feat(governance): agt verify CI step and release evidence — closes #340 #346
Merged
Closes #340.

- governance/cmcp-enforcement.yaml: YAML policy descriptor with deny_by_default: true that satisfies agt verify --evidence deny-semantics check. Documents Cedar default-deny enforcement at the MCP gateway.
- scripts/gen_agt_evidence.py: generates agt-evidence.json from live package metadata and the bfsi-demo catalog + policy files.
- CI: new governance job (depends on test) runs agt verify --evidence, fails on regression, uploads agt-evidence.json + agt-attestation.json as artifacts.
- Release: new governance-release job generates evidence post-publish and attaches both files to the GitHub release asset list.
- tests/unit/test_agt_evidence.py: 14 tests covering schema, all required deployment fields, JSON round-trip, governance YAML deny semantics, and (when AGT is installed) GovernanceVerifier.verify_evidence() integration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Move importlib.util before pytest (I001 import order)
- Replace timezone.utc with datetime.UTC (UP017, x2)
- Remove f prefix from string literal with no placeholders (F541)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The agt CLI entry point lives in agent-compliance, not the package installed by .[dev]. Without it the governance step fails with 'agt: command not found'.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
imran-siddique added a commit that referenced this pull request Jun 25, 2026

… job

agent-governance-toolkit-core is already installed as a core dependency via pip install -e ".[dev]", so agt is available without the extra arg. agent-compliance does not exist on PyPI and has been failing CI since #346.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
imran-siddique added a commit that referenced this pull request Jun 25, 2026

The agt CLI is provided by agent-governance-toolkit-compliance, not agent-compliance. The latter name does not exist on PyPI; this was the root cause of the governance job failure since #346.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
imran-siddique added a commit that referenced this pull request Jun 25, 2026
…estation (#352)

* feat(experiments): add Claim 5 temporal adjacency and Claim 6 cross-org attestation

  Claim 5 (temporal-adjacency): 6 properties proven -- monotonic sequence numbers, cross-boundary event detection from phi/pii/pci/restricted domains, provenance disclaimer in every call graph summary, zero false negatives by construction, concurrent call ordering, denied calls recorded. 9 pytest tests. Closes #350.

  Claim 6 (cross-org-attestation): software simulation of dual-TEE B2B protocol. 7 properties proven -- independent keypairs, session_id linkage, Phase 1 and Phase 2 nonce binding (SHA-256(key||session_id)), independent verification, cross-claim tamper independence, server binary swap detection. 9 pytest tests. Closes #351.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(lint): resolve ruff errors in claim5/6 test files

  - PLC2701: add noqa for private _HIGH_SENSITIVITY_DOMAINS import
  - C416: replace unnecessary list comprehension with list()
  - F841: remove unused variables sv_key, session_id, key

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(lint): sort imports in test_claim5_temporal_adjacency (I001)

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): remove non-existent agent-compliance package from governance job

  agent-governance-toolkit-core is already installed as a core dependency via pip install -e ".[dev]", so agt is available without the extra arg. agent-compliance does not exist on PyPI and has been failing CI since #346.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): use correct package name agent-governance-toolkit-compliance

  The agt CLI is provided by agent-governance-toolkit-compliance, not agent-compliance. The latter name does not exist on PyPI; this was the root cause of the governance job failure since #346.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): use agent-governance-toolkit meta-package; swap agent-manifest to PyPI

  - governance job: agent-governance-toolkit>=4.1 is the published meta-package that includes the agt CLI (was using wrong sub-package name)
  - pyproject.toml: drop git source pin for agent-manifest, use PyPI >=0.1.1
  - remove allow-direct-references hatch flag (no more git deps)

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
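The Claim 6 nonce binding named in the commit message above, SHA-256(key||session_id), sketched as an added example; it is not code from this repository or from the referenced commit. The SimulatedTee class, the HMAC stand-in for a hardware quote signature, the random 32-byte stand-in for a public key and the quote field names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # fixed key length keeps key||session_id unambiguous


def binding_nonce(key: bytes, session_id: bytes) -> bytes:
    """Nonce as written in the commit message: SHA-256(key || session_id)."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly KEY_LEN bytes")
    return hashlib.sha256(key + session_id).digest()


class SimulatedTee:
    """One organisation's enclave (hypothetical). HMAC under a per-org
    secret stands in for the hardware quote signature."""

    def __init__(self, binary: bytes):
        self.root = secrets.token_bytes(32)      # simulated hardware root
        self.key = secrets.token_bytes(KEY_LEN)  # stand-in for a public key
        self.measurement = hashlib.sha256(binary).digest()

    def quote(self, session_id: bytes) -> dict:
        nonce = binding_nonce(self.key, session_id)
        sig = hmac.new(self.root, self.measurement + nonce, "sha256").digest()
        return {"measurement": self.measurement, "nonce": nonce, "sig": sig}


def verify(quote, root, claimed_key, session_id, expected_binary) -> str:
    """Return 'ok' or the name of the first check that failed."""
    body = quote["measurement"] + quote["nonce"]
    good_sig = hmac.new(root, body, "sha256").digest()
    if not hmac.compare_digest(good_sig, quote["sig"]):
        return "bad signature"
    if quote["measurement"] != hashlib.sha256(expected_binary).digest():
        return "measurement mismatch"
    expected = binding_nonce(claimed_key, session_id)
    if not hmac.compare_digest(expected, quote["nonce"]):
        return "nonce not bound to key and session"
    return "ok"
```

Each side's quote is checked on its own, so a failure in one organisation's quote does not change the verdict on the other's; a quote replayed under a different session_id or presented with a substituted key fails the nonce check even though its signature is valid.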
Summary

- governance/cmcp-enforcement.yaml — YAML policy descriptor with deny_by_default: true satisfying the agt verify --evidence deny-semantics check
- scripts/gen_agt_evidence.py — generates agt-evidence.json from live package metadata, bfsi-demo catalog, and policy files
- governance CI job: runs agt verify --evidence agt-evidence.json, fails on regression, uploads agt-evidence.json + agt-attestation.json as build artifacts
- governance-release release job: attaches both evidence files to every GitHub release as machine-readable OWASP ASI 2026 conformance proof
- GovernanceVerifier.verify_evidence() integration

Why

The README claims OWASP Agentic Top 10 coverage but nothing backs it at release time. Every cMCP release now ships agt-attestation.json — a machine-readable attestation that regulated-industry buyers can hand to their audit teams.

Test plan

- tests/unit/test_agt_evidence.py pass (pytest tests/unit/test_agt_evidence.py)
- python scripts/gen_agt_evidence.py writes a valid agt-evidence.json
- agt verify --evidence agt-evidence.json exits 0
- agt-evidence.json and agt-attestation.json appear as release assets

🤖 Generated with Claude Code