feat(owasp): migrate to ASI 2026 taxonomy with reference architecture

[imran-siddique]

OWASP ASI 2026 Taxonomy Migration + Reference Architecture

What this PR does

Three improvements in one cohesive change:

1. ASI 2026 taxonomy migration (supersedes #839)

• Migrates copilot-governance from legacy AT identifiers to OWASP ASI 2026 (ASI01–ASI11)
• Adds backward-compatible LEGACY_AT_TO_ASI lookup so existing integrations don't break
• Updates all 14 reviewer rules with correct ASI risk mappings
• 46/46 tests pass including new backward-compat coverage

2. Combined OWASP reference architecture (supersedes #843 + #844)

• Single comprehensive doc at docs/compliance/owasp-agentic-top10-architecture.md
• Coverage table, Mermaid diagrams, honest gap analysis with code evidence
• All 11 ASI risks mapped with file-path references

3. Python standalone MCP governance package (supersedes #829)

• Fixes the dependency bug in feat(python): add standalone agent-mcp-governance package #829 (claimed zero deps but imported agent-os-kernel)
• Honest pyproject.toml with correct dependency declaration
• Broader Python support (>=3.10 vs feat(python): add standalone agent-mcp-governance package #829's >=3.12)
• PEP 625 compliant package name (underscores)

Why supersede instead of merge?

• fix(owasp): migrate OWASP catalogue from AT to ASI 2026 taxonomy #839 got changes requested and silently dropped unrecognized AT IDs — we add backward compat instead
• docs: OWASP Agentic Top 10 reference architecture mapping #843 + docs: OWASP upstream AGT reference implementation supporting material #844 are two separate docs that should be one comprehensive reference
• feat(python): add standalone agent-mcp-governance package #829 has a factual error (README claims zero deps, pyproject.toml declares one)
• All four PRs have merge conflicts with current main

Files changed (8 files, +580/-64)

File	Change
src/owasp.ts	Full ASI01-ASI11 catalogue + legacy AT→ASI mapping
src/reviewer.ts	All 14 rules: AT→ASI risk IDs
src/types.ts	Comment update
tests/index.test.ts	8 new OWASP tests including backward-compat
docs/compliance/owasp-agentic-top10-architecture.md	New: comprehensive reference doc
packages/agent-mcp-governance/*	New: Python standalone MCP package

Checklist

• All 46 tests pass (npm test)
• MIT license headers on all new files
• Backward compatibility maintained (AT IDs still resolve)
• No eval/exec/pickle/shell=True
• CLA signed

Supersedes: #839, #843, #844, #829

[github-actions]

🤖 AI Agent: breaking-change-detector — Summary

🔍 API Compatibility Report

Summary

This pull request introduces significant changes to the repository, including the migration to OWASP ASI 2026 taxonomy, a new Python package (agent-mcp-governance), and updates to existing functionality. While most changes are additive or backward-compatible, there are no breaking changes identified in the Python API. The backward-compatible mapping for legacy identifiers ensures that existing integrations remain functional.

Findings

Severity	Package	Change	Impact
🔵	agent-mcp-governance	New Python package added	No impact on existing code; new functionality
🔵	agent-os-kernel	Re-exported classes (GovernanceMiddleware, AuditMiddleware, etc.) in agent-mcp-governance	No impact; additive change
🔵	copilot-governance	Backward-compatible mapping for legacy AT identifiers to ASI	Ensures existing integrations using AT identifiers remain functional

Migration Guide

No migration steps are necessary for existing users, as backward compatibility has been maintained. New users can adopt the agent-mcp-governance package for standalone MCP governance functionality.

Conclusion

✅ No breaking changes detected. All changes are either additive or backward-compatible.

[github-actions]

🤖 AI Agent: test-generator — `packages/agent-mcp-governance/src/agent_mcp_governance/__init__.py`

🧪 Test Coverage Analysis

packages/agent-mcp-governance/src/agent_mcp_governance/__init__.py

• ✅ Existing coverage:

  • The agent_mcp_governance module is a thin wrapper that re-exports core classes (GovernanceMiddleware, AuditMiddleware, TrustGate, BehaviorMonitor) from the agent-os-kernel package.
  • The functionality of these classes is likely covered by tests in the agent-os-kernel package.

• ❌ Missing coverage:

  • There is no evidence of a dedicated test file for agent_mcp_governance in the tests/ directory. This means the re-export functionality and compatibility with the agent-os-kernel package are not explicitly tested.
  • No tests validate that the re-exported classes (GovernanceMiddleware, AuditMiddleware, TrustGate, BehaviorMonitor) are correctly imported and functional when accessed through agent_mcp_governance.

• 💡 Suggested test cases:

  1. test_governance_middleware_import — Verify that GovernanceMiddleware can be imported from agent_mcp_governance and instantiated without errors.
  2. test_audit_middleware_import — Verify that AuditMiddleware can be imported from agent_mcp_governance and instantiated without errors.
  3. test_trust_gate_import — Verify that TrustGate can be imported from agent_mcp_governance and instantiated without errors.
  4. test_behavior_monitor_import — Verify that BehaviorMonitor can be imported from agent_mcp_governance and instantiated without errors.
  5. test_version_attribute — Verify that the __version__ attribute is correctly defined and matches the expected version.
  6. test_integration_with_agent_os_kernel — Ensure that the re-exported classes function as expected when used in a simple integration test. For example:
     • Create a GovernanceMiddleware instance, configure it with a blocked pattern, and verify that it blocks matching inputs.
     • Create an AuditMiddleware instance, log an event, and verify that the event is recorded in the hash chain.
     • Create a TrustGate instance, configure it with a trust score, and verify that it correctly validates or rejects a sample agent.
     • Create a BehaviorMonitor instance, simulate agent behavior, and verify that it detects anomalies and triggers quarantine.

By adding these tests, you can ensure that the agent_mcp_governance package is correctly re-exporting and integrating the core governance, audit, trust, and monitoring functionalities from agent-os-kernel. This will also help catch any potential issues with version mismatches or API changes in the agent-os-kernel dependency.

[github-actions]

🤖 AI Agent: docs-sync-checker — Issues Found

📝 Documentation Sync Report

Issues Found

1. New Public APIs Without Docstrings

   • ❌ resolveId(id: string): string in packages/agentmesh-integrations/copilot-governance/src/owasp.ts — missing docstring. This function resolves a risk ID to its canonical ASI identifier and should include a docstring explaining its purpose, parameters, and return value.

2. README Sections Out of Date

   • ⚠️ packages/agent-mcp-governance/README.md — The README does not mention the backward-compatible LEGACY_AT_TO_ASI mapping or the resolveId function introduced in owasp.ts. These are important features that should be documented for users.

3. CHANGELOG Missing Entries

   • ⚠️ CHANGELOG.md — No entry for the migration to the OWASP ASI 2026 taxonomy, the addition of the LEGACY_AT_TO_ASI mapping, or the new Python standalone MCP governance package. These are significant changes that should be documented.

4. Example Code Outdated

   • ⚠️ packages/agent-mcp-governance/README.md — The example code does not demonstrate the use of the resolveId function or the LEGACY_AT_TO_ASI mapping. These should be included to ensure users understand how to use the new functionality.

5. Type Hints

   • ✅ All new public APIs in the Python package (agent_mcp_governance) have complete type annotations.
   • ❌ resolveId(id: string): string in packages/agentmesh-integrations/copilot-governance/src/owasp.ts — While this is a TypeScript function and has type annotations, it is missing a docstring to explain its purpose and behavior.

---

Suggestions

• 💡 Add a docstring for resolveId(id: string): string in packages/agentmesh-integrations/copilot-governance/src/owasp.ts. Example:

  /**
   * Resolve a risk ID to its canonical ASI identifier.
   * Returns the ID unchanged if it already starts with "ASI", or maps it
   * via {@link LEGACY_AT_TO_ASI} if it is a legacy "AT" ID.
   *
   * @param id - The risk identifier (e.g., "ASI01" or "AT01").
   * @returns The canonical ASI identifier (e.g., "ASI01").
   */

• 💡 Update packages/agent-mcp-governance/README.md to include:

  • A section on the LEGACY_AT_TO_ASI mapping and its purpose.
  • An example of how to use the resolveId function.

• 💡 Add entries to CHANGELOG.md for:

  • Migration to the OWASP ASI 2026 taxonomy.
  • Addition of the LEGACY_AT_TO_ASI mapping for backward compatibility.
  • Introduction of the new Python standalone MCP governance package.

• 💡 Update example code in packages/agent-mcp-governance/README.md to include usage of the resolveId function and demonstrate how to handle legacy AT identifiers.

---

Summary

The PR introduces significant changes, including the migration to the OWASP ASI 2026 taxonomy, a new Python package, and backward-compatible mappings for legacy identifiers. While the documentation is generally comprehensive, there are a few missing elements, such as a docstring for the resolveId function, updates to the README, and entries in the CHANGELOG. Addressing these issues will ensure the documentation remains in sync with the codebase.

Let me know if you need further assistance!

[github-actions]

🤖 AI Agent: security-scanner — Security Review of PR: feat(owasp): migrate to ASI 2026 taxonomy with reference architecture

Security Review of PR: feat(owasp): migrate to ASI 2026 taxonomy with reference architecture

This PR introduces significant changes to the microsoft/agent-governance-toolkit repository, including a migration to the OWASP ASI 2026 taxonomy, a new reference architecture document, and a standalone Python package for MCP governance. Below is a detailed security review of the changes, categorized by potential vulnerabilities.

---

1. Prompt Injection Defense Bypass

Rating: 🔵 LOW

• Analysis: The governanceMiddleware applies blockedPatterns (regex-based filtering) to prevent prompt injection attacks. The patterns are loaded dynamically from a policy YAML file, which is a good practice to avoid hardcoding security rules. The PR also includes a backward-compatible mapping for legacy identifiers, ensuring that older configurations remain functional.
• Potential Issue: Regex-based filtering can be bypassed if the patterns are not comprehensive or if attackers find creative ways to obfuscate malicious inputs.
• Recommendation: Ensure that the blockedPatterns are comprehensive and regularly updated. Consider implementing additional layers of defense, such as semantic analysis or context-aware filtering, to complement regex-based checks.

---

2. Policy Engine Circumvention

Rating: 🟠 HIGH

• Analysis: The static reviewer flags unguarded tool execution and missing governance middleware, which are critical for enforcing policies. However, the detection logic for unguarded tool execution relies on regex patterns (/governanceMiddleware|governance_middleware|GovernancePolicy|apply_governance/i), which could be bypassed by obfuscating or renaming variables and functions.
• Potential Issue: The reliance on regex for detecting policy application is fragile and could be bypassed by attackers who modify the code to evade detection.
• Recommendation: Implement a more robust static analysis mechanism that performs semantic analysis of the code to ensure governance policies are applied consistently. Consider integrating with an Abstract Syntax Tree (AST) parser to analyze the code structure more effectively.

---

3. Trust Chain Weaknesses

Rating: 🔴 CRITICAL

• Analysis: The TrustGate component uses DID-based identity verification for inter-agent communication. However, the PR does not provide details on how the DIDs are validated or whether certificate pinning is implemented.
• Potential Issue: If the DID verification process is not robust (e.g., if it relies on insecure or stubbed verify() functions), it could allow attackers to impersonate trusted agents and compromise the system.
• Recommendation: Ensure that the DID verification process is robust and does not rely on placeholder or stubbed functions. Implement certificate pinning and ensure that all cryptographic operations are performed using secure libraries and algorithms.

---

4. Credential Exposure

Rating: 🔵 LOW

• Analysis: The PR does not introduce any new logging or error-handling mechanisms that could inadvertently expose sensitive information. The AuditMiddleware explicitly supports PII redaction.
• Potential Issue: None identified in this PR.
• Recommendation: Continue to ensure that sensitive information is properly redacted in logs and error messages. Regularly audit the codebase for potential leaks.

---

5. Sandbox Escape

Rating: 🟡 MEDIUM

• Analysis: The PR does not introduce any new sandboxing mechanisms for agent memory or context. The reference architecture document acknowledges this as a gap in the current implementation.
• Potential Issue: The lack of a dedicated memory sandbox or context-integrity module could allow attackers to manipulate persistent memory stores and corrupt future agent decisions.
• Recommendation: Implement a ContextValidator module that hashes memory snapshots and verifies their integrity before use. Consider using secure enclaves or other hardware-based isolation mechanisms for sensitive operations.

---

6. Deserialization Attacks

Rating: 🔵 LOW

• Analysis: The static reviewer flags unsafe deserialization methods like pickle.loads() without HMAC verification. This is a good practice to mitigate deserialization attacks.
• Potential Issue: None identified in this PR.
• Recommendation: Ensure that all deserialization operations are reviewed for safety and that HMAC verification is consistently applied.

---

7. Race Conditions

Rating: 🟡 MEDIUM

• Analysis: The PR does not explicitly address potential race conditions in policy checks or trust evaluations. The rate_limit_per_minute feature in GovernanceMiddleware could be susceptible to race conditions if not implemented with thread-safe mechanisms.
• Potential Issue: Concurrent requests could bypass rate limits or policy checks if proper synchronization mechanisms are not in place.
• Recommendation: Ensure that all rate-limiting and policy-checking mechanisms are thread-safe. Use atomic operations or locks where necessary.

---

8. Supply Chain Vulnerabilities

Rating: 🟠 HIGH

• Analysis: The PR acknowledges a gap in supply chain security, specifically the lack of SBOM generation and dependency vulnerability scanning. The new Python package declares its dependency on agent-os-kernel, but there is no mention of how this dependency is secured against supply chain attacks.
• Potential Issue: Dependency confusion or typosquatting attacks could compromise the agent-os-kernel package or its dependencies.
• Recommendation: Integrate SBOM generation and dependency vulnerability scanning into the CI/CD pipeline. Use tools like GitHub Advanced Security or Dependabot to monitor for vulnerabilities in dependencies.

---

Summary of Findings

Category	Rating	Issue	Recommendation
Prompt Injection Defense	🔵 LOW	Regex-based filtering could be bypassed.	Add semantic/context-aware filtering.
Policy Engine Circumvention	🟠 HIGH	Regex-based detection of policy application is fragile.	Use AST-based static analysis for robust detection.
Trust Chain Weaknesses	🔴 CRITICAL	DID verification process details are unclear; potential for impersonation.	Ensure robust DID verification and implement certificate pinning.
Credential Exposure	🔵 LOW	No new issues identified.	Continue auditing logs and error messages for sensitive data.
Sandbox Escape	🟡 MEDIUM	No memory sandbox or context-integrity module.	Implement a ContextValidator and consider hardware-based isolation mechanisms.
Deserialization Attacks	🔵 LOW	No new issues identified.	Ensure HMAC verification for all deserialization operations.
Race Conditions	🟡 MEDIUM	Potential race conditions in rate-limiting and policy checks.	Use thread-safe mechanisms for rate-limiting and policy checks.
Supply Chain Vulnerabilities	🟠 HIGH	No SBOM generation or dependency scanning.	Integrate SBOM generation and dependency scanning into CI/CD.

---

Final Recommendation

This PR introduces valuable improvements, but the critical issue with trust chain weaknesses must be addressed before merging. Additionally, the policy engine circumvention and supply chain vulnerabilities should be prioritized for resolution. Other issues, while less critical, should be addressed in subsequent updates.

[github-actions]

🤖 AI Agent: code-reviewer

Pull Request Review: OWASP ASI 2026 Taxonomy Migration + Reference Architecture

---

🔴 CRITICAL Issues

1. Backward Compatibility in Risk ID Mapping

   • The resolveId function in owasp.ts silently falls back to returning the input ID if it is not found in either OWASP_AGENTIC_RISKS or LEGACY_AT_TO_ASI. This could lead to silent failures in downstream systems that rely on strict validation of risk IDs.
   • Recommendation: Throw an explicit error or log a warning when an unknown ID is encountered to avoid silent failures. Alternatively, provide a configurable fallback behavior.

   function resolveId(id: string): string {
       if (id in OWASP_AGENTIC_RISKS) return id;
       if (id in LEGACY_AT_TO_ASI) return LEGACY_AT_TO_ASI[id];
       throw new Error(`Unknown OWASP risk ID: ${id}`);
   }

2. Memory and Context Poisoning (ASI06)

   • The gap analysis highlights the absence of a memory sandbox or context integrity checks. This is a critical security issue as it leaves the system vulnerable to poisoning attacks.
   • Recommendation: Prioritize implementing a ContextValidator module that hashes memory snapshots and validates them before use. This should be integrated into the GovernanceMiddleware.

3. Agentic Supply Chain Vulnerabilities (ASI04)

   • The lack of SBOM (Software Bill of Materials) generation and dependency vulnerability scanning is a significant supply chain risk.
   • Recommendation: Integrate tools like GitHub Advanced Security or Dependabot to automate dependency scanning. Additionally, consider generating SBOMs using tools like cyclonedx-python or syft.

4. Human-Agent Trust Exploitation (ASI09)

   • The absence of UI-level guardrails or "human-in-the-loop" approval workflows is a critical gap for high-risk actions.
   • Recommendation: Implement a HumanApprovalMiddleware that requires explicit human confirmation for actions flagged as high-risk.

---

🟡 WARNING: Potential Breaking Changes

1. Python Version Compatibility

   • The new agent-mcp-governance package lowers the minimum Python version from >=3.12 to >=3.10. While this increases compatibility, it could introduce subtle issues if the codebase relies on features exclusive to Python 3.12.
   • Recommendation: Ensure comprehensive testing across all supported Python versions (3.10–3.13).

2. Legacy Risk ID Deprecation

   • While the LEGACY_AT_TO_ASI mapping ensures backward compatibility, the migration to ASI IDs may break integrations that rely on the old AT identifiers if they are not updated.
   • Recommendation: Clearly document the deprecation timeline for AT IDs and provide migration guides for downstream consumers.

---

💡 Suggestions for Improvement

1. Documentation Enhancements

   • The new OWASP reference architecture document is comprehensive but could benefit from:
     • A "Quick Start" section summarizing how to use the mappings and mitigations.
     • A "Changelog" section to track updates to the taxonomy and mitigations.

2. Static Analysis Rule Coverage

   • The static reviewer rules in reviewer.ts are robust but could be expanded to include:
     • Detection of unbounded data structures (e.g., dictionaries, lists) to prevent memory DoS attacks.
     • Detection of stubbed verify() functions that always return True.

3. Audit Middleware Enhancements

   • The audit middleware currently uses a hash chain for tamper detection. Consider extending this to include:
     • Timestamp validation to detect replay attacks.
     • Integration with a secure time source (e.g., NTP with cryptographic validation).

4. Rate Limiting

   • The rate_limit_per_minute parameter in GovernanceMiddleware is a good start but could be enhanced with:
     • Adaptive rate limiting based on historical usage patterns.
     • Per-user or per-agent rate limits to prevent abuse.

5. Mermaid Diagrams

   • The Mermaid diagrams in the OWASP reference architecture are helpful but could be made interactive (e.g., clickable nodes linking to relevant documentation or code).

---

Summary of Changes

• Strengths:

  • Comprehensive migration to OWASP ASI 2026 taxonomy with backward compatibility.
  • Detailed reference architecture with honest gap analysis.
  • New standalone Python package (agent-mcp-governance) with clear API documentation.

• Weaknesses:

  • Critical gaps in memory sandboxing, supply chain security, and human-agent trust mechanisms.
  • Potential for silent failures in risk ID resolution.
  • Some potential breaking changes for downstream consumers.

---

Final Recommendation

• Merge with Conditions:
  • Address the critical issues related to risk ID resolution, memory sandboxing, and supply chain vulnerabilities in follow-up PRs.
  • Document the deprecation timeline for AT IDs and provide migration guides.
  • Expand static analysis rules to cover additional attack vectors.

By addressing these issues, the PR will significantly enhance the security posture of the Agent Governance Toolkit while maintaining backward compatibility.