
Releases: microsoft/agent-governance-toolkit

v3.3.0 - Contributor Reputation + Repo Reorganization

27 Apr 03:28
15e001f


Highlights

Contributor Reputation Check

A new reusable GitHub Action that screens PR and issue authors for coordinated inauthentic behavior. Any OSS repo can adopt it:

- uses: microsoft/agent-governance-toolkit/.github/actions/contributor-check@v3.3.0
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}

Detects following farming, cross-repo spray, credential laundering, and network coordination. Runs automatically on every PR/issue open. Labels and comments on MEDIUM/HIGH risk. Zero external dependencies.

Repo Reorganization

All SDK packages now live under language-specific directories for a clean, navigable root:

  • agent-governance-python/ (10 packages)
  • agent-governance-typescript/ (VS Code extension + TS SDK)
  • agent-governance-dotnet/ (.NET SDK)
  • agent-governance-rust/ (Rust SDK)
  • agent-governance-golang/ (Go SDK)

Shift-Left Governance

Tutorial 45 walks through AGT's full shift-left story. Contributor reputation is now the leftmost check in the pipeline, before pre-commit hooks, before CI.

Also in this release

  • Sentry integration for Agent SRE
  • Policy composition with extends inheritance
  • Multi-stage policy pipeline (pre_input, pre_tool, post_tool, pre_output)
  • 2-line governance wrapper: govern() function
  • Human-in-the-loop approval workflows
  • OpenTelemetry native observability
  • ATR Community Rules upgraded to 287 rules
  • EU AI Act compliance templates
  • SDK parity improvements across .NET, TypeScript, Rust, Go
  • 80+ total changes

See full CHANGELOG for details.

v3.2.2 — Fix @noble subpath exports for Node.js runtime

22 Apr 19:15
9328ca5


Patch fix: adds .js extensions to @noble/* subpath imports so the compiled SDK resolves correctly via the Node.js exports field. Without this, consumers get ERR_PACKAGE_PATH_NOT_EXPORTED at runtime.
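To make that failure mode concrete, here is an added Python sketch (not the SDK's code) of how Node's "exports" field gates subpath imports; the exports map below is a constructed sample shaped like the behaviour the note describes, not the real @noble/hashes package.json.

```python
"""Why `import "@noble/hashes/sha2"` fails at runtime under Node's "exports" field."""
from __future__ import annotations

# Constructed sample exports map, shaped like the behaviour the v3.2.2 note
# describes (only ".js" subpaths are exported).  It is NOT the real
# @noble/hashes package.json.  Targets are plain strings; Node also allows
# conditional objects ("import"/"require"), which this sketch omits.
SAMPLE_EXPORTS = {
    ".": "./index.js",
    "./sha2.js": "./sha2.js",
    "./hkdf.js": "./hkdf.js",
    "./hmac.js": "./hmac.js",
    "./utils.js": "./utils.js",
}


class PackagePathNotExported(Exception):
    """Python stand-in for Node's ERR_PACKAGE_PATH_NOT_EXPORTED."""


def resolve_subpath(exports: dict[str, str], specifier: str, package: str) -> str:
    """Resolve `package/subpath` against an "exports" map the way Node does in
    the common cases: an exact key match wins, then a key with a single '*'
    pattern is tried.  Anything else is refused; a bare '@noble/hashes/sha2'
    therefore never reaches the file system even though sha2.js exists."""
    if specifier == package:
        subpath = "."
    elif specifier.startswith(package + "/"):
        subpath = "./" + specifier[len(package) + 1:]
    else:
        raise ValueError(f"{specifier!r} is not inside package {package!r}")

    if subpath in exports:  # exact match
        return exports[subpath]

    for key, target in exports.items():  # pattern keys such as "./*.js"
        if key.count("*") != 1:
            continue
        prefix, suffix = key.split("*")
        long_enough = len(subpath) >= len(prefix) + len(suffix)
        if long_enough and subpath.startswith(prefix) and subpath.endswith(suffix):
            captured = subpath[len(prefix):len(subpath) - len(suffix)]
            return target.replace("*", captured)

    raise PackagePathNotExported(
        f"Package subpath '{subpath}' is not defined by \"exports\" "
        f"in {package}/package.json"
    )


def check_imports(exports: dict[str, str], package: str, specifiers: list[str]) -> list[str]:
    """Return the specifiers that would throw at runtime.  Running this over a
    compiled SDK's import list at build time surfaces the problem before
    publishing, instead of at the consumer's first `require`."""
    failing = []
    for spec in specifiers:
        try:
            resolve_subpath(exports, spec, package)
        except PackagePathNotExported:
            failing.append(spec)
    return failing
```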

v3.2.1 — Fix npm encryption exports

22 Apr 15:02
0588f6d


Pre-release

Agent Governance Toolkit v3.2.1

Public Preview — Microsoft-signed, production-quality.

Fix

The v3.2.0 npm package (@microsoft/agentmesh-sdk) was missing the encryption module exports because the ESRP build ran before the TypeScript 6.0 compatibility fix (PR #1305) was merged. This patch release ensures dist/encryption/ is included.

Now correctly exported from npm:

  • X3DHKeyManager, generateX25519KeyPair, ed25519ToX25519
  • DoubleRatchet
  • SecureChannel
  • MeshClient (relay transport with E2E encryption)

Also fixed:

  • @noble/hashes import paths (sha256 → sha2)
  • Removed edwardsToMontgomeryPriv/Pub (replaced with SHA-512 + RFC 7748 clamping)
  • Jest config for ESM @noble/* packages
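The conversion the note above describes (SHA-512 of the Ed25519 seed plus RFC 7748 clamping for the private half, and the Edwards-to-Montgomery map for the public half exported as ed25519ToX25519), written out here as an added Python illustration using only the standard library; it is not the toolkit's implementation, and the seed is a constructed sample.

```python
"""Ed25519 -> X25519 conversion as the v3.2.1 note describes it.

Private half: SHA-512 of the 32-byte Ed25519 seed, first 32 bytes, then RFC
7748 clamping.  Public half: the birational map from the Edwards y-coordinate
to the Montgomery u-coordinate, u = (1 + y) / (1 - y) mod p (RFC 7748, 4.1).
Standard library only; added illustration, not the toolkit's ed25519ToX25519.
"""
import hashlib

P = 2**255 - 19  # field prime shared by Ed25519 and X25519

# Constructed sample seed for demonstration only; never reuse as a real key.
SAMPLE_SEED = bytes(range(1, 33))


def clamp_scalar(k: bytearray) -> bytearray:
    """RFC 7748 clamping: clear the three low bits (kills the cofactor),
    clear bit 255, set bit 254 so every scalar has the same top bit."""
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return k


def ed25519_seed_to_x25519_private(seed: bytes) -> bytes:
    """Same derivation Ed25519 uses for its own signing scalar (RFC 8032,
    5.1.5), so the X25519 key belongs to the same underlying keypair."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    return bytes(clamp_scalar(h))


def is_clamped(k: bytes) -> bool:
    """Invariants a correctly clamped X25519 scalar must satisfy."""
    return len(k) == 32 and k[0] & 7 == 0 and k[31] & 128 == 0 and k[31] & 64 == 64


def ed25519_public_to_x25519_public(pk: bytes) -> bytes:
    """Edwards -> Montgomery: u = (1 + y) * (1 - y)^-1 mod p.
    Ed25519 encodes y little-endian with the sign of x in the top bit of the
    last byte; that bit is masked off because X25519 only needs u."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    if y >= P:
        raise ValueError("y coordinate out of range")
    if y == 1:
        raise ValueError("y = 1 is the identity point; it has no X25519 image")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


def montgomery_u_to_edwards_y(u: int) -> int:
    """Inverse map y = (u - 1) / (u + 1) mod p, used to cross-check the
    forward conversion (a wrong map shows up as a failed round trip)."""
    return (u - 1) * pow((u + 1) % P, -1, P) % P
```

Because both halves are derived from the same Ed25519 material, they stay consistent with the agent's signing identity; a mismatch between the two conversions surfaces as a failed X3DH handshake rather than a silently different key.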

Install

pip install --upgrade agent-governance-toolkit[full]==3.2.1
npm install @microsoft/agentmesh-sdk@3.2.1

v3.2.0 — E2E Encryption, Wire Protocol, Registry, Relay

22 Apr 00:33
58f37ac


Agent Governance Toolkit v3.2.0

Public Preview — Microsoft-signed, production-quality. Feedback welcome.

Highlights

E2E Encrypted Agent Messaging (Signal Protocol)

Full end-to-end encryption across Python AND TypeScript SDKs:

  • X3DH key agreement, Double Ratchet (ChaCha20-Poly1305 + AAD)
  • SecureChannel high-level API
  • EncryptedTrustBridge — trust-gated encrypted sessions
  • MeshClient — relay transport with plaintext peer compat, KNOCK pending queue, wsFactory hook
  • 81 encryption tests across both languages

AgentMesh Wire Protocol v1.0

Published protocol specification (docs/specs/AGENTMESH-WIRE-1.0.md): envelope format, cipher suite, KNOCK intent protocol, registry API, relay semantics, auth model, protocol versioning. Clean-room design with full IP/prior-art documentation.

First-Party Registry + Relay Services

  • Registry — 8 REST endpoints: agent registration, pre-key bundles (atomic OPK consumption), discovery, presence, reputation
  • Relay — WebSocket store-and-forward with 72h TTL offline inbox, heartbeat, KNOCK routing, ciphertext-only storage

New Crypto Libraries (TypeScript)

  • @noble/curves — X25519, Ed25519 (MIT, audited)
  • @noble/ciphers — ChaCha20-Poly1305 (MIT, audited)
  • @noble/hashes — HKDF-SHA256, HMAC (MIT, audited)

Install

pip install --upgrade agent-governance-toolkit[full]==3.2.0
npm install @microsoft/agentmesh-sdk@3.2.0

No breaking changes. Backwards-compatible with v3.1.x.

v3.1.1 — E2E Encrypted Messaging, Security Hardening, Docs Site

21 Apr 04:54
a9b95c4


Agent Governance Toolkit v3.1.1

Public Preview — Microsoft-signed, production-quality. Feedback welcome.

Highlights

E2E Encrypted Agent Messaging (Signal Protocol)

AGT now provides end-to-end encrypted channels between agents using X3DH key agreement + Double Ratchet — the same protocol that secures WhatsApp and Signal. Trust-gated via EncryptedTrustBridge: peers must pass the handshake before encryption begins. 61 tests, zero new dependencies.

Security Hardening

  • Resolved all 106 open code scanning alerts
  • Added BinSkim binary security analysis for .NET SDK
  • 6 Dependabot security vulnerabilities addressed
  • Hardcoded credentials removed

GitHub Pages Docs Site

Full documentation at https://microsoft.github.io/agent-governance-toolkit/ — MkDocs Material, auto-deployed.

Cross-Language SDK Parity

  • .NET: MCP security, kill switch, lifecycle management
  • Go: MCP security, execution rings, lifecycle
  • Rust: Execution rings, lifecycle management

CI/CD

  • Path filters: docs-only PRs drop from ~14 checks to ~4
  • Concurrency groups cancel stale runs
  • ESRP NuGet signing fixed

New Tutorials & Docs

  • Tutorial 32: E2E Encrypted Messaging
  • Tutorial 33: Offline-Verifiable Decision Receipts
  • Customer FAQ (13 Q&As)
  • Chaos testing, ISO 42001, Entra Agent ID bridge tutorials

Install

pip install --upgrade agent-governance-toolkit[full]==3.1.1

No breaking changes. Backwards-compatible with v3.1.0.

Full changelog: CHANGELOG.md

v3.1.0 - Unified CLI, Governance Dashboard, Quantum-Safe Crypto

11 Apr 16:51
89f0206


Agent Governance Toolkit v3.1.0

📦 Package Availability: Signed packages are currently being processed through Microsoft's ESRP Release pipeline for code signing and malware scanning. Expect published binaries on PyPI, npm, NuGet, and crates.io by the week of April 14. In the meantime, you can install directly from source:
pip install git+https://github.com/microsoft/agent-governance-toolkit.git@v3.1.0#subdirectory=packages/agent-compliance

Public Preview - Microsoft-signed, production-quality. Feedback welcome.

Highlights

Unified agt CLI

One command to rule them all. No more hunting across 12 separate binaries.

pip install agent-governance-toolkit[full]
agt doctor          # Check installation health
agt verify          # OWASP ASI 2026 compliance
agt lint-policy .   # Lint your policies

Plugin-extensible via entry points - sub-packages auto-register their commands.

Governance Dashboard

Real-time terminal dashboard showing agent fleet status, trust scores, SLO health, and compliance metrics.

Agent Lifecycle Management

Complete provisioning, credential rotation, orphan detection, and decommission workflow. 8-state lifecycle model with full audit trail.

Shadow AI Discovery

New agent-discovery package scans your infrastructure for unregistered agents and builds a centralized inventory with risk scoring.

Quantum-Safe Cryptography

ML-DSA-65 (FIPS 204) signing alongside Ed25519. Post-quantum ready today.

OWASP ASI 2026

Migrated to the latest Agentic Security Initiative taxonomy with reference architecture. Still 10/10 coverage.

PromptDefenseEvaluator

12-vector prompt injection audit for systematic testing of agents against known attack patterns.

Install / Upgrade

pip install agent-governance-toolkit[full]==3.1.0
agt doctor

TypeScript: npm install @agentmesh/sdk | .NET: dotnet add package Microsoft.AgentGovernance | Rust: cargo add agentmesh

Security Fixes

  • Patched dependency verification bypass and trust handshake DID forgery (#920)
  • Hardened CLI error handling - CWE-209 (internal info disclosure) (#926)
  • Audit log key-whitelisting
  • Agent identifier injection prevention

Breaking Changes

None. Drop-in upgrade from any v3.0.x release.

By the Numbers

  • 9,500+ tests | 10/10 OWASP coverage | < 0.1ms policy eval | 20+ framework integrations | 5 SDK languages

Full Changelog: v3.0.1...v3.1.0

v3.0.1

01 Apr 18:02
cfca75b


What's New in v3.0.1

New SDKs

  • Rust SDK (agentmesh crate) — policy, trust, audit, Ed25519 identity
  • Go SDK — policy, trust, audit, identity with functional options

New Features

  • agentmesh trust report CLI command — trust score visualization
  • Entra Agent ID adapter for managed identity integration
  • Secure code generation templates with AST validation
  • SBOM generation (SPDX/CycloneDX) with Ed25519 artifact signing
  • Tenant isolation checklist and private endpoint deployment examples

Security

  • Secret scanning workflow (Gitleaks)
  • 4 new fuzz targets (7 total): prompt injection, MCP scanner, sandbox, trust scoring
  • Dependabot expanded to 13 ecosystems (+cargo, gomod, nuget, docker)
  • path-to-regexp ReDoS fix (8.3.0 → 8.4.0)
  • ESRP Release publishing for Rust crates (crates.io)

Documentation

  • 7 new tutorials (#21–27): Rust SDK, Go SDK, delegation chains, budgets, security hardening, SBOM, MCP scan
  • README updated: 5 SDK languages, 20+ framework integrations, security tooling table
  • PUBLISHING.md rewritten with full Microsoft compliance policies

CI/CD

  • Branch protection: 13 required status checks, squash-only merges
  • Python 3.10 matrix exclusions for packages requiring >=3.11
  • Multiple ADO build fixes (TypeScript, Rust, NuGet)

Packages

Package              Version
Python (8 packages)  3.0.1
TypeScript SDK       1.0.1
Copilot Extension    1.0.1
MCP Server           1.0.2
.NET SDK             3.0.1
Rust crate           0.1.1

Full Changelog: v3.0.0...v3.0.1

Agent Governance Toolkit v3.0.0 — Microsoft-Signed Public Preview

26 Mar 21:44
09fe829


See RELEASE_NOTES_v3.0.0.md for full details.

Agent Governance Toolkit v2.3.0

26 Mar 04:15
bf5a529


Agent Governance Toolkit v2.3.0

Important

Community Preview Release — All packages published from this repository (PyPI, npm, NuGet)
are community preview releases for testing and evaluation purposes only. They are not
official Microsoft-signed releases. Official Microsoft-signed packages published via ESRP
Release will be available in a future release.

Plugin governance, developer tooling, and hardened security — 97 commits since v2.2.0.

This release introduces a full plugin governance layer (MCP server allowlist/blocklist, schema
adapters, trust tiers), developer-facing tooling (policy linter CLI, pre-commit hooks, GitHub
Actions action), runtime reliability primitives (event bus, task outcomes, graceful degradation,
budget policies), and 14 new tutorials. It also includes significant security hardening across the
entire codebase and two PyPI package renames to avoid namespace collisions.

🚀 What's New

Plugin Governance & MCP Server Controls

  • MCP server allowlist/blocklist — Enforces marketplace-level policies on which MCP servers
    plugins can use through MCPServerPolicy with allowlist/blocklist modes. Validates plugin
    manifests and rejects non-compliant plugins during registration (#425, #426, #434)
  • Plugin trust tiers — Classify plugins into trust levels (e.g., verified, community,
    untrusted) with tier-based policy enforcement (#434)
  • Plugin schema adapters — Auto-detects and adapts Copilot-style and Claude-style plugin
    manifest formats to the canonical PluginManifest schema, enabling multi-format plugin
    support with capability extraction (#424, #429, #433)
  • Batch plugin evaluation — Evaluate multiple plugins against governance policies in a single
    call for marketplace-scale validation (#429, #433)
  • Reference integration example — Complete example showing plugin marketplace governance
    integration end-to-end (#427, #435)

Developer Tooling

  • Governance policy linter CLI — New agent-compliance lint-policy <path> command validates
    YAML policy files for required fields, unknown operators/actions, deprecated names, and
    conflicting rules with JSON/text output options (#404, #432)
  • Pre-commit hooks — Two new hooks for local development: validate-plugin-manifest (checks
    plugin.json schema compliance) and evaluate-plugin-policy (evaluates manifests against
    governance policies before commit) (#428, #431)
  • GitHub Actions action — Composite action at action/action.yml wrapping governance
    verification commands (governance-verify, marketplace-verify, policy-evaluate, all)
    with configurable inputs, structured outputs, and support for plugin marketplace PR
    workflows (#423, #430)
  • JSON schema validation — Governance policy files are now validated against a formal JSON
    schema, catching structural errors before runtime (#305, #367)

Runtime Reliability & Observability

  • Event bus — Cross-gate publish/subscribe system (GovernanceEventBus) enabling loose
    coupling between governance gates (PolicyEvaluator, TrustGate, CircuitBreaker) with standard
    event types for policy violations, trust changes, circuit state, and budget overages
    (#398, #415)
  • Task outcomes — TaskOutcomeRecorder tracks agent task successes/failures with
    severity-based scoring, diminishing returns on success boosts, time-based score recovery,
    and per-agent trust state management (#396, #415)
  • Diff policy — Evaluate only the delta between previous and current policy state to reduce
    overhead on incremental policy updates (#395, #415)
  • Sandbox provider — Pluggable sandbox provider abstraction for swapping isolation backends
    (#394, #415)
  • Graceful degradation — agent_os.compat module provides no-op fallbacks
    (NoOpPolicyEvaluator, NoOpGovernanceMiddleware) allowing consumers to optionally depend
    on the toolkit without try/except boilerplate (#410, #414)
  • Budget policies — BudgetPolicy dataclass defines resource consumption limits (max tokens,
    tool calls, cost, duration) with BudgetTracker for monitoring usage and detecting overages
    with detailed violation reasons (#409, #414)
  • Audit logger — Structured audit logging for governance decisions with pluggable backends
    (#400, #414)
  • Policy evaluation heatmap — Visual heatmap added to the SRE dashboard showing policy
    evaluation patterns and hotspots (#309, #326)
  • Compliance grading — compliance_grade() method added to GovernanceAttestation for
    calculating compliance scores (#346)

Tutorials & Learning Paths

  • 14 new tutorials (07–20) — Launch-ready tutorials covering all toolkit features including
    plugin governance, budget policies, event bus, graceful degradation, MCP server controls,
    and more
  • Tutorials landing page — New README with structured learning paths guiding users from
    beginner to advanced topics (#422)

CI/CD & ESRP

  • PR review orchestrator — Collapses multiple agent review comments into a single unified
    summary on pull requests (#345)
  • Dependency confusion pre-commit hook — Detects unregistered package names before commit,
    plus weekly CI audit job (#350)
  • Markdown link checker — CI workflow to catch broken links in documentation (#323)
  • ESRP NuGet signing — Updated NuGet signing config with Client ID and Key Vault
    integration (#359, #361, #363, #365)

⚠️ Breaking Changes

PyPI Package Renames

Two PyPI packages have been renamed to avoid namespace collisions:

Old Name           New Name               Reason
agent-runtime      agentmesh-runtime      Name collision with AutoGen team's agent-runtime package (#444)
agent-marketplace  agentmesh-marketplace  Consistent agentmesh namespace alignment (#439)

Migration: Update your requirements.txt or pyproject.toml:

- agent-runtime
+ agentmesh-runtime

- agent-marketplace
+ agentmesh-marketplace

🔒 Security

  • Fork RCE hardening — Hardened pull_request_target workflows against fork-based remote
    code execution [MSRC-111178] (#353)
  • Dependency confusion — Comprehensive remediation across the entire codebase: replaced all
    unregistered PyPI package names, added weekly audit CI, added pre-commit detection hook
    (#325, #328, #349, #350, #351, #352)
  • MD5 → SHA-256 migration — All cryptographic hash usage migrated from MD5 to SHA-256
    (#349, #351)
  • ESRP secrets — Moved all ESRP configuration values to pipeline secrets (#370)
  • Maintainer approval enforcement — All external PRs now require maintainer approval (#392)
  • SECURITY.md — Added security policy files to all packages (#354)
  • LangChain crypto hardening — Hardened cryptographic fallback in LangChain integration (#354)
  • 24 security findings addressed — Comprehensive sweep across codebase (#303)
  • Agent sandbox escape hardening — Strengthened isolation boundaries against escape
    vectors (#297)
  • OWASP Agentic AI hardening — Proactive hardening against OWASP Agentic AI Top 10
    themes
  • 47 negative security tests — Adversarial scenario test suite added
  • 101 additional tests — CA security, MCP integration, and audit stub coverage
  • OpenSSF Scorecard fixes — Dangerous-workflow, signed-releases, and pinned-deps
    improvements (#356)

🐛 Bug Fixes

  • Corrected license reference in AgentMesh README from Apache 2.0 to MIT (#436)
  • Hardcoded service connection name in ESRP pipelines (ADO compile-time requirement) (#421)
  • ESRP pipeline fixes for each directive syntax in Verify stages and ESRP_CERT_IDENTIFIER
    secret usage
  • Fixed .NET GovernanceMetrics test isolation — flush listener before baseline assertion (#417)
  • Fixed dependency confusion + pydantic dependency issues (#411, #412)
  • Followup cleanup for recently merged community PRs (#393)
  • Bumped cryptography package, migrated PyPDF2 → pypdf, scoped workflow permissions (#355)
  • Filled community PR gaps — replaced bare excepts, print → logging, added py.typed
    markers, LICENSE fixes (#344)
  • Improved CLI error messages in register and policy commands (#314)
  • SagaStep.MaxRetries rename + behavioral fault injection + lint fix (#295)
  • Pre-announcement security hardening and demo improvements (#296)
  • Restored read-all at workflow level for Scorecard verification (#327)
  • Reverted unsafe merged PRs #357 and #362 (#391)

📚 Documentation

  • Added copilot-instructions.md with PR review checklist (#413)
  • Standardized package README badges across all packages (#373)
  • Added README files to example directories and skill integrations (#371, #372, #390)
  • Added requirements files for example directories (#372)
  • Refreshed all design proposals — updated status, added 5 new proposals (#348)
  • Added inline comments to Helm chart values.yaml (#341)
  • Updated framework integration star counts to current values (#329)
  • Added comprehensive docstrings to mcp_adapter.py classes (#324)
  • Added testing guide for external testers and customers (#313)
  • Added integration author guide for contributors (#311)

📦 Dependencies

GitHub Actions

Package                             From    To
actions/attest-sbom                 2.2.0   4.1.0
actions/attest-build-provenance     2.4.0   4.1.0
actions/github-script               7.0.1   8.0.0
actions/setup-node                  4.4.0   6.3.0
actions/stale                       9.1.0   10.2.0
actions/upload-artifact             4.6.2   7.0.0
anchore/sbom-action                 0.23.1  0.24.0
ossf/scorecard-action               2.4.0   2.4.3
sigstore/gh-action-sigstore-python  3.0.0   3.2.0

npm Dev Dependencies

  • Bumped eslint (#387)
  • Bumped typescript (#385, #386)
  • Bumped yaml (#384)
  • Bumped @typescript-eslint/eslint-plugin (#381, #292)
    ...

Agent Governance Toolkit v2.2.0

18 Mar 22:39


Agent Governance Toolkit v2.2.0

Important

Community Preview Release — All packages published from this repository (PyPI, npm, NuGet)
are community preview releases for testing and evaluation purposes only. They are not
official Microsoft-signed releases. Official Microsoft-signed packages published via ESRP
Release will be available in a future release.

What's New

ESRP Release Publishing Infrastructure

This release establishes the compliant publishing infrastructure required for future official
Microsoft-signed package releases:

  • PyPI publishing migrated from GitHub Actions Trusted Publishers to Azure DevOps pipeline
    using EsrpRelease@11 (pipelines/pypi-publish.yml)
  • npm publishing pipeline created using EsrpRelease@11 with @microsoft scope
    (pipelines/npm-publish.yml)
  • GitHub Actions (publish.yml) now builds and attests packages only — actual publishing
    is done exclusively through ESRP Release ADO pipelines

Package Metadata Compliance

All package metadata has been updated to align with Microsoft Python team and npm publishing
policies:

Python (PyPI) — 7 packages:

  • Author updated to Microsoft Corporation with team distribution list email
  • Agent Governance Toolkit Team added as maintainer across all packages
  • License classifier (License :: OSI Approved :: MIT License) added where missing
  • Community Edition prefix added to all package descriptions
  • agent-runtime build fixed (proper re-export wrapper for agent-hypervisor)

npm — 7 packages:

  • All scoped packages renamed to @microsoft (from @agentmesh, @agent-os, unscoped)
  • Author set to Microsoft Corporation across all packages
  • License corrected to MIT where mismatched (2 packages had Apache-2.0)
  • Repository URLs corrected to microsoft/agent-governance-toolkit
  • Community Edition prefix added to all package descriptions

NuGet — 1 package:

  • Existing ESRP signing configuration retained

Community Preview Disclaimers

Prominent disclaimers have been added to all user-facing documentation:

  • Root README, CHANGELOG, PUBLISHING guide
  • All 7 Python package READMEs
  • All 3 npm package READMEs with user docs
  • Both release notes (v1.0.0 and v2.1.0)
  • PyPI and npm package descriptions (visible on registry pages)

Publishing Documentation

  • New PUBLISHING.md at repo root — public-facing guide covering PyPI, npm, and NuGet
    publishing requirements, metadata standards, and naming conventions
  • ADO pipeline configurations with placeholder ESRP values ready for onboarding

Packages

Python (PyPI)

Package                   Version  Status
agent-os-kernel           2.2.0    Community Preview
agentmesh-platform        2.2.0    Community Preview
agent-hypervisor          2.2.0    Community Preview
agent-runtime             2.2.0    Community Preview
agent-sre                 2.2.0    Community Preview
agent-governance-toolkit  2.2.0    Community Preview
agent-lightning           2.2.0    Community Preview

npm

Package                                 Version  Status
@microsoft/agentmesh-sdk                1.0.0    Community Preview
@microsoft/agentmesh-mcp-proxy          1.0.0    Community Preview
@microsoft/agentos-mcp-server           1.0.1    Community Preview
@microsoft/agentmesh-copilot-governance  0.1.0    Community Preview
@microsoft/agentmesh-mastra             0.1.0    Community Preview
@microsoft/agentmesh-api                0.1.0    Community Preview
@microsoft/agent-os-copilot-extension   1.0.0    Community Preview

NuGet

Package                    Version  Status
Microsoft.AgentGovernance  2.2.0    Community Preview

What's Coming

  • Official Microsoft-signed releases via ESRP Release (pending onboarding approval)
  • PyPI package ownership transfer to microsoft account
  • npm @microsoft scope activation via ESRP
  • NuGet Authenticode + NuGet package signing

Full Changelog

See CHANGELOG.md for the complete list of changes.