
Releases: microsoft/agent-governance-toolkit

v4.1.0

09 Jun 23:11
0de71ca


What's New in v4.1.0

Agent OS (Nexus)

  • Ed25519 signature verification for agent registration and deregistration
  • Escrow signing support in ProofOfOutcome
  • Crewai adapter fixes

Policy Engine

  • Dynamic policy conditions with time-based and cost-aware rules
  • Updated Cedar policy versions
  • agt-policies 5.0.0

All Packages

See CHANGELOG for full details.

v4.0.0

01 Jun 21:03
f276040


Agent Governance Toolkit v4.0.0

Ship agents to production without losing sleep -- now with consolidated packages, TEE key management, and Entra JWT verification across the mesh.

Highlights

Python Package Consolidation (Breaking)

45 Python packages consolidated into 5 clean distributions:

| Distribution | What is included |
|---|---|
| agent-governance-toolkit-core | Policy engine, capability model, audit, MCP gateway, identity, trust scoring |
| agent-governance-toolkit-runtime | Privilege rings, saga orchestration, termination control |
| agent-governance-toolkit-sre | SLOs, error budgets, chaos engineering, circuit breakers |
| agent-governance-toolkit-cli | agt CLI, OWASP verification, integrity checks, policy linting |
| agent-governance-toolkit[full] | Meta-package installing all of the above |

Old package names (agent-os-kernel, agentmesh-platform, etc.) remain as stub redirects for migration.

New Capabilities

  • TEE keystore abstraction (ADR 0010): async key management with TEEKeyHandle, SoftwareKeyHandle, and attested key store adapters
  • Entra-signed JWT verification for mesh-relay WebSocket connections and mesh-registry agent verification
  • Wire-protocol-aware policy evaluation for SQL and Kubernetes across TypeScript, Rust, Go, and .NET
  • Credential injection and offload across all four SDK languages
  • Expanded credential redaction across C#, Python, TypeScript, and Rust
  • Sandbox subprocess code scanner and OpenShell shell interception
  • LangGraph v1.0 governance adapter with stale-auth fingerprinting
  • New CLI governance packages: OpenCode, Antigravity CLI, Claude Code
  • AGT test replay engine for policy regression testing

Security (15+ fixes)

  • Closed authorization bypasses in stateless kernel and execute API
  • Proof-of-possession enforcement on registry endpoints
  • Trust boundary hardening: POP, capability grant auth, signing-oracle, unknown-DID auto-trust
  • JWKS/revocation trust-fetch hardening and URL allowlist matching
  • In-process sandbox hardening against stdlib escape paths
  • Mute-agent: 11 red-team regression tests
  • setuptools minimum raised to 78.1.1 for CVE fix

Documentation

  • README rewrite, docs site refresh, architecture diagrams
  • ADR-0026 (Foundry AI Gateway PDP), ADR-0028 (AGT Studio), ADR-0029 (policy distribution)
  • NSA MCP compliance mapping, zh-TW translations
  • 60+ tutorial improvements

Install

```bash
pip install agent-governance-toolkit[full]
```

Full changelog: CHANGELOG.md

v3.7.0

18 May 22:29
2202431


Agent Governance Toolkit v3.7.0

Release Date: 2026-05-18

Important

Public Preview - All packages published from this repository are
Microsoft-signed public preview releases. They are production-quality but
may have breaking changes before GA.

Highlights

Version Bump and Release Hygiene

v3.7.0 opens the next development cycle with full release documentation for the
v3.6.0 milestone that was previously undocumented.

Tool Usage Policies (oracle/agent-spec)

Contributed the ToolPolicy schema to the Agent Spec standard (PR #191),
enabling declarative rate-limit, approval, and justification guards on tool
invocations. AGT will adopt the ratified schema once merged upstream.

Added

  • v3.6.0 release notes documenting the full scope of the previous release
  • Presentation demos committed to examples/demos/presentation/ (6 offline scripts)
  • EU AI Act demo Windows UTF-8 fix
  • StdoutAuditSink overlapping merge fix
  • Repo structure simplified with layout guide
  • Tutorials reorganized into customer-centric categories

Packages

| Package | Version |
|---|---|
| agent-governance-toolkit (meta) | 3.7.0 |
| agent-os-kernel | 3.7.0 |
| agentmesh-platform | 3.7.0 |
| agentmesh-runtime | 3.7.0 |
| agent-sre | 3.7.0 |
| agent-compliance | 3.7.0 |
| agent-rag-governance | 3.7.0 |
| agent-hypervisor | 3.7.0 |
| agent-lightning | 3.7.0 |
| agentmesh-marketplace | 3.7.0 |

Upgrade Guide

```bash
pip install --upgrade agent-governance-toolkit[full]
agt doctor  # verify installation
agt verify  # confirm OWASP ASI 2026 compliance
```

No breaking changes from v3.6.0.

v3.6.0

18 May 22:29
492b720


Agent Governance Toolkit v3.6.0

Release Date: 2026-05-12

Important

Public Preview - All packages published from this repository are
Microsoft-signed public preview releases. They are production-quality but
may have breaking changes before GA.

Highlights

Formal Specifications Published

v3.6.0 formalizes the governance architecture with six specification documents:

  • AgentMesh Identity and Trust v1.0 - DID lifecycle, Ed25519 signatures, trust scoring
  • AgentMesh Trust and Coordination v1.0 - handshake protocol, capability delegation
  • Agent Hypervisor Execution Control v1.0 - privilege rings, resource quotas, isolation
  • Agent SRE Governance v1.0 - SLOs, error budgets, anomaly detection
  • MCP Security Gateway v1.0 - tool allowlists, PII scanning, SSRF prevention
  • Framework Adapter Contract v1.0 - SPI for pluggable framework integration
  • Audit and Compliance v1.0 - Merkle-chained logs, retention, evidence export

Security Hardening Sprint

319 fixes including:

  • Path traversal guards across SRE, signing, and spec modules
  • SSRF blocklist expansion (.NET OPA backend, TypeScript Cedar)
  • HMAC verification before nonce commit in MCP message signer
  • Shell injection prevention in GitHub Actions inputs
  • Rust prompt injection guard
  • VectorClock causal ordering and fail-closed SessionIsolation
  • YAML deserialization hardened to JSON_SCHEMA (TypeScript)
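The "HMAC verification before nonce commit" item is an ordering bug worth seeing end to end. The block below is an added illustration, not the toolkit's MCP message signer: it builds a small HMAC-signed message format with a replay cache, then runs the same constructed message sequence through the defective ordering (nonce committed, then MAC checked) and the hardened ordering (MAC checked, then nonce committed). All class and function names, the key, and the messages are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed illustration of the "verify the HMAC before committing the nonce"
# ordering. Class and function names are assumptions, not the toolkit's MCP
# message signer.

class SignatureError(Exception):
    pass

class ReplayError(Exception):
    pass

class NonceCache:
    """Remembers nonces for a bounded window so a captured message cannot be replayed."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._seen = {}  # nonce -> expiry time

    def is_seen(self, nonce, now):
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}  # purge expired
        return nonce in self._seen

    def commit(self, nonce, now):
        self._seen[nonce] = now + self.ttl

def canonical(payload, nonce, ts):
    # Deterministic encoding so signer and verifier MAC identical bytes.
    return json.dumps({"payload": payload, "nonce": nonce, "ts": ts},
                      sort_keys=True, separators=(",", ":")).encode()

def sign(key, payload, nonce, ts):
    mac = hmac.new(key, canonical(payload, nonce, ts), hashlib.sha256).hexdigest()
    return {"payload": payload, "nonce": nonce, "ts": ts, "mac": mac}

def mac_is_valid(key, msg):
    expected = hmac.new(key, canonical(msg["payload"], msg["nonce"], msg["ts"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])

def verify_commit_first(key, cache, msg, now, skew=60):
    """Defective ordering: the nonce is recorded before the MAC is checked, so an
    unauthenticated message can consume a nonce and lock out the genuine one."""
    if cache.is_seen(msg["nonce"], now):
        raise ReplayError(msg["nonce"])
    cache.commit(msg["nonce"], now)
    if not mac_is_valid(key, msg):
        raise SignatureError("bad mac")
    if abs(now - msg["ts"]) > skew:
        raise SignatureError("stale timestamp")
    return msg["payload"]

def verify_mac_first(key, cache, msg, now, skew=60):
    """Hardened ordering: nothing unauthenticated changes verifier state."""
    if not mac_is_valid(key, msg):
        raise SignatureError("bad mac")
    if abs(now - msg["ts"]) > skew:
        raise SignatureError("stale timestamp")
    if cache.is_seen(msg["nonce"], now):
        raise ReplayError(msg["nonce"])
    cache.commit(msg["nonce"], now)
    return msg["payload"]

def scenario(verify):
    """Constructed sequence: an unauthenticated message reusing the genuine nonce
    arrives first, then the genuine message, then a replay of the genuine message."""
    key = b"constructed-shared-key"
    cache = NonceCache()
    now = 1_700_000_000
    genuine = sign(key, {"tool": "search", "q": "agt"}, "n-1", now)
    unauthenticated = dict(genuine, payload={"tool": "wipe"}, mac="00" * 32)
    outcome = {}
    for label, msg, t in (("unauthenticated", unauthenticated, now),
                          ("genuine", genuine, now + 1),
                          ("replay", genuine, now + 2)):
        try:
            verify(key, cache, msg, t)
            outcome[label] = "accepted"
        except SignatureError:
            outcome[label] = "rejected:signature"
        except ReplayError:
            outcome[label] = "rejected:replay"
    return outcome

if __name__ == "__main__":
    print("commit-first:", scenario(verify_commit_first))
    print("mac-first:   ", scenario(verify_mac_first))
```

Under the defective ordering the unauthenticated message is correctly rejected but still poisons the cache, so the genuine message that follows is rejected as a replay; under the hardened ordering the genuine message is accepted and only its true replay is refused. The general rule the fix encodes is that a verifier must not mutate state (nonce caches, counters, sessions) on input it has not yet authenticated.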

Cross-Org Agent Federation (ADR-0007)

ExternalJWKSProvider enables agents from different organizations to verify each
other's identities via federated JWKS endpoints without sharing private keys.

Governance Sidecar Container

Production-ready container image for sidecar deployment patterns. Includes the
full governance middleware stack, OTEL bootstrap, and Prometheus /metrics endpoint.

Execution Ring Enforcement

Privilege rings (previously stubs) now enforce real isolation boundaries.
Agents cannot escalate beyond their assigned ring without explicit delegation.
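As an added illustration of the two properties stated above (a child never out-privileges its parent, and escalation requires explicit delegation from a grantor who holds the target ring), the model below is constructed for this page and is not the toolkit's hypervisor API; the ring names, the `Agent`/`Delegation` shapes and the ceiling rule are assumptions. The ceiling propagation it shows also covers the "trust ceiling propagation for delegated child agents" entry in the Added list.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Constructed model of ring enforcement; ring names and the Delegation/Agent
# shapes are assumptions, not the toolkit's hypervisor API.

class Ring(IntEnum):
    KERNEL = 0       # most privileged
    SYSTEM = 1
    SUPERVISOR = 2
    USER = 3         # least privileged

class EscalationDenied(PermissionError):
    pass

@dataclass
class Agent:
    name: str
    ring: Ring
    ceiling: Ring  # most privileged ring this agent may ever reach via delegation

@dataclass(frozen=True)
class Delegation:
    grantor: Agent
    grantee: str
    ring: Ring

def spawn_child(parent: Agent, name: str, requested: Ring) -> Agent:
    # A child never starts more privileged than its parent (higher number = less
    # privileged), and its ceiling is the parent's own ring, so the ceiling only
    # tightens as the delegation tree deepens.
    ring = max(requested, parent.ring)
    return Agent(name=name, ring=ring, ceiling=parent.ring)

def escalate(agent: Agent, target: Ring, delegation: Optional[Delegation] = None) -> Agent:
    if target >= agent.ring:
        return agent  # moving to the same or a less privileged ring is not an escalation
    if delegation is None:
        raise EscalationDenied(f"{agent.name}: no delegation for ring {target.name}")
    if delegation.grantee != agent.name or delegation.ring != target:
        raise EscalationDenied("delegation does not match this request")
    if delegation.grantor.ring > target:
        raise EscalationDenied(f"grantor holds {delegation.grantor.ring.name}, cannot grant {target.name}")
    if target < agent.ceiling:
        raise EscalationDenied(f"{agent.name}: {target.name} is above ceiling {agent.ceiling.name}")
    agent.ring = target
    return agent

def demo() -> dict:
    """Constructed walk-through: an orchestrator at SYSTEM spawns a worker, the
    worker spawns a helper, and the worker tries three escalations."""
    orchestrator = Agent("orchestrator", Ring.SYSTEM, ceiling=Ring.SYSTEM)
    worker = spawn_child(orchestrator, "worker", requested=Ring.USER)
    helper = spawn_child(worker, "helper", requested=Ring.KERNEL)  # request is clamped
    out = {
        "worker_start": worker.ring.name,
        "helper_clamped": helper.ring.name,
        "helper_ceiling": helper.ceiling.name,
    }
    try:
        escalate(worker, Ring.SUPERVISOR)
        out["no_delegation"] = "allowed"
    except EscalationDenied:
        out["no_delegation"] = "denied"
    escalate(worker, Ring.SUPERVISOR, Delegation(orchestrator, "worker", Ring.SUPERVISOR))
    out["with_delegation"] = worker.ring.name
    try:
        escalate(worker, Ring.KERNEL, Delegation(orchestrator, "worker", Ring.KERNEL))
        out["above_grantor"] = "allowed"
    except EscalationDenied:
        out["above_grantor"] = "denied"
    return out

if __name__ == "__main__":
    print(demo())
```

The checks are deliberately fail-closed: a request that is not an escalation passes, and everything else must be matched by a delegation whose grantor actually holds the target ring and whose target does not cross the agent's inherited ceiling.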

New Integrations

  • Azure ACA Sandbox Provider - container-based sandboxing on Azure Container Apps
  • AWS Bedrock Agent Adapter - governance wrapper for Bedrock Agents
  • RAG Governance - retrieval access control with Cedar policies and LlamaIndex adapter
  • Agent Shield - 5-stage guardrails engine (prompt defense, PII/CRI detection)
  • Copilot CLI Governance - governance checks for Copilot CLI tool invocations
  • GitHub Actions Governance Gate - block non-compliant agent deployments in CI/CD

StdoutAuditSink and Execution Context

New audit sink for containerized deployments (Kubernetes, Docker, OpenShell) that
writes JSONL to stdout. Audit entries now carry execution-context fields
(sandbox_id, environment, container_runtime) when available.

Added

  • 6 formal specifications - identity, trust, hypervisor, SRE, MCP security, adapters, audit (#2344, #2353, #2360, #2361, #2363, #2364, #2369, #2375)
  • ExternalJWKSProvider for cross-org agent federation (#2380)
  • GovernanceEventSink SPI for pluggable event routing (#2362)
  • Governance sidecar container with OTEL and Prometheus (#2307, #2312)
  • Execution ring enforcement beyond stubs (#2309)
  • Trust ceiling propagation for delegated child agents (#2306)
  • ExternalPolicyBackend interface for pluggable evaluators (#2304)
  • StdoutAuditSink with execution-context enrichment (#2302, #2305)
  • Azure ACA sandbox provider (#2236)
  • AWS Bedrock Agent adapter (#1833)
  • RAG Governance package with Cedar + LlamaIndex (#1754, #1820, #1975)
  • Agent Shield 5-stage guardrails integration (#1805)
  • PII/CRI detection in MCP Security Gateway (#1815)
  • Copilot CLI governance package (#2272)
  • GitHub Actions governance gate (#2102)
  • PluginInstaller real artifact fetch with SHA-256 verification (#1980)
  • Attestation collector/verifier interfaces (#2226)
  • Go quickstart example (#1817)
  • .NET ASP.NET Core middleware example (#1796)
  • Presentation demos - 6 self-contained offline demo scripts (#2390)
  • dbt data quality evidence adapter example (#2278)
  • ATR community import example (#2308)
  • NOT_IN operator for policy evaluation (#2373)
  • RFC process and issue template (#2356)
  • License header enforcement in CI (#2331)
  • Semantic PR title enforcement (#2325)
  • 25 retroactive ADRs (0001-0025) documenting prior decisions (#2329, #2377)

Fixed

  • StdoutAuditSink syntax error from overlapping merge (#2382)
  • EU AI Act demo Unicode encoding on Windows (#2388)
  • VectorClock causal ordering and fail-closed SessionIsolation (#2346)
  • Path traversal guards in SRE capture, signing, and specs (#2352)
  • HMAC verification before nonce commit in MCP signer (#2354)
  • SSRF blocklist expanded for cloud metadata endpoints (.NET) (#2358)
  • YAML deserialization hardened to JSON_SCHEMA (TypeScript) (#2333, #2334)
  • Shell injection prevention in Actions inputs (#2330)
  • Docker CLI args - use ArgumentList instead of string concat (#2357)
  • PolicyAction validation from YAML instead of unsafe cast (TS) (#2355)
  • Hypervisor isolation tests aligned with fail-closed implementation (#2370)
  • CI hardening - lint, safety check, docs deploy, ATR sync (#2341, #2345, #2348, #2349, #2365, #2367, #2371, #2376, #2378)
  • .NET streaming governance for MAF agents (#2366)
  • AEGIS cleanup consolidated tracker resolved (#2332)
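The SSRF blocklist entries here and in the Highlights above, together with the "URL allowlist matching" item in the v4.0.0 security list, describe two layers that outbound trust fetches (JWKS, revocation lists) need. The block below is an added example, not the toolkit's fetch code: it contrasts a naive string-prefix allowlist with exact-host matching, and checks resolved addresses against loopback, private and cloud-metadata ranges. The allowlist, the resolved addresses and all function names are constructed for the example; no DNS lookup is performed.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed allowlist: in a real deployment this comes from configuration.
ALLOWED_HOSTS = {"login.example.com", "jwks.partner.example"}

BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",     # link-local, includes the 169.254.169.254 metadata address
    "fd00:ec2::254/128",  # AWS IMDS IPv6 address
    "127.0.0.0/8", "::1/128", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fe80::/10", "fc00::/7",
)]

def naive_allowed(url: str) -> bool:
    """The weak check: a string prefix match, which a crafted host defeats."""
    return any(url.startswith(f"https://{h}") for h in ALLOWED_HOSTS)

def host_allowed(url: str) -> bool:
    """Exact match on the parsed host: https only, no IP literals, userinfo ignored."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    host = parts.hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # IP literals are never on a hostname allowlist
    except ValueError:
        pass
    return host in ALLOWED_HOSTS

def address_blocked(ip_text: str) -> bool:
    """True if a resolved address lands in a loopback, private or metadata range.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so it cannot bypass the v4 rules."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def fetch_allowed(url: str, resolved: List[str]) -> bool:
    """Both layers together. Every resolved address must pass, because a DNS answer
    can mix public and internal records; an empty answer is refused outright."""
    parts = urlsplit(url)
    if parts.hostname and parts.hostname.lower() in BLOCKED_HOSTNAMES:
        return False
    if not host_allowed(url) or not resolved:
        return False
    return not any(address_blocked(ip) for ip in resolved)

if __name__ == "__main__":
    for u in ("https://login.example.com/.well-known/jwks.json",
              "https://login.example.com.evil.test/jwks",
              "https://login.example.com@evil.test/jwks"):
        print(f"{u}: naive={naive_allowed(u)} exact={host_allowed(u)}")
```

The second and third sample URLs pass the naive check and fail the exact one, which is the difference the v4.0.0 allowlist-matching item is about. Applying the address check to every resolved record, after resolution, also closes the gap left by hostname-only filtering when a public name points at an internal address.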

Changed

  • Tutorials reorganized into collapsible customer-centric categories (#2389)
  • Repo structure simplified with layout guide (#2391)
  • ADK wrap/unwrap/get_callbacks deprecated with runtime warnings (#2359)
  • MeshClient - event hooks, auto-reconnect, Ed25519 verify, heartbeat (#2090)
  • Golang examples gallery covering every agentmesh module (#2275)

Packages

| Package | Version |
|---|---|
| agent-governance-toolkit (meta) | 3.5.0 |
| agent-os-kernel | 3.6.0 |
| agentmesh-platform | 3.6.0 |
| agentmesh-runtime | 2.3.0 |
| agent-sre | 3.6.0 |
| agent-compliance | 3.6.0 |
| agent-rag-governance | 3.6.0 |
| agent-hypervisor | 3.6.0 |
| agent-lightning | 3.6.0 |
| agentmesh-marketplace | 3.6.0 |

Upgrade Guide

```bash
pip install --upgrade agent-governance-toolkit[full]
agt doctor  # verify installation
agt verify  # confirm OWASP ASI 2026 compliance
```

No breaking changes from v3.5.0. New features are additive.

v3.5.0

08 May 00:00
889c70c


Highlights

Citadel Integration - Entra identity bridge and APIM policy fragment for enterprise-grade agent identity. Includes Phase 1 (docs, exporter, policy binding) and Phase 2 (Entra bridge, APIM fragment).

Multi-Agent Collective Policies - evaluate constraints (rate limits, concurrent caps) across all agents in a workflow, not just individual agents.

Decision BOM Reconstructible View - reconstruct the full decision lineage for any agent action from observability signals, with resilient partial reconstruction when sources are unavailable.

Intent-Based Authorization - declare/approve/execute/verify lifecycle with drift detection for multi-agent orchestration.

Cost Governance - tiered budgets (per-task, per-agent, org-wide), auto-throttle, kill switches, and anomaly detection.

Centralized Version Management - a single `VERSION` file and `scripts/sync-version.py` propagate the version across Python, TypeScript, .NET, and Rust.

Added

  • Citadel Phase 1 and Phase 2 (#1778, #1785)
  • Multi-agent collective policy evaluator (#1776)
  • Decision BOM reconstructible view (#1777)
  • Intent-Based Authorization (Tutorial 48, #1781)
  • Cost Governance (Tutorial 51, #1784)
  • Identity attestation evidence model (#1763)
  • OTelLogsBackend for audit emission (#1747)
  • Aegis governance profile - YAML to Cedar + Rego (#1704)
  • .NET Quickstart console app (#1794)
  • .NET unit tests for governance client (#1792)
  • 57 hardened tests + 20 smoke tests (#1786)
  • ADOPTERS.md, GOVERNANCE.md, CHARTER.md, MAINTAINERS.md
  • A365+AGT reference architecture guide (#1768)
  • ADR-0012 cost governance (#1769)
  • Tutorials 48-51
  • Rust quickstart example (#1677)
  • Korean README translation (#1729)

Fixed

  • Decision BOM source exception resilience (#1786)
  • .NET version drift (3.3.0 -> 3.5.0) centralized in Directory.Build.props (#1803)
  • CI hardening (branch protection, DCO, cspell, link-check)
  • Lazy imports for framework adapters (#1766)

Install

```bash
pip install agent-governance-toolkit[full]==3.5.0
```

```bash
dotnet add package Microsoft.AgentGovernance --version 3.5.0
```

Full changelog: https://github.com/microsoft/agent-governance-toolkit/blob/main/CHANGELOG.md

v3.4.0 — Contributor Check False-Positive Fix

05 May 03:12
3925fae


What's Changed

Fixed

  • Contributor Reputation Check — false-positive HIGH risk for established accounts. Accounts with age > 1yr, 50+ followers, and 20+ repos now have `recent_repo_burst` and `cross_repo_spray` signals dampened to LOW with bounded caps and abuse-signal guards (#1725)

Changed

  • CI — fixed ruff lint errors in agent-compliance CLI tools, added SC2153 to shellcheck disable list (#1724)
  • README — removed duplicate Docs and PyPI shield badges

Full Changelog: v3.3.0...v3.4.0

v3.3.0 - Contributor Reputation + Repo Reorganization

27 Apr 03:28
15e001f


Highlights

Contributor Reputation Check

A new reusable GitHub Action that screens PR and issue authors for coordinated inauthentic behavior. Any OSS repo can adopt it:

```yaml
- uses: microsoft/agent-governance-toolkit/.github/actions/contributor-check@v3.3.0
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
```

Detects following farming, cross-repo spray, credential laundering, and network coordination. Runs automatically on every PR/issue open. Labels and comments on MEDIUM/HIGH risk. Zero external dependencies.

Repo Reorganization

All SDK packages now live under language-specific directories for a clean, navigable root:

  • agent-governance-python/ (10 packages)
  • agent-governance-typescript/ (VS Code extension + TS SDK)
  • agent-governance-dotnet/ (.NET SDK)
  • agent-governance-rust/ (Rust SDK)
  • agent-governance-golang/ (Go SDK)

Shift-Left Governance

Tutorial 45 walks through AGT's full shift-left story. Contributor reputation is now the leftmost check in the pipeline, before pre-commit hooks, before CI.

Also in this release

  • Sentry integration for Agent SRE
  • Policy composition with extends inheritance
  • Multi-stage policy pipeline (pre_input, pre_tool, post_tool, pre_output)
  • 2-line governance wrapper: govern() function
  • Human-in-the-loop approval workflows
  • OpenTelemetry native observability
  • ATR Community Rules upgraded to 287 rules
  • EU AI Act compliance templates
  • SDK parity improvements across .NET, TypeScript, Rust, Go
  • 80+ total changes

See full CHANGELOG for details.

v3.2.2 — Fix @noble subpath exports for Node.js runtime

22 Apr 19:15
9328ca5


Patch fix: adds .js extensions to @noble/* subpath imports so compiled SDK resolves correctly via Node.js exports field. Without this, consumers get ERR_PACKAGE_PATH_NOT_EXPORTED at runtime.

v3.2.1 — Fix npm encryption exports

22 Apr 15:02
0588f6d


Pre-release

Agent Governance Toolkit v3.2.1

Public Preview — Microsoft-signed, production-quality.

Fix

The v3.2.0 npm package (@microsoft/agentmesh-sdk) was missing the encryption module exports because the ESRP build ran before the TypeScript 6.0 compatibility fix (PR #1305) was merged. This patch release ensures dist/encryption/ is included.

Now correctly exported from npm:

  • X3DHKeyManager, generateX25519KeyPair, ed25519ToX25519
  • DoubleRatchet
  • SecureChannel
  • MeshClient (relay transport with E2E encryption)

Also fixed:

  • @noble/hashes import paths (sha256 -> sha2)
  • Removed edwardsToMontgomeryPriv/Pub (replaced with SHA-512 + RFC 7748 clamping)
  • Jest config for ESM @noble/* packages
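The "SHA-512 + RFC 7748 clamping" that replaced the removed helpers is the standard way to reuse an Ed25519 key pair for X25519, and it is short enough to show in full. The block below is an added illustration in Python standard library only; it is not the SDK's `ed25519ToX25519` export and the function names are assumptions. The private side expands the Ed25519 seed with SHA-512 and clamps the first half exactly as RFC 8032 does for signing; the public side applies the birational map u = (1 + y)/(1 - y) from RFC 7748 to the Edwards y-coordinate.

```python
import hashlib

# Added illustration of "SHA-512 + RFC 7748 clamping"; function names are
# assumptions, not the SDK's ed25519ToX25519 exports.

P = 2**255 - 19  # field prime shared by Curve25519 (Montgomery) and edwards25519

def clamp_scalar(k: bytes) -> bytes:
    """RFC 7748 decodeScalar25519: clear the low 3 bits, clear bit 255, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)

def ed25519_seed_to_x25519_private(seed: bytes) -> bytes:
    """Ed25519 expands its 32-byte seed with SHA-512 (RFC 8032 5.1.5) and uses the
    clamped first half as the signing scalar; that same value is a valid X25519 scalar."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    return clamp_scalar(hashlib.sha512(seed).digest()[:32])

def ed25519_public_to_x25519_public(pk: bytes) -> bytes:
    """Map the Edwards y-coordinate to the Montgomery u-coordinate:
    u = (1 + y) / (1 - y) mod p (RFC 7748 4.1). The encoded sign bit of x is discarded."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    b = bytearray(pk)
    b[31] &= 0x7F  # drop the x sign bit
    y = int.from_bytes(b, "little")
    if y >= P:
        raise ValueError("y is not a canonical field element")
    if y == 1:
        raise ValueError("y = 1 has no Montgomery image (1 - y is not invertible)")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")

def x25519_public_to_edwards_y(u_bytes: bytes) -> int:
    """Inverse map y = (u - 1) / (u + 1) mod p, used here to check the conversion."""
    u = int.from_bytes(u_bytes, "little")
    if (u + 1) % P == 0:
        raise ValueError("u = -1 has no Edwards image")
    return (u - 1) * pow((u + 1) % P, -1, P) % P

if __name__ == "__main__":
    # RFC 8032 section 7.1 test vector 1 (seed and public key), used as sample input.
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
    print("x25519 private:", ed25519_seed_to_x25519_private(seed).hex())
    print("x25519 public: ", ed25519_public_to_x25519_public(pk).hex())
```

The two halves are consistent with each other: X25519 scalar multiplication of the converted private scalar by the Montgomery base point yields the converted public key, because the map sends the Edwards base point to the Montgomery base point. Implementations that do this conversion should keep the y = 1 and u = -1 edge cases as hard errors rather than silently returning a value.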

Install

```bash
pip install --upgrade agent-governance-toolkit[full]==3.2.1
npm install @microsoft/agentmesh-sdk@3.2.1
```

v3.2.0 — E2E Encryption, Wire Protocol, Registry, Relay

22 Apr 00:33
58f37ac


Agent Governance Toolkit v3.2.0

Public Preview — Microsoft-signed, production-quality. Feedback welcome.

Highlights

E2E Encrypted Agent Messaging (Signal Protocol)

Full end-to-end encryption across Python AND TypeScript SDKs:

  • X3DH key agreement, Double Ratchet (ChaCha20-Poly1305 + AAD)
  • SecureChannel high-level API
  • EncryptedTrustBridge — trust-gated encrypted sessions
  • MeshClient — relay transport with plaintext peer compat, KNOCK pending queue, wsFactory hook
  • 81 encryption tests across both languages

AgentMesh Wire Protocol v1.0

Published protocol specification (docs/specs/AGENTMESH-WIRE-1.0.md): envelope format, cipher suite, KNOCK intent protocol, registry API, relay semantics, auth model, protocol versioning. Clean-room design with full IP/prior-art documentation.

First-Party Registry + Relay Services

  • Registry — 8 REST endpoints: agent registration, pre-key bundles (atomic OPK consumption), discovery, presence, reputation
  • Relay — WebSocket store-and-forward with 72h TTL offline inbox, heartbeat, KNOCK routing, ciphertext-only storage

New Crypto Libraries (TypeScript)

  • @noble/curves — X25519, Ed25519 (MIT, audited)
  • @noble/ciphers — ChaCha20-Poly1305 (MIT, audited)
  • @noble/hashes — HKDF-SHA256, HMAC (MIT, audited)

Install

```bash
pip install --upgrade agent-governance-toolkit[full]==3.2.0
npm install @microsoft/agentmesh-sdk@3.2.0
```

No breaking changes. Backwards-compatible with v3.1.x.