
feat: add standalone agent-mcp-governance package#823

Closed
jackbatzner wants to merge 2 commits into microsoft:main from jackbatzner:jb/python-mcp-package

Conversation

@jackbatzner
Contributor

Description

Introduces the standalone agent-mcp-governance Python package with zero AGT dependency. This allows MCP server operators to adopt MCP governance primitives without pulling in the full Agent Governance Toolkit.

Package: agent-mcp-governance (PyPI name: agent_mcp_governance)

  • dependencies = [] — no AGT dependency
  • Re-exports MCP primitives from agent-os-kernel
  • README with installation, quick-start examples, and OWASP MCP Cheat Sheet link

Part 2 of 3 — Merge after #822. See also:

Type of Change

  • New feature (non-breaking change that adds functionality)

Package(s) Affected

  • agent-os-kernel

Checklist

  • My code follows the project style guidelines (ruff check)
  • I have added tests that prove my fix/feature works
  • All new and existing tests pass (pytest)
  • I have updated documentation as needed
  • I have signed the Microsoft CLA

Related Issues

Supersedes #774 (split for easier review). Merge after #822.

jackbatzner and others added 2 commits April 6, 2026 06:34
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions bot added the labels documentation (Improvements or additions to documentation), dependencies (Pull requests that update a dependency file) and tests on Apr 6, 2026
@github-actions

github-actions bot commented Apr 6, 2026

Welcome to the Agent Governance Toolkit! Thanks for your first pull request.
Please ensure tests pass, code follows style (ruff check), and you have signed the CLA.
See our Contributing Guide.

@github-actions github-actions bot added the size/XL (Extra large PR, 500+ lines) label on Apr 6, 2026
@github-actions

github-actions bot commented Apr 6, 2026

🤖 AI Agent: breaking-change-detector — Summary

🔍 API Compatibility Report

Summary

This pull request introduces a new standalone Python package, agent-mcp-governance, which re-exports MCP governance primitives from the agent-os-kernel. The changes are additive and do not introduce any breaking changes to existing APIs. The new package provides a focused surface for MCP governance primitives without dependencies on the broader Agent Governance Toolkit.

Findings

| Severity | Package | Change | Impact |
| --- | --- | --- | --- |
| 🔵 | agent-mcp-governance | New package added with MCP governance APIs | Not breaking |
| 🔵 | agent-os | New MCP-related classes and methods added | Not breaking |

Migration Guide

No migration is required as no breaking changes were introduced. Downstream users can optionally adopt the new agent-mcp-governance package for standalone MCP governance functionality.

Additional Notes

  • The new package agent-mcp-governance is intentionally lightweight and designed for scenarios where the full Agent Governance Toolkit is not required.
  • The re-exported MCP primitives are well-documented in the provided README file, which includes installation instructions and usage examples.
  • The changes to agent-os are additive and include new classes and methods such as CredentialRedactor, MCPMetrics, and various MCP-related components. These additions enhance the functionality of the package without affecting existing APIs.

No breaking changes detected.

@github-actions

github-actions bot commented Apr 6, 2026

🤖 AI Agent: docs-sync-checker — Issues Found

📝 Documentation Sync Report

Issues Found

  • MCPMetrics in agent-os/src/agent_os/_mcp_metrics.py — missing docstring for the class and its methods.
  • NoOpMCPMetrics in agent-os/src/agent_os/_mcp_metrics.py — missing docstring for the class and its methods.
  • MCPMetricsRecorder in agent-os/src/agent_os/_mcp_metrics.py — missing docstring for the class and its methods.
  • CredentialRedactor in agent-os/src/agent_os/credential_redactor.py — missing docstrings for some methods (e.g., redact_mapping, redact_dictionary, redact_data_structure, contains_credentials, detect_credential_types, find_matches).
  • ⚠️ agent-mcp-governance/README.md — The README provides installation and usage examples, but it does not mention the new MCPMetrics or CredentialRedactor classes. These should be documented if they are intended for public use.
  • ⚠️ CHANGELOG.md — No entry for the addition of the new agent-mcp-governance package or the new MCPMetrics and CredentialRedactor components.

Suggestions

  • 💡 Add docstrings for the following classes and methods:
    • MCPMetrics class and its methods (record_decision, record_threats_detected, record_rate_limit_hit, record_scan).
    • NoOpMCPMetrics class and its methods (same as above).
    • MCPMetricsRecorder class and its methods (same as above).
    • CredentialRedactor methods (redact_mapping, redact_dictionary, redact_data_structure, contains_credentials, detect_credential_types, find_matches).
  • 💡 Update the agent-mcp-governance/README.md to include documentation and examples for the MCPMetrics and CredentialRedactor classes if they are part of the public API.
  • 💡 Add an entry to CHANGELOG.md summarizing the addition of the new agent-mcp-governance package and the new components (MCPMetrics, CredentialRedactor, etc.).

Additional Notes

  • The new agent-mcp-governance package appears to be a standalone package, but it re-exports components from agent-os. Ensure that all re-exported components are properly documented in their original locations (agent-os) and that the README for agent-mcp-governance reflects their intended usage.
  • All new public APIs (MCPMetrics, CredentialRedactor, etc.) include type hints, which is good.

Please address the above issues to ensure documentation is fully synchronized with the codebase. Let me know if you need further clarification!

@jackbatzner jackbatzner closed this Apr 6, 2026
@github-actions

github-actions bot commented Apr 6, 2026

🤖 AI Agent: test-generator — `packages/agent-mcp-governance/src/agent_mcp_governance/__init__.py`

🧪 Test Coverage Analysis

packages/agent-mcp-governance/src/agent_mcp_governance/__init__.py

  • ✅ Existing coverage: This file primarily re-exports components from agent-os. If the underlying components in agent-os are tested, this file is indirectly covered.
  • ❌ Missing coverage: No direct tests for the standalone agent-mcp-governance package to verify that all re-exports function correctly in isolation.
  • 💡 Suggested test cases:
    1. test_reexports_availability — Verify that all re-exported components are accessible from agent_mcp_governance.
    2. test_standalone_package_functionality — Ensure that the standalone package works as expected without dependencies on the broader Agent Governance Toolkit.

packages/agent-os/src/agent_os/__init__.py

  • ✅ Existing coverage: This file primarily handles imports and re-exports. If the individual modules are tested, this file is indirectly covered.
  • ❌ Missing coverage: No explicit tests for the integrity of re-exports.
  • 💡 Suggested test cases:
    1. test_reexports_integrity — Verify that all re-exported components are accessible and functional from agent_os.
    2. test_import_errors_handling — Simulate scenarios where certain dependencies are missing and ensure the module handles import errors gracefully.

packages/agent-os/src/agent_os/_mcp_metrics.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • OpenTelemetry integration and fallback to NoOpMCPMetrics.
    • Edge cases for metrics recording (e.g., invalid inputs, disabled OpenTelemetry).
  • 💡 Suggested test cases:
    1. test_noop_metrics — Ensure NoOpMCPMetrics methods do not raise errors and return None.
    2. test_metrics_recording_with_otel — Test that metrics are correctly recorded when OpenTelemetry is available.
    3. test_metrics_recording_without_otel — Test that no metrics are recorded when OpenTelemetry is unavailable.
    4. test_invalid_metric_inputs — Test behavior when invalid inputs (e.g., negative counts, missing fields) are provided to metrics methods.

packages/agent-os/src/agent_os/credential_redactor.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Credential detection and redaction for all defined patterns.
    • Edge cases like overlapping patterns, empty inputs, and large payloads.
  • 💡 Suggested test cases:
    1. test_redact_single_pattern — Verify redaction for each individual credential pattern.
    2. test_redact_multiple_patterns — Test redaction when multiple patterns are present in the input.
    3. test_redact_nested_structures — Ensure redaction works for deeply nested dictionaries, lists, and tuples.
    4. test_detect_credential_types — Verify that the correct credential types are detected for various inputs.
    5. test_large_payload_redaction — Test performance and correctness for large input payloads.
    6. test_no_match_behavior — Ensure no changes are made when no credentials are present.

packages/agent-os/src/agent_os/mcp_gateway.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Policy enforcement edge cases (e.g., conflicting policies, bypass attempts).
    • Audit logging for various scenarios.
    • Human-in-the-loop approval workflows.
  • 💡 Suggested test cases:
    1. test_policy_allow_deny — Test allow/deny decisions for various policy configurations.
    2. test_conflicting_policies — Simulate conflicting policies and verify resolution behavior.
    3. test_audit_logging — Ensure audit logs are correctly generated for all tool invocations.
    4. test_human_approval_workflow — Verify behavior when human approval is required for sensitive tools.
    5. test_policy_bypass_attempts — Test scenarios where malicious inputs attempt to bypass policy enforcement.

packages/agent-os/src/agent_os/mcp_message_signer.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Edge cases for message signing and verification (e.g., expired certificates, revoked trust).
  • 💡 Suggested test cases:
    1. test_message_signing — Verify that messages are signed correctly.
    2. test_message_verification — Ensure signed messages are verified correctly.
    3. test_expired_certificate — Test behavior when a certificate has expired.
    4. test_revoked_certificate — Verify that revoked certificates are not trusted.

packages/agent-os/src/agent_os/mcp_response_scanner.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Threat detection for various response scenarios.
    • Edge cases like malformed responses and oversized payloads.
  • 💡 Suggested test cases:
    1. test_threat_detection — Verify that threats are detected correctly in responses.
    2. test_malformed_response — Test behavior when the response is malformed.
    3. test_oversized_response — Verify handling of oversized response payloads.
    4. test_no_threats_detected — Ensure no false positives when no threats are present.

packages/agent-os/src/agent_os/mcp_security.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Security scanning edge cases (e.g., cascading failures, partial failures).
  • 💡 Suggested test cases:
    1. test_security_scan_success — Verify successful security scans.
    2. test_partial_failure_handling — Test behavior when a scan partially fails.
    3. test_cascading_failure_handling — Verify resilience against cascading failures.
    4. test_timeout_handling — Ensure proper handling of scan timeouts.

packages/agent-os/src/agent_os/mcp_session_auth.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Session creation and validation edge cases (e.g., expired sessions, invalid tokens).
  • 💡 Suggested test cases:
    1. test_session_creation — Verify that sessions are created correctly.
    2. test_session_validation — Ensure sessions are validated correctly.
    3. test_expired_session — Test behavior when a session has expired.
    4. test_invalid_token — Verify behavior when an invalid token is provided.

packages/agent-os/src/agent_os/mcp_sliding_rate_limiter.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Rate limiting edge cases (e.g., burst traffic, concurrent requests).
  • 💡 Suggested test cases:
    1. test_rate_limit_enforcement — Verify that rate limits are enforced correctly.
    2. test_burst_traffic_handling — Test behavior under burst traffic conditions.
    3. test_concurrent_requests — Verify that concurrent requests are handled correctly without race conditions.
    4. test_rate_limit_reset — Ensure rate limits reset correctly after the time window expires.

packages/agent-os/src/agent_os/policies/async_evaluator.py

  • ✅ Existing coverage: None explicitly mentioned in the provided context.
  • ❌ Missing coverage:
    • Asynchronous policy evaluation edge cases (e.g., timeouts, conflicting policies).
  • 💡 Suggested test cases:
    1. test_async_policy_evaluation — Verify that policies are evaluated correctly in an asynchronous context.
    2. test_policy_evaluation_timeout — Test behavior when policy evaluation exceeds the timeout.
    3. test_conflicting_async_policies — Simulate conflicting policies and verify resolution behavior.
    4. test_policy_evaluation_errors — Ensure proper handling of errors during policy evaluation.

Summary

The following areas require additional test coverage:

  1. Re-exports: Ensure all re-exported components in agent-mcp-governance and agent-os are functional and accessible.
  2. Metrics: Test OpenTelemetry integration and fallback behavior.
  3. Credential Redaction: Cover all patterns, edge cases, and nested structures.
  4. Policy Enforcement: Test boundary conditions, conflicting policies, and bypass attempts.
  5. Message Signing: Cover edge cases like expired or revoked certificates.
  6. Response Scanning: Test threat detection, malformed responses, and oversized payloads.
  7. Security Scanning: Cover partial failures, cascading failures, and timeouts.
  8. Session Authentication: Test expired sessions and invalid tokens.
  9. Rate Limiting: Cover burst traffic, concurrency, and rate limit resets.
  10. Async Policy Evaluation: Test timeouts, conflicts, and error handling.

Adding these test cases will significantly improve the robustness and reliability of the agent-mcp-governance and agent-os packages.
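The rate-limiter test cases suggested above (enforcement, burst traffic, concurrent requests without races, reset after the window expires) are easiest to reason about against a small reference implementation. The block below is an added example written for this page; it is not the agent-os MCPSlidingRateLimiter or InMemoryRateLimitStore, and the class names, the injected clock and the sample keys are assumptions. The single lock around the check-and-append is the point: without it two threads can both observe `limit - 1` calls and both be admitted.

```python
"""Thread-safe in-memory sliding-window rate limiter (added example).

Constructed illustration for the suggested rate-limiting tests; not the
agent-os MCPSlidingRateLimiter/InMemoryRateLimitStore. Names are assumptions.
"""
from __future__ import annotations

import threading
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass(frozen=True)
class RateLimitDecision:
    allowed: bool
    remaining: int
    retry_after: float  # seconds until the oldest counted call leaves the window


class SlidingWindowRateLimiter:
    """Allow at most `limit` calls per `window` seconds for each key.

    Each key keeps a deque of call timestamps. One lock guards the prune,
    the check and the append together, so concurrent callers cannot race
    past the limit (the multi-threaded concern raised in the review).
    """

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if limit <= 0 or window <= 0:
            raise ValueError("limit and window must be positive")
        self.limit = limit
        self.window = window
        self._clock = clock
        self._lock = threading.Lock()
        self._calls: Dict[str, Deque[float]] = {}

    def check(self, key: str) -> RateLimitDecision:
        now = self._clock()
        with self._lock:
            calls = self._calls.setdefault(key, deque())
            cutoff = now - self.window
            while calls and calls[0] <= cutoff:  # drop calls that slid out of the window
                calls.popleft()
            if len(calls) >= self.limit:
                return RateLimitDecision(False, 0, calls[0] + self.window - now)
            calls.append(now)
            return RateLimitDecision(True, self.limit - len(calls), 0.0)


class FakeClock:
    """Controllable clock so window expiry is tested deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def burst_then_reset() -> Tuple[int, bool, bool]:
    """Burst of 10 calls against limit 5: admitted count, still blocked?, allowed after reset?"""
    clock = FakeClock()
    limiter = SlidingWindowRateLimiter(limit=5, window=60.0, clock=clock)
    admitted = sum(limiter.check("agent-a").allowed for _ in range(10))
    still_blocked = limiter.check("agent-a").allowed
    clock.advance(60.1)  # whole window has elapsed, the old calls are pruned
    after_reset = limiter.check("agent-a").allowed
    return admitted, still_blocked, after_reset


def concurrent_admissions(threads: int = 50, limit: int = 20) -> int:
    """Hit one key from many threads at once; exactly `limit` must be admitted."""
    limiter = SlidingWindowRateLimiter(limit=limit, window=60.0)
    admitted: List[int] = []
    record_lock = threading.Lock()
    start = threading.Barrier(threads)

    def worker() -> None:
        start.wait()  # release all threads together to maximise contention
        if limiter.check("shared").allowed:
            with record_lock:
                admitted.append(1)

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return len(admitted)


if __name__ == "__main__":
    print(burst_then_reset())       # (5, False, True)
    print(concurrent_admissions())  # 20
```

Per-key isolation falls out of the dictionary of deques: a second key is unaffected by the first key's burst, which is the other assertion the suggested `test_rate_limit_enforcement` would want.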


@github-actions github-actions bot left a comment


🤖 AI Agent: code-reviewer

Review Summary

This PR introduces a new standalone package, agent-mcp-governance, which re-exports MCP governance primitives from agent-os-kernel without introducing dependencies on the broader Agent Governance Toolkit (AGT). The package is designed for independent use cases, such as enterprise workflows, and includes a well-documented README, zero dependencies, and a clean API surface.

The PR also introduces new modules and updates to the agent-os package, including:

  1. Credential Redactor: A utility to detect and redact sensitive information.
  2. MCP Metrics: OpenTelemetry-friendly metrics helpers for MCP governance components.
  3. Updates to the agent-os package to support the new package.

The PR is well-structured and adheres to the project's style guidelines. However, there are several areas that need attention, including potential security issues, type safety concerns, and suggestions for improvement.


🔴 CRITICAL: Security Issues

  1. Credential Redactor - Incomplete Redaction

    • The CredentialRedactor class uses regular expressions to detect and redact sensitive information. However, regex-based detection is inherently prone to false negatives and may fail to catch all sensitive data. For example:
      • The regex for "OpenAI API key" assumes a specific format (sk- followed by 18+ alphanumeric characters), but this format could change or be bypassed.
      • The regex for "Bearer token" assumes a specific length and structure, which may not cover all valid tokens.
    • Recommendation: Consider using a more robust library or approach for detecting sensitive information, such as a machine learning-based solution or integrating with existing tools like truffleHog or detect-secrets.
  2. Credential Redactor - Logging Redacted Information

    • The CredentialRedactor.redact method logs the number of redactions applied. If logging is not properly configured, this could inadvertently expose sensitive information.
    • Recommendation: Avoid logging redaction counts or ensure that logging is appropriately secured and sanitized.
  3. MCP Metrics - OpenTelemetry Integration

    • The MCPMetrics class initializes OpenTelemetry counters but does not validate the integrity of the metrics data. If an attacker manipulates the metrics input, it could lead to incorrect or misleading telemetry data.
    • Recommendation: Add validation and sanitization for all inputs to the MCPMetrics methods to ensure they conform to expected formats and ranges.
  4. MCP Gateway - Policy Enforcement

    • The MCPGateway class is responsible for policy enforcement, but the PR does not include sufficient test coverage to ensure that policies are enforced correctly. This could lead to potential security bypasses.
    • Recommendation: Add comprehensive tests to verify that the MCPGateway correctly enforces all policy rules, including edge cases.

🟡 WARNING: Potential Breaking Changes

  1. Python Version Requirement

    • The new package requires Python 3.12 or higher (requires-python = ">=3.12"). This is a breaking change for users on older Python versions.
    • Recommendation: Clearly communicate this requirement in the release notes and documentation.
  2. Public API Changes in agent-os

    • The agent-os package now re-exports several MCP-related classes and functions. This could lead to conflicts or unexpected behavior for existing users.
    • Recommendation: Document these changes in the release notes and consider versioning the agent-os package to indicate the update.

💡 Suggestions for Improvement

  1. Type Annotations

    • While the codebase includes type annotations, some methods (e.g., CredentialRedactor.redact_data_structure) could benefit from more precise type hints.
    • Recommendation: Use typing.Union, typing.Optional, and other type hinting features to improve type safety and clarity.
  2. Test Coverage

    • The PR includes tests, but the coverage for some critical components (e.g., MCPGateway, CredentialRedactor) could be improved.
    • Recommendation: Add tests for edge cases, such as malformed inputs, large payloads, and unusual credential formats.
  3. Documentation

    • The README for the new package is clear and well-written, but it could benefit from additional examples, such as how to use the MCPMetrics and CredentialRedactor classes.
    • Recommendation: Expand the documentation to include more usage examples and best practices.
  4. Thread Safety

    • The MCPMetrics class uses OpenTelemetry counters, which are generally thread-safe. However, the implementation does not explicitly document its thread safety guarantees.
    • Recommendation: Add documentation to clarify the thread safety of the MCPMetrics class and its methods.
  5. Backward Compatibility

    • While the new package is designed to be standalone, it re-exports classes from agent-os-kernel. Any future changes to agent-os-kernel could inadvertently break agent-mcp-governance.
    • Recommendation: Implement integration tests to ensure that agent-mcp-governance remains compatible with updates to agent-os-kernel.
  6. Error Handling

    • The MCPMetrics class uses a no-op implementation when OpenTelemetry is unavailable. While this is a reasonable fallback, it might lead to silent failures.
    • Recommendation: Log a warning or provide a mechanism to notify users when OpenTelemetry is not available.

Summary of Actionable Feedback

Critical Issues

  • 🔴 Improve the robustness of the CredentialRedactor to avoid false negatives.
  • 🔴 Avoid logging sensitive information or redaction counts in CredentialRedactor.
  • 🔴 Add input validation to MCPMetrics methods to prevent telemetry manipulation.
  • 🔴 Add comprehensive tests for MCPGateway to ensure policy enforcement correctness.

Warnings

  • 🟡 Communicate the Python 3.12+ requirement as a breaking change.
  • 🟡 Document the new MCP-related exports in agent-os to avoid potential conflicts.

Suggestions

  • 💡 Improve type annotations for better type safety.
  • 💡 Expand test coverage for critical components.
  • 💡 Add more usage examples to the documentation.
  • 💡 Clarify thread safety guarantees for MCPMetrics.
  • 💡 Add integration tests to ensure compatibility between agent-mcp-governance and agent-os-kernel.
  • 💡 Notify users when OpenTelemetry is unavailable in MCPMetrics.

This PR is a significant step forward in modularizing the MCP governance functionality, but addressing the above issues will ensure better security, reliability, and usability.
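Two of the MCPMetrics points above (validate inputs before they reach the counters; do not fail silently when OpenTelemetry is absent) are shown together in the following added example. It is constructed for this page and is not the agent-os MCPMetrics, NoOpMCPMetrics or MCPMetricsRecorder; the metric names, the closed set of decision labels and the in-memory sink are assumptions. The OpenTelemetry calls used (`metrics.get_meter`, `create_counter`, `Counter.add`) are the real opentelemetry-api surface.

```python
"""MCP metrics recorder with input validation and a loud fallback (added example).

Constructed illustration, not agent-os's MCPMetrics/NoOpMCPMetrics/MCPMetricsRecorder.
Metric names, the decision label set and the sinks are assumptions.
"""
from __future__ import annotations

import logging
import threading
from typing import Any, Dict, Mapping, Optional, Tuple

logger = logging.getLogger(__name__)

# Closed label set: free-form strings would let a caller mint unbounded metric
# series (label cardinality) or mislabel a deny as an allow.
ALLOWED_DECISIONS = frozenset({"allow", "deny", "require_approval"})
MetricKey = Tuple[str, Tuple[Tuple[str, str], ...]]


def validate_count(value: Any) -> int:
    """Counters are monotonic: accept only non-negative ints (bool is rejected too)."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"count must be a non-negative int, got {value!r}")
    return value


def validate_label(name: str, value: Any, allowed: Optional[frozenset] = None) -> str:
    if not isinstance(value, str) or not value or len(value) > 128:
        raise ValueError(f"{name} must be a non-empty str of at most 128 chars")
    if allowed is not None and value not in allowed:
        raise ValueError(f"{name} must be one of {sorted(allowed)}, got {value!r}")
    return value


class InMemoryMetrics:
    """Fallback sink: totals per (metric, attributes), guarded by a lock."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._totals: Dict[MetricKey, int] = {}

    def add(self, metric: str, amount: int, attributes: Mapping[str, str]) -> None:
        key: MetricKey = (metric, tuple(sorted(attributes.items())))
        with self._lock:
            self._totals[key] = self._totals.get(key, 0) + amount

    def total(self, metric: str, **attributes: str) -> int:
        return self._totals.get((metric, tuple(sorted(attributes.items()))), 0)


class OtelMetrics:
    """Sink backed by OpenTelemetry counters; only constructible if the API imports."""

    def __init__(self) -> None:
        from opentelemetry import metrics  # opentelemetry-api: get_meter / create_counter / add
        self._meter = metrics.get_meter("mcp.governance.example")
        self._counters: Dict[str, Any] = {}

    def add(self, metric: str, amount: int, attributes: Mapping[str, str]) -> None:
        counter = self._counters.get(metric)
        if counter is None:
            counter = self._counters[metric] = self._meter.create_counter(metric)
        counter.add(amount, attributes=dict(attributes))


class MCPMetricsRecorder:
    """Validates every input, then forwards to whichever sink is available."""

    def __init__(self, sink: Optional[Any] = None) -> None:
        self.backend = "injected"
        if sink is None:
            try:
                sink = OtelMetrics()
                self.backend = "opentelemetry"
            except ImportError:
                # Warn once instead of silently dropping metrics in a no-op.
                logger.warning("opentelemetry not installed; MCP metrics are kept in memory only")
                sink = InMemoryMetrics()
                self.backend = "in-memory"
        self._sink = sink

    def record_decision(self, decision: str, tool: str, count: int = 1) -> None:
        self._sink.add("mcp.decisions", validate_count(count), {
            "decision": validate_label("decision", decision, ALLOWED_DECISIONS),
            "tool": validate_label("tool", tool),
        })

    def record_threats_detected(self, tool: str, count: int) -> None:
        self._sink.add("mcp.threats_detected", validate_count(count),
                       {"tool": validate_label("tool", tool)})

    def record_rate_limit_hit(self, tool: str) -> None:
        self._sink.add("mcp.rate_limit_hits", 1, {"tool": validate_label("tool", tool)})


def demo_totals() -> Tuple[int, int, int]:
    """Record a constructed burst of events into an in-memory sink and read back totals."""
    sink = InMemoryMetrics()
    rec = MCPMetricsRecorder(sink)
    for _ in range(3):
        rec.record_decision("allow", "read_file")
    rec.record_decision("deny", "shell_exec", count=2)
    rec.record_threats_detected("http_fetch", 4)
    rec.record_rate_limit_hit("http_fetch")
    return (sink.total("mcp.decisions", decision="allow", tool="read_file"),
            sink.total("mcp.decisions", decision="deny", tool="shell_exec"),
            sink.total("mcp.threats_detected", tool="http_fetch"))


if __name__ == "__main__":
    print(demo_totals())                   # (3, 2, 4)
    print(MCPMetricsRecorder().backend)    # "opentelemetry" or "in-memory"
```

Injecting the sink keeps the validation logic testable without OpenTelemetry installed, and `backend` makes the fallback observable to operators instead of leaving them to notice missing dashboards.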

@github-actions

github-actions bot commented Apr 6, 2026

🤖 AI Agent: security-scanner — Security Review of `feat: add standalone agent-mcp-governance package`

Security Review of feat: add standalone agent-mcp-governance package

The pull request introduces a new Python package, agent-mcp-governance, which provides standalone MCP governance primitives. This package is designed to allow MCP server operators to adopt governance features without requiring the full Agent Governance Toolkit (AGT). Below is a security review of the changes, categorized by potential vulnerabilities.


1. Prompt Injection Defense Bypass

Finding: 🔵 LOW

  • The MCPGateway class in the example code includes a matches_pattern method in the DemoPolicy class, but the implementation is a placeholder (return []). This could lead to a false sense of security if users assume the method is functional without implementing it properly.
  • The CredentialRedactor class provides a mechanism for redacting sensitive information, but its PATTERNS list may not cover all possible credential patterns, leaving room for prompt injection attacks if sensitive data is not fully redacted.

Recommendation:

  • Provide a more robust implementation or clear documentation for the matches_pattern method to ensure users understand its importance in preventing prompt injection.
  • Regularly update the PATTERNS list in CredentialRedactor to include new patterns for sensitive data as they become known.
  • Consider adding a mechanism to allow users to define custom patterns for redaction.

2. Policy Engine Circumvention

Finding: 🟠 HIGH

  • The MCPGateway class relies on user-defined policies (e.g., DemoPolicy) for enforcing governance. However, there is no validation mechanism to ensure that the provided policy is robust or that it adheres to security best practices.
  • The MCPGateway class does not appear to validate the allowed_tools list or enforce strict type checking on the policy attributes. This could allow for policy circumvention if the policy is misconfigured or tampered with.

Recommendation:

  • Implement a policy validation mechanism in MCPGateway to ensure that policies meet minimum security requirements (e.g., non-empty allowed_tools, valid max_tool_calls values).
  • Add type annotations and runtime checks to validate the structure and content of user-defined policies.
  • Consider providing a set of predefined, secure policies as templates for users.

3. Trust Chain Weaknesses

Finding: 🔵 LOW

  • The MCPMessageSigner and MCPVerificationResult classes are re-exported from agent-os-kernel, but their implementation is not included in this PR. Without reviewing the underlying implementation, it is unclear if there are any trust chain weaknesses, such as improper SPIFFE/SVID validation or certificate pinning issues.

Recommendation:

  • Conduct a thorough review of the agent-os-kernel implementation to ensure that the trust chain is robust and resistant to attacks.
  • Add unit tests to validate the behavior of MCPMessageSigner and MCPVerificationResult under various edge cases.

4. Credential Exposure

Finding: 🔴 CRITICAL

  • The CredentialRedactor class logs the number of redacted credentials using logger.info. This could inadvertently expose sensitive information in logs if the logging configuration is not properly secured or if the logs are accessible to unauthorized users.

Recommendation:

  • Avoid logging the number of redacted credentials or any information that could hint at the presence of sensitive data.
  • If logging is necessary, ensure that logs are properly secured and access is restricted to authorized personnel only.

5. Sandbox Escape

Finding: 🔵 LOW

  • No evidence of sandboxing mechanisms or related vulnerabilities was found in this PR. However, the MCPGateway class interacts with user-defined policies and external tools, which could introduce risks if those tools are not properly sandboxed.

Recommendation:

  • Ensure that all external tools invoked by MCP are executed in isolated environments (e.g., containers or restricted processes) to prevent potential sandbox escapes.

6. Deserialization Attacks

Finding: 🟠 HIGH

  • The CredentialRedactor class uses Python's re module to process user-provided input. While the patterns are relatively simple, they could still be vulnerable to Regular Expression Denial of Service (ReDoS) attacks if crafted malicious inputs are passed.

Recommendation:

  • Use a library like regex (an alternative to Python's re module) that supports timeouts for regex matching to mitigate ReDoS risks.
  • Add input validation to ensure that excessively long or malformed strings are not processed by the CredentialRedactor.

7. Race Conditions

Finding: 🟡 MEDIUM

  • The MCPSlidingRateLimiter class appears to use in-memory stores (e.g., InMemoryRateLimitStore) for rate limiting. This could lead to race conditions in distributed or multi-threaded environments, allowing malicious actors to bypass rate limits.

Recommendation:

  • Use a distributed rate-limiting mechanism (e.g., Redis or a database) to ensure consistent enforcement across multiple instances of the application.
  • Add thread-safety mechanisms to the in-memory stores to prevent race conditions in multi-threaded environments.

8. Supply Chain

Finding: 🔵 LOW

  • The pyproject.toml file declares no dependencies (dependencies = []), which minimizes the risk of supply chain attacks. However, the package re-exports components from agent-os-kernel, which introduces an indirect dependency.

Recommendation:

  • Perform regular security audits of the agent-os-kernel package to ensure it is free from vulnerabilities.
  • Use a dependency scanning tool to monitor for potential issues in agent-os-kernel and other transitive dependencies.

Summary of Findings

| Category | Severity | Description |
| --- | --- | --- |
| Prompt Injection Defense | 🔵 LOW | Placeholder matches_pattern method and incomplete credential patterns. |
| Policy Engine Circumvention | 🟠 HIGH | Lack of policy validation and type checking. |
| Trust Chain Weaknesses | 🔵 LOW | No evidence of issues, but underlying implementation is not reviewed in this PR. |
| Credential Exposure | 🔴 CRITICAL | Logging redaction counts could expose sensitive information. |
| Sandbox Escape | 🔵 LOW | No evidence of issues, but external tools should be sandboxed. |
| Deserialization Attacks | 🟠 HIGH | Potential for ReDoS attacks in CredentialRedactor regex patterns. |
| Race Conditions | 🟡 MEDIUM | In-memory rate limiting may be vulnerable to race conditions in distributed environments. |
| Supply Chain | 🔵 LOW | No direct dependencies, but indirect dependency on agent-os-kernel needs regular auditing. |

Overall Risk Assessment: HIGH

The introduction of this standalone package is a significant change that requires careful attention to security. The most critical issue is the potential for credential exposure through logging. Additionally, the lack of policy validation and the potential for ReDoS attacks in the CredentialRedactor class are concerning. Addressing these issues is crucial to ensure the security of the MCP governance layer.

Actionable Recommendations

  1. Prompt Injection Defense:

    • Implement a robust matches_pattern method in the DemoPolicy class or provide clear documentation for users to implement it securely.
    • Regularly update the CredentialRedactor.PATTERNS list and allow users to define custom patterns.
  2. Policy Engine Validation:

    • Add a validation mechanism to ensure user-defined policies meet minimum security requirements.
    • Implement runtime type checks for policy attributes.
  3. Logging and Credential Exposure:

    • Remove or sanitize logging of redaction counts in CredentialRedactor to avoid potential credential exposure.
  4. Deserialization Attacks:

    • Use a regex library with built-in ReDoS protection or implement timeouts for regex matching.
    • Validate input length and format before processing with regex.
  5. Rate Limiting:

    • Consider using a distributed rate-limiting mechanism (e.g., Redis) for production environments.
    • Add thread-safety mechanisms to in-memory stores.
  6. Supply Chain Security:

    • Regularly audit the agent-os-kernel package and its dependencies for vulnerabilities.
    • Use a dependency scanning tool to monitor for new vulnerabilities.
  7. Documentation:

    • Clearly document the limitations and security considerations of the standalone package, especially for user-defined policies and credential redaction.

By addressing these issues, the agent-mcp-governance package can provide a secure and reliable foundation for MCP governance in enterprise environments.
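The CredentialRedactor findings in the code-reviewer comment and in sections 1, 4 and 6 of the security review above all concern the same small piece of logic: regex-based detection over nested data, bounded input size so the patterns cannot be driven into pathological matching, and redaction counts returned to the caller rather than logged. The block below is an added example written for this page, not the agent-os CredentialRedactor. The pattern table (the first two mirror the shapes the reviewer describes; `AKIA` is AWS's documented access-key-id prefix), the size limit, the placeholder format and the sample event are assumptions; the method names follow the ones listed in the review.

```python
"""Credential redaction over nested data with a length guard (added example).

Constructed illustration, not agent-os's CredentialRedactor. The pattern
table, limit, placeholder and SAMPLE_EVENT are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Each pattern is a single character-class run with no nested or overlapping
# quantifiers, so matching cost stays linear in the input length.
PATTERNS: Dict[str, re.Pattern] = {
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{18,}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}=*", re.IGNORECASE),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
MAX_INPUT_CHARS = 64 * 1024  # refuse to scan a single string larger than this


@dataclass(frozen=True)
class RedactionResult:
    value: Any               # redacted copy, container types preserved
    count: int               # number of replacements (returned to the caller, never logged)
    types: Tuple[str, ...]   # sorted names of the credential kinds found


class CredentialRedactor:
    def __init__(self, patterns: Dict[str, re.Pattern] = PATTERNS,
                 max_chars: int = MAX_INPUT_CHARS,
                 placeholder: str = "[REDACTED:{kind}]") -> None:
        self.patterns = dict(patterns)
        self.max_chars = max_chars
        self.placeholder = placeholder

    def redact_text(self, text: str) -> Tuple[str, int, List[str]]:
        """Redact one string; oversized input is rejected instead of scanned."""
        if len(text) > self.max_chars:
            raise ValueError(f"input of {len(text)} chars exceeds limit of {self.max_chars}")
        found: List[str] = []
        total = 0
        for kind, pattern in self.patterns.items():
            text, n = pattern.subn(self.placeholder.format(kind=kind), text)
            if n:
                total += n
                found.append(kind)
        return text, total, found

    def redact_data_structure(self, data: Any) -> RedactionResult:
        """Walk dicts, lists and tuples; redact string values, keep everything else."""
        kinds: set = set()
        count = 0

        def walk(node: Any) -> Any:
            nonlocal count
            if isinstance(node, str):
                new, n, found = self.redact_text(node)
                count += n
                kinds.update(found)
                return new
            if isinstance(node, dict):
                return {k: walk(v) for k, v in node.items()}
            if isinstance(node, list):
                return [walk(v) for v in node]
            if isinstance(node, tuple):
                return tuple(walk(v) for v in node)
            return node  # ints, None, bytes and other leaves pass through unchanged

        return RedactionResult(walk(data), count, tuple(sorted(kinds)))

    def contains_credentials(self, data: Any) -> bool:
        return self.redact_data_structure(data).count > 0

    def detect_credential_types(self, data: Any) -> Tuple[str, ...]:
        return self.redact_data_structure(data).types


# Constructed sample: an MCP tool-call record as it might reach a log sink.
SAMPLE_EVENT = {
    "tool": "http_fetch",
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token-value"},
    "env": ["OPENAI_API_KEY=sk-constructedexamplekey0123456789",
            ("AWS_ACCESS_KEY_ID", "AKIAIOSFODNN7EXAMPLE")],
    "retries": 3,
}


def redact_sample() -> RedactionResult:
    return CredentialRedactor().redact_data_structure(SAMPLE_EVENT)


if __name__ == "__main__":
    result = redact_sample()
    print(result.value)
    print(result.count, result.types)  # 3 ('aws_access_key_id', 'bearer_token', 'openai_api_key')
```

Because the count and the detected kinds come back in the result object, the caller decides whether they are ever written anywhere; the redactor itself emits no log line. Patterns run in table order, so a secret matched by an earlier pattern is already replaced by the time later patterns see the string.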
