github.com/microsoft/agent-governance-toolkit @v4.1.0

README


Agent Governance Toolkit

Ship agents to production without losing sleep

Full Documentation

🚀 Quick Start · 📋 Specifications · 📦 PyPI · 📝 Changelog


Important: Public Preview. These are production-quality public preview releases; there may be breaking changes before GA.

Policy enforcement, identity, sandboxing, and SRE for autonomous AI agents. One pip install, any framework.


The Problem

Your AI agents call tools, browse the web, query databases, and delegate to other agents. Once deployed, they make decisions autonomously. You need answers to three questions:

1. Is this action allowed? An agent with access to send_email and query_database should not be able to drop_table. OAuth scopes and IAM roles control which services an agent can reach, not what it does once connected.

2. Which agent did this? In a multi-agent system, five agents might share a single API key. When something goes wrong, "an agent did it" is not an incident response.

3. Can you prove what happened? Auditors and regulators need tamper-evident records of every decision: what policy was active, what the agent requested, and why it was allowed or denied.

Prompt-level safety ("please follow the rules") is not a control surface. It is a polite request to a stochastic system. OWASP LLM01:2025 states this explicitly: "it is unclear if there are fool-proof methods of prevention for prompt injection." The published numbers back this up. Andriushchenko et al. (ICLR 2025) report 100% attack success rate on GPT-4o, GPT-3.5, Claude 3, and Llama-3 using adaptive attacks with logprob access and suffix optimization, evaluated against the JailbreakBench benchmark (Chao et al., NeurIPS 2024). Microsoft's own AI Red Teaming Agent formalizes Attack Success Rate (ASR), the rate of policy violations under adversarial input, as the canonical metric for this class of failure. Lessons from Red Teaming 100 Generative AI Products reinforces the point: "mitigations do not eliminate risk entirely" and red teaming must be a continuous process because model-layer defenses are probabilistic by construction.

AGT does not try to win that fight inside the prompt. Every tool call, message send, and delegation is intercepted in deterministic application code before the model's intent reaches the wire. Actions the AGT kernel denies are not "unlikely." They are structurally impossible. That is the difference between asking an agent to behave and making it incapable of misbehaving.


Quick Start

Prerequisites: Python 3.10+

pip install agent-governance-toolkit[full]

For Claude Code, add AGT as a plugin marketplace and install the governance plugin:

/plugin marketplace add microsoft/agent-governance-toolkit
/plugin install agt-governance@agent-governance-toolkit

Govern any tool function in two lines:

from agentmesh.governance import govern

safe_tool = govern(my_tool, policy="policy.yaml")   # every call checked, logged, enforced

That's it. safe_tool evaluates your YAML policy on every call, logs the decision, and raises GovernanceDenied if the action is blocked.

# policy.yaml
apiVersion: governance.toolkit/v1
name: production-policy
default_action: allow
rules:
  - name: block-destructive
    condition: "action.type in ['drop', 'delete', 'truncate']"
    action: deny
    description: "Destructive operations require human approval"

  - name: require-approval-for-send
    condition: "action.type == 'send_email'"
    action: require_approval
    approvers: ["security-team"]

>>> safe_tool(action="read", table="users")
{'table': 'users', 'rows': 42}

>>> safe_tool(action="drop", table="users")
GovernanceDenied: Action denied by policy rule 'block-destructive':
  Destructive operations require human approval

Or use the full PolicyEvaluator API for programmatic control:

PolicyEvaluator example

from agent_os.policies import (
    PolicyEvaluator, PolicyDocument, PolicyRule,
    PolicyCondition, PolicyAction, PolicyOperator, PolicyDefaults
)

evaluator = PolicyEvaluator(policies=[PolicyDocument(
    name="my-policy", version="1.0",
    defaults=PolicyDefaults(action=PolicyAction.ALLOW),
    rules=[PolicyRule(
        name="block-dangerous-tools",
        condition=PolicyCondition(
            field="tool_name",
            operator=PolicyOperator.IN,
            value=["execute_code", "delete_file"]
        ),
        action=PolicyAction.DENY, priority=100,
    )],
)])

result = evaluator.evaluate({"tool_name": "web_search"})    # Allowed
result = evaluator.evaluate({"tool_name": "delete_file"})   # Blocked

TypeScript / .NET / Rust / Go examples

TypeScript

import { PolicyEngine } from "@microsoft/agent-governance-sdk";

const engine = new PolicyEngine([
  { action: "web_search", effect: "allow" },
  { action: "shell_exec", effect: "deny" },
]);
engine.evaluate("web_search"); // "allow"
engine.evaluate("shell_exec"); // "deny"

.NET

using AgentGovernance;
using AgentGovernance.Extensions.ModelContextProtocol;
using AgentGovernance.Policy;

var kernel = new GovernanceKernel(new GovernanceOptions
{
    PolicyPaths = new() { "policies/default.yaml" },
});
var result = kernel.EvaluateToolCall("did:mesh:agent-1", "web_search",
    new() { ["query"] = "latest AI news" });

// MCP server integration (`builder` is assumed to be your application's host builder,
// created earlier in startup and not shown in this snippet)
builder.Services.AddMcpServer()
    .WithGovernance(options => options.PolicyPaths.Add("policies/mcp.yaml"));

Rust

use agent_governance::{AgentMeshClient, ClientOptions};

let client = AgentMeshClient::new("my-agent").unwrap();
let result = client.execute_with_governance("data.read", None);
assert!(result.allowed);

Go

import (
    "log"

    agentmesh "github.com/microsoft/agent-governance-toolkit/agent-governance-golang"
)

client, err := agentmesh.NewClient("my-agent",
    agentmesh.WithPolicyRules([]agentmesh.PolicyRule{
        {Action: "data.read", Effect: agentmesh.Allow},
        {Action: "*", Effect: agentmesh.Deny}, // default deny for anything not listed
    }),
)
if err != nil {
    log.Fatal(err) // do not continue ungoverned if the client failed to initialise
}
result := client.ExecuteWithGovernance("data.read", nil)

CLI tools:

agt doctor                                        # check installation
agt verify                                        # OWASP compliance check
agt verify --evidence ./agt-evidence.json --strict # fail CI on weak evidence
agt red-team scan ./prompts/ --min-grade B         # prompt injection audit
agt lint-policy policies/                          # validate policy files

Full walkthrough: quickstart.md -- zero to governed agents in 5 minutes.


How It Works

Agent ──► Policy Engine ──► Identity ──► Audit Log
            (YAML/OPA/Cedar)  (SPIFFE/DID/mTLS)  (Tamper-evident)
                 │                                      │
                 ├── Allowed ──► Tool executes           │
                 └── Denied  ──► GovernanceDenied        │
                                                        ▼
                                                 Decision Record

Every layer is optional. Start with govern() and add layers as your risk profile grows. Most teams run policy enforcement + audit logging and never need the full stack.
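As a worked illustration of the Quick Start flow and the diagram above, here is a constructed, self-contained sketch (not the toolkit's own code) of a govern()-style wrapper: rules mirroring the README's policy.yaml are evaluated in plain Python before the tool runs, and every decision is appended to a hash-chained log whose verify() detects any edited or dropped record. POLICY, AuditLog, _digest and the did:mesh:agent-1 identifier are assumptions made for this example.

```python
import hashlib
import json

class GovernanceDenied(Exception):
    """Raised before the tool runs, so the denied action never reaches the wire."""

# Constructed rule set mirroring the README's policy.yaml; conditions are plain
# Python predicates here instead of the toolkit's expression syntax.
POLICY = {"default_action": "allow", "rules": [
    {"name": "block-destructive", "action": "deny",
     "when": lambda a: a.get("action") in ("drop", "delete", "truncate"),
     "description": "Destructive operations require human approval"},
    {"name": "require-approval-for-send", "action": "require_approval",
     "when": lambda a: a.get("action") == "send_email", "approvers": ["security-team"]},
]}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only decision records; each hash covers the previous hash (tamper-evident chain)."""
    def __init__(self):
        self.records, self.head = [], "0" * 64

    def record(self, agent_id, args, rule, decision):
        body = {"agent": agent_id, "args": dict(args), "rule": rule,
                "decision": decision, "prev": self.head}
        self.head = _digest(body)
        self.records.append({**body, "hash": self.head})

    def verify(self):
        prev = "0" * 64
        for r in self.records:  # any edited field or dropped record breaks the chain
            body = {k: v for k, v in r.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True

def govern(tool, policy, log, agent_id="did:mesh:agent-1"):  # evaluate, log, enforce
    def wrapped(**args):
        rule = next((r for r in policy["rules"] if r["when"](args)), None)  # first match wins
        decision = rule["action"] if rule else policy["default_action"]
        log.record(agent_id, args, rule["name"] if rule else None, decision)
        if decision == "deny":
            raise GovernanceDenied(f"Action denied by policy rule '{rule['name']}': {rule['description']}")
        if decision == "require_approval":
            return {"status": "pending_approval", "approvers": rule["approvers"]}
        return tool(**args)
    return wrapped
```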


Packages

Package: description
Agent OS: Policy engine, agent lifecycle, governance gate
Agent Control Specification (README): Stateless, deterministic, fail-closed policy decision runtime (Rust core) backing the AGT policy layer
Agent Mesh: Agent discovery, routing, and trust mesh
Agent Runtime: Execution sandboxing with four privilege rings
Agent SRE: Kill switch, SLO monitoring, chaos testing
Agent Compliance: OWASP verification, policy linting, integrity checks
Agent Marketplace: Plugin governance and trust scoring
Agent Lightning: RL training governance with violation penalties
Agent Hypervisor: Execution audit, delta engine, commitment anchoring

Additional Capabilities

Capability: description
MCP Security Gateway: Tool poisoning detection, drift monitoring, typosquatting, hidden instruction scanning (Spec)
Shadow AI Discovery: Find unregistered agents across processes, configs, and repos (Discovery)
Governance Dashboard: Real-time fleet visibility for health, trust, and compliance (Dashboard)
PromptDefense Evaluator: 12-vector prompt injection audit (Evaluator)
Contributor Reputation: PR/issue author screening for social engineering; reusable GitHub Action (Action)

Install

Language (package): install command
Python (agent-governance-toolkit): pip install agent-governance-toolkit[full]
TypeScript (@microsoft/agent-governance-sdk): npm install @microsoft/agent-governance-sdk
Copilot CLI (@microsoft/agent-governance-copilot-cli): npx @microsoft/agent-governance-copilot-cli install
Claude Code (@microsoft/agent-governance-claude-code): claude --plugin-dir ./agent-governance-claude-code
OpenCode (@microsoft/agent-governance-opencode): npm install @microsoft/agent-governance-opencode
.NET (Microsoft.AgentGovernance): dotnet add package Microsoft.AgentGovernance
.NET MCP (Microsoft.AgentGovernance.Extensions.ModelContextProtocol): dotnet add package Microsoft.AgentGovernance.Extensions.ModelContextProtocol
Rust (agent-governance): cargo add agent-governance
Go (agent-governance-toolkit): go get github.com/microsoft/agent-governance-toolkit/agent-governance-golang

All five language SDKs implement core governance (policy, identity, trust, audit). Python has the full stack. Copilot CLI and Claude Code are first-party developer surfaces built on the TypeScript SDK. See Language Package Matrix for detailed per-language coverage.

Python distributions (v4.0.0 — consolidated)

As of v4.0.0, 45 packages have been consolidated into 5 top-level distributions:

Distribution (PyPI): what's included
agent-governance-toolkit-core (agent-governance-toolkit-core): Policy engine, capability model, audit, MCP gateway, zero-trust identity, trust scoring, A2A/MCP/IATP bridges
agent-governance-toolkit-runtime [agent-governance-toolkit-runtime](https://pypi.or
