-level kill switch; fixed with input validation and persistent _org_killed flag.
  • CostGuard thread safety — bound breach history with Lock for concurrent access.

[1.1.0] — 2026-03-08

Added

  • Policy conflict resolution engine — 4 declared strategies (DENY_OVERRIDES, ALLOW_OVERRIDES, PRIORITY_FIRST_MATCH, MOST_SPECIFIC_WINS) with 3-tier policy scope model (global → tenant → agent) and auditable resolution trace.
  • Session policy pinningcreate_context() deep-copies policy so running sessions get immutable snapshots; mid-flight policy mutations no longer leak into active sessions.
  • Tool alias registry — canonical capability mapping for 7 tool families (30+ aliases) prevents policy bypass via tool renaming.
  • Human-in-the-loop escalationEscalationPolicy with ESCALATE tier, InMemoryApprovalQueue, and WebhookApprovalBackend.
  • OpenTelemetry observabilityGovernanceTracer with distributed traces, span events for policy checks, custom metrics, and OTLP exporter integration.
  • External audit trail integritySignedAuditEntry with Ed25519 signatures, HashChainVerifier for tamper detection, FileAuditSink for append-only external storage.
  • Bootstrap integrity verificationIntegrityVerifier hashes 15 governance module source files against a published integrity.json manifest to detect supply chain tampering before any policy evaluation occurs.
  • Governance certification CLIagent-governance verify checks all 10 OWASP ASI 2026 controls and generates signed attestations.

Fixed

  • 44 code scanning alerts resolved (CodeQL SAST — CWE-209, CWE-116, CWE-20).

[1.0.1] — 2026-03-06

Changed

  • Microsoft org release — first publish from microsoft/agent-governance-toolkit.
  • Added MIT licence headers to 1,159 source files across all packages.
  • Migrated all 215 documentation URLs from personal repos to the Microsoft org.
  • Bumped all 5 package versions from 1.0.0 to 1.0.1.

[1.0.0] — 2026-03-04

Added

  • Agent OS Kernel (agent-os-kernel) — policy-as-code enforcement engine with syscall-style interception, OWASP ASI 2026 compliance, and Microsoft Agent Framework native middleware adapter.
  • AgentMesh (agentmesh) — zero-trust inter-agent identity mesh with SPIFFE-based identity, DID-linked credentials, Microsoft Entra Agent ID adapter, and AI-BOM v2.0 supply-chain provenance.
  • Agent Runtime (agent-runtime) — runtime sandboxing with capability-based isolation, resource quotas, and Docker/Firecracker execution environments.
  • Agent SRE (agent-sre) — observability toolkit with chaos-engineering probes, canary deployment framework, and automated incident response.
  • Agent Compliance (agent-governance) — unified compliance installer mapping OWASP ASI 2026 (10/10), NIST AI RMF, EU AI Act, and CSA Agentic Trust Framework.
  • Mono-repo CI/CD: lint (ruff) × 5 packages, test matrix (3 Python versions × 4 packages), security scanning (safety), CodeQL SAST (Python + JavaScript).
  • OpenSSF Best Practices badge and Scorecard integration.

Security

  • CVE-2025-27520, CVE-2024-53981, CVE-2024-47874 — bumped python-multipart to ≥0.0.20.
  • CVE-2024-5206 — bumped scikit-learn to ≥1.6.1.
  • CVE-2023-36464 — replaced deprecated PyPDF2 with pypdf ≥4.0.0.
  • Removed exception details from HTTP error responses (CWE-209).
  • Fixed ReDoS patterns in policy library regex (CWE-1333).
  • Pinned all GitHub Actions by SHA hash; pinned all Docker base images by SHA256 digest.

Build docs developers (and LLMs) love

Get started for freeTalk to us