build(deps): Bump scikit-learn from 1.3.2 to 1.5.0 in /packages/agent-os/modules/caas#4
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
Bumps [scikit-learn](https://github.com/scikit-learn/scikit-learn) from 1.3.2 to 1.5.0. - [Release notes](https://github.com/scikit-learn/scikit-learn/releases) - [Commits](scikit-learn/scikit-learn@1.3.2...1.5.0) --- updated-dependencies: - dependency-name: scikit-learn dependency-version: 1.5.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Member
|
Closing — will address dependency updates in bulk during pre-release cleanup. |
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
dependabot
Bot
deleted the
dependabot/pip/packages/agent-os/modules/caas/scikit-learn-1.5.0
branch
4 tasks
imran-siddique
added a commit
that referenced
this pull request
Apr 1, 2026
… 37 files) (#684) * fix(security): eliminate CI injection vectors and pin actions (#1) - Move all github.event.* expressions from run: to env: blocks (CWE-94) - spell-check.yml: changed_files via env var - markdown-link-check.yml: changed_files via temp file input - ai-spec-drafter.yml: issue.number via env var - ai-test-generator.yml: pull_request.number via env var - ai-release-notes.yml: release.tag_name via env var - sbom.yml: release.tag_name via env var - Redact secret scanner output to prevent secret leaks to CI logs (CWE-200) - SHA-pin dtolnay/rust-toolchain (the only unpinned action) (CWE-829) - Add missing permissions: block to markdown-link-check.yml (CWE-250) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): supply chain hardening — dep confusion, lockfiles, Dockerfile digest (#2) - Fix dependency confusion: replace agent-primitives==0.1.0 with local file references in scak and iatp requirements.txt (CWE-427) - Pin root Dockerfile base image to SHA digest (CWE-829) - Generate missing package-lock.json for 4 npm packages (CWE-829): mcp-proxy, api, chrome extension, mastra-agentmesh - Remove unsafe npm ci || npm install fallback in ESRP pipeline (CWE-829) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): Docker/infra hardening — CORS, Grafana, .dockerignore, CODEOWNERS (#3) - Replace hardcoded Grafana admin passwords with env var refs in 7 docker-compose files (CWE-798) - Replace wildcard CORS allow_origins=[*] with env-driven origins in 6 production services (CWE-942) - Add secret exclusion patterns (.env, *.key, *.pem, *.p12) to root and caas .dockerignore files (CWE-532) - Add security contact, supported versions, and 90-day disclosure policy to SECURITY.md (CWE-693) - Add CODEOWNERS rules for scripts/, Dockerfile, docker-compose*, .dockerignore, .clusterfuzzlite/ (CWE-862) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): code quality — XSS, Rust panics, example warnings (#4) - Replace innerHTML with safe DOM APIs (textContent, createElement) in PolicyEditorPanel.ts and MetricsDashboardPanel.ts (CWE-79) - Add HTML entity escaping for violation names in metrics dashboard - Replace .unwrap() with .expect() on production RwLock/Mutex calls in policy.rs for clearer panic messages (CWE-252) - Add INTENTIONALLY INSECURE warnings to test fixture code in github-reviewer example to prevent copy-paste propagation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Apr 11, 2026
prashansapkota
added a commit
to prashansapkota/agent-governance-toolkit
that referenced
this pull request
Apr 27, 2026
- Add session_id to GovernanceReceipt to prevent replay attacks by binding receipts to a specific execution context (Critical #1) - Add trusted_keys parameter to verify_receipt_chain for signer public key validation against a trusted set (Critical microsoft#3) - Add Unicode edge case tests: emoji, CJK, empty strings (Critical microsoft#4) - Add --json output flag to verify_receipts.py for CI/CD integration - 74 tests passing (9 new tests added)
imran-siddique
pushed a commit
that referenced
this pull request
Apr 27, 2026
* feat: offline-verifiable decision receipts (Ed25519 + JCS) - Add parent_receipt_hash for per-tool-call hash chaining - Enforce RFC 8785 JCS canonical JSON (ensure_ascii=False) - Add verify_receipt_chain() for offline chain verification - Add to_slsa_provenance() for SLSA v1.0 predicate emission - Add CLI verifier (scripts/verify_receipts.py) - Add tutorial (docs/tutorials/33-offline-verifiable-receipts.md) - 65 tests passing Closes #1499 * fix: address CodeQL and reviewer critical findings - Fix CodeQL high: use urlparse hostname check instead of substring match for builder URL validation (Incomplete URL substring sanitization) - Fix critical: verify_receipt_chain now flags unsigned receipts instead of silently skipping them, preventing unsigned receipt injection - Update tests to verify the unsigned receipt detection behavior * fix: address code-reviewer critical findings - Add session_id to GovernanceReceipt to prevent replay attacks by binding receipts to a specific execution context (Critical #1) - Add trusted_keys parameter to verify_receipt_chain for signer public key validation against a trusted set (Critical #3) - Add Unicode edge case tests: emoji, CJK, empty strings (Critical #4) - Add --json output flag to verify_receipts.py for CI/CD integration - 74 tests passing (9 new tests added) * fix: address second-round reviewer findings - CLI verify_receipts.py: structured per-receipt JSON output with exit codes (0=ok, 1=chain error, 2=load error) and --json flag detail - Tests: add Unicode edge cases (replacement char U+FFFD, Arabic RTL), SLSA schema field validation, inserted-receipt detection, and all-defaults unsigned receipt coverage (83 tests total) * refactor: simplify and clean up receipt, adapter, tests, and CLI - receipt.py: remove verbose docstrings; flatten to_slsa_provenance dict; tighten sign_receipt, verify_receipt, and verify_receipt_chain - adapter.py: collapse CedarPolicyEvaluator init; remove redundant comments; shorten govern_tool_call and govern_and_execute - verify_receipts.py: collapse _reconstruct and verify_chain; tighten main() - test_receipt.py: shared _make_chain helper; collapse unicode cases into one parametrized test; merge duplicate fixtures; 583 → 280 lines, same coverage * fix: address latest reviewer critical findings - verify_receipt: raise ImportError instead of silently returning False when cryptography library is missing - ReceiptSigningError: custom exception replaces generic RuntimeError in govern_tool_call for clearer failure context - ReceiptStore.add: enforce receipt_id uniqueness to prevent replay injection - verify_receipt_chain: validate signer_public_key is 64-char hex before trusted-key comparison to block malformed key bypass --------- Co-authored-by: Prashan Sapkota <prashansapkota@users.noreply.github.com>
This was referenced Apr 29, 2026
imran-siddique
added a commit
that referenced
this pull request
May 4, 2026
…1709) Packages existing chaos engineering (adversarial playbooks) and PromptDefenseEvaluator into a unified CLI surface: agt red-team scan <path> - Scan prompts for defense gaps agt red-team attack - Run adversarial playbooks agt red-team list-playbooks - List available attack playbooks agt red-team report - Full red-team assessment Addresses Gartner gap #4 (agent security testing/red teaming) by making AGT's existing capabilities discoverable via a single command. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
imran-siddique
pushed a commit
that referenced
this pull request
May 12, 2026
…ner execs (#1954) The timeout watchdog inside ``run`` called ``container.kill()`` to abort an over-budget exec. That kills the entire container, destroying every guest-state artefact prior ``execute_code`` calls in the same session built up — installed packages, /tmp files, running daemons, mounted scratch space, all of it. A single timeout on exec #5 effectively wiped exec #1-#4's accumulated state. Two structural changes, both load-bearing: 1. Scope the timeout to the specific exec, not the whole container. The new ``_run_with_exec_timeout`` drives ``exec_create`` / ``exec_start`` through the low-level Docker API so we hold the exec_id. On timeout, ``exec_inspect`` gives us the PID and we send SIGKILL to that process via ``container.exec_run(['kill', '-9', pid])`` from inside the container. ``container.kill()`` is now a fallback that fires only when the PID is unavailable or the kill itself fails. 2. Serialise concurrent execs per container with a per-(agent, session) ``threading.Lock`` in ``self._exec_locks``. Without this, a timeout on exec A could disrupt an unrelated exec B running in parallel inside the same container. The lock entry is cleaned up alongside the container in ``destroy_session``. For the test path: when only the high-level ``container.exec_run`` is mocked (the existing fixture's pattern), the low-level API returns MagicMocks that aren't usable. The new ``_LowLevelExecUnavailable`` sentinel detects that case and falls back to ``_run_with_legacy_timeout`` — which mirrors the prior behaviour (``container.exec_run`` in a thread, ``container.kill()`` on timeout). Real Docker daemons always return tuple output and never trip the fallback. Adds two regression tests: - ``test_timeout_kills_exec_process_not_container`` — timeout fires; asserts ``container.kill`` was NOT called and the PID-targeted ``container.exec_run(['kill', '-9', '4242'])`` WAS called - ``test_concurrent_runs_serialise_per_container`` — 4 threads concurrently call ``run`` against the same session; asserts max-in-flight is 1 (serialised by the per-container lock) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merged
27 tasks
jackbatzner
added a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 29, 2026
…se auth Addresses Opus PR microsoft#2645 re-review finding microsoft#4 ("resolve_dispute is security theater") and a tangential sweep finding (submit_dispute did not lock the escrow against further releases). Changes: - release_escrow: outcome="failure" now requires the provider's token (or admin), not the requester's. A requester cannot unilaterally refund themselves by claiming failure; the dispute flow is the only way to contest a delivery. outcome="success" still requires the requester (acknowledging delivery) and outcome="dispute" requires either participant. - submit_dispute (arbiter): now atomically marks the escrow as "disputed" via a new escrow.mark_escrow_disputed helper. Once a dispute is open, neither party can /release the escrow until the arbiter rules. Idempotent for already-disputed escrows; rejects terminal-state escrows with 400 ESCROW_ALREADY_RESOLVED. - resolve_dispute (arbiter): no longer returns a fabricated 100-credit payout that never moves state. It now (a) looks up the escrow's actual locked credit total via escrow.get_escrow_credits, (b) computes the split, (c) calls escrow.disburse_disputed_escrow to actually move the credits and transition the escrow out of "disputed", and (d) emits a "dispute_resolved" compliance event. Reputation deltas remain advisory (documented in README) since real reputation wiring is out of scope. - escrow: new helpers get_escrow_credits, mark_escrow_disputed, disburse_disputed_escrow. The disburse helper rejects splits that do not sum to the locked credit total (400 DISBURSEMENT_MISMATCH) so arbiter math errors fail loudly. README: documents the per-outcome release auth model, the dispute locking guarantee, and the reputation-still-advisory boundary. Tests: 20/20 passing (3 new): - test_release_outcome_failure_requires_provider_or_admin - test_submit_dispute_locks_escrow_against_subsequent_release - test_resolve_dispute_disburses_locked_credits_and_unlocks_escrow GPT-5.5 re-review was clean (no blockers/warnings). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 29, 2026
…ILING Red-team finding microsoft#4: IntentManager.check_action does not verify that the caller's agent_id matches the intent's agent_id, so agent B can reuse agent A's stored intent record to perform privileged actions under A's policy context. Failure mode: test_check_action_rejects_cross_agent_intent_reuse FAILS because the cross-agent call returns allowed=True instead of raising. Fix in next commit.
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 29, 2026
Closes microsoft#4. Asserts intent.agent_id == caller agent_id in check_action. Red->Green: 1 failed -> 41 passed.
imran-siddique
pushed a commit
that referenced
this pull request
May 29, 2026
…outes (#2645) * fix(cloud-board): add bearer auth, close credit-minting gap, harden routes Adds a fail-closed bearer-token auth layer to the Nexus Cloud Board API and resolves issues surfaced in the recent security review: - New api/auth.py with admin and agent-scoped principals, SHA-256 + hmac.compare_digest token comparison, '<did>=<token>' agent token entries, 401 with WWW-Authenticate, and 503 when tokens are not configured. - Registry: registration binds the request DID to the verification key, PUT enforces auth + proof-of-possession + DID match, DELETE requires scoped auth, GET/discover redact owner_id and contact for anonymous callers. - Reputation: report and slash are admin-only; slash history is admin-only because it exposes evidence and trace_ids. - Escrow: all mutating endpoints require auth, credits start at 0 (no self-minting), add_credits is admin-only and rejects non-positive amounts, raise_dispute now uses a JSON body. - Arbiter: disputes require an existing escrow, bind the disputing party to the authenticated principal, store participant DIDs, restrict resolution to admins, and scope reads to participants. - Compliance: events/stats/export/download/data-handling are admin-only. - Route ordering fix: /discover, /sync, /leaderboard, /slashes were shadowed by /{agent_did} path-param routes. - README documents env vars, deliberately public reads, and the demo-only security boundary. - 14 pytest cases under tests/cloud_board/test_api_auth.py. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(cloud-board): close SCAK fail-open, require admin outcome on resolve Addresses Opus review findings on PR #2645: - Escrow release with require_scak=true no longer succeeds when scak_drift_score is omitted. Missing drift score now returns 400 SCAK_DRIFT_SCORE_REQUIRED instead of falling through to the success path. Drift above the threshold still resolves as failure. - Arbiter resolve_dispute now requires an admin-supplied outcome (requester_wins | provider_wins | split) plus optional explanation. The arbiter no longer derives the winner from claimed_outcome (which is supplied by the disputing party at submit time and is therefore attacker-influenced). - Arbiter get_resolution now returns the resolution record actually stored by resolve_dispute. It 404s with RESOLUTION_NOT_FOUND before the dispute is resolved, instead of returning a hardcoded 50/50 split with a fabricated explanation. - Three regression tests added (now 17 total): SCAK release without drift score is rejected; resolve_dispute without/with bad outcome is rejected and admin outcome is recorded; get_resolution 404s before resolve and returns the stored outcome after. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(cloud-board): wire arbiter to escrow state machine, tighten release auth Addresses Opus PR #2645 re-review finding #4 ("resolve_dispute is security theater") and a tangential sweep finding (submit_dispute did not lock the escrow against further releases). Changes: - release_escrow: outcome="failure" now requires the provider's token (or admin), not the requester's. A requester cannot unilaterally refund themselves by claiming failure; the dispute flow is the only way to contest a delivery. outcome="success" still requires the requester (acknowledging delivery) and outcome="dispute" requires either participant. - submit_dispute (arbiter): now atomically marks the escrow as "disputed" via a new escrow.mark_escrow_disputed helper. Once a dispute is open, neither party can /release the escrow until the arbiter rules. Idempotent for already-disputed escrows; rejects terminal-state escrows with 400 ESCROW_ALREADY_RESOLVED. - resolve_dispute (arbiter): no longer returns a fabricated 100-credit payout that never moves state. It now (a) looks up the escrow's actual locked credit total via escrow.get_escrow_credits, (b) computes the split, (c) calls escrow.disburse_disputed_escrow to actually move the credits and transition the escrow out of "disputed", and (d) emits a "dispute_resolved" compliance event. Reputation deltas remain advisory (documented in README) since real reputation wiring is out of scope. - escrow: new helpers get_escrow_credits, mark_escrow_disputed, disburse_disputed_escrow. The disburse helper rejects splits that do not sum to the locked credit total (400 DISBURSEMENT_MISMATCH) so arbiter math errors fail loudly. README: documents the per-outcome release auth model, the dispute locking guarantee, and the reputation-still-advisory boundary. Tests: 20/20 passing (3 new): - test_release_outcome_failure_requires_provider_or_admin - test_submit_dispute_locks_escrow_against_subsequent_release - test_resolve_dispute_disburses_locked_credits_and_unlocks_escrow GPT-5.5 re-review was clean (no blockers/warnings). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(cloud-board): RED — bearer-auth oracle + env-cache regressions (F#3,4,10,15) Pre-fix failure modes: 5 RED (403 vs 401 oracle on require_admin x4 endpoints; 503 vs 200 on admin plane when one env entry is malformed); 1 invariant-pin (bearer-cap behavior is response-code identical pre/post since both reject, but the test pins the cap regression-side). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): harden bearer auth (F#3 oracle, F#4 cache, F#10 doc, F#15 length cap) GREEN: 6/6 group-1 regression tests now pass. - F#3: require_admin returns uniform 401 (drops 403-on-valid-agent-token oracle) - F#4: cache parsed agent-token env entries; malformed entries log+continue instead of 503ing every request - F#10: document comma-in-token limitation - F#15: refuse bearer tokens > 256 bytes before SHA-256 (DoS hardening) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(cloud-board): RED — escrow double-pay + fail-closed regressions (F#1,2,5,7,8,9,12) Pre-fix failure modes: 9 RED - test_raise_dispute_rejects_terminal_escrow_no_double_payout: 200 != 400 (terminal escrow re-disputable, full create->release->dispute->resolve chain inflates total credits) - test_disburse_disputed_escrow_refuses_second_payout: DID NOT RAISE (second disburse succeeds, doubling provider credits) - test_scak_drift_score_rejects_non_finite_values[nan/inf/-inf]: DID NOT RAISE (validator absent on baseline) - test_create_escrow_rejects_self_escrow: 200 != 400 (self-escrow accepted) - test_create_escrow_rejects_unregistered_provider: 200 != 400 (no registration check) - test_unauthorized_escrow_access_returns_404_not_403: 403 != 404 (oracle distinguishes participant vs non-participant) - test_dispute_reason_capped_on_release_dispute: 200 != 422 (no length cap) - 1 invariant-pin (release_dispute_branch_preserves_audit_reason) for F#7 defense-in-depth Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): close escrow double-pay + fail-closed validators (F#1,2,5,7,8,9,12) GREEN: 10/10 group-2 regression tests now pass; full suite 32/32. - F#1: raise_dispute refuses terminal states; idempotent already-disputed preserves reason; disburse_disputed_escrow rejects if resolved_at set (3 layered defenses) - F#2: ReleaseEscrowRequest rejects NaN/+Inf/-Inf scak_drift_score via field_validator - F#5: _authorize_escrow_participant returns 404 (not 403) - F#7: release(outcome=dispute) preserves prior dispute_reason instead of clobbering with None - F#8: ReleaseEscrowRequest.dispute_reason capped at 1000 chars - F#9: create_escrow rejects requester_did == provider_did (SELF_ESCROW_FORBIDDEN) - F#12: create_escrow rejects unregistered provider (PROVIDER_NOT_REGISTERED) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(cloud-board): RED — arbiter dispute lifecycle regressions (F#5,6,8,14,17) Pre-fix failure modes: 6 RED — 403!=404 oracle on dispute GET, 200!=409 on duplicate submit, KeyError submitted_by, 403!=404 oracle on submit, 200!=422 reason cap, orphan dispute not marked terminal. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): tighten arbiter dispute lifecycle (F#5,6,8,14,17) GREEN: 6/6 group-3 regression tests now pass. - F#5: dispute participant checks return 404 (not 403) - F#6: reject duplicate open disputes for same escrow (409 DISPUTE_ALREADY_OPEN) - F#8: SubmitDisputeRequest.dispute_reason length-capped at 1000 - F#14: submit_dispute records submitted_by (agent DID or 'admin') - F#17: resolve_dispute on missing escrow marks dispute terminal before 409 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(cloud-board): RED — registry hardening regressions (F#3,11,16) Pre-fix failure modes: 3 RED - test_get_agent_redacts_pii_for_other_authenticated_callers: owner_id leaks to PROVIDER (non-owner authenticated caller) due to denylist redaction - test_registration_rejects_naive_proof_timestamp: 500 TypeError 'can't subtract offset-naive and offset-aware datetimes' instead of 400 - test_did_now_uses_full_256_bit_sha256: full 64-char DID rejected as DID_MISMATCH because baseline truncates to 32 chars Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): registry hardening (F#3 PII allowlist, F#11 tz, F#16 256-bit DID) GREEN: 3/3 group-4 regression tests now pass; full suite 39/39. - F#3: _view_manifest uses an allowlist (did, verification_key, display_name); full identity only for owner or admin - F#11: register/update_agent reject naive timestamps with 400 INVALID_TIMESTAMP - F#16: derived DID uses full 64-hex-char SHA-256 (256-bit) instead of 128-bit truncation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(cloud-board): document reputation read asymmetry + PII redaction model (F#13) Also fixes ruff W292 missing trailing newline in test_api_auth.py. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 29, 2026
…ILING Red-team finding microsoft#4: IntentManager.check_action does not verify that the caller's agent_id matches the intent's agent_id, so agent B can reuse agent A's stored intent record to perform privileged actions under A's policy context. Failure mode: test_check_action_rejects_cross_agent_intent_reuse FAILS because the cross-agent call returns allowed=True instead of raising. Fix in next commit.
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 29, 2026
Closes microsoft#4. Asserts intent.agent_id == caller agent_id in check_action. Red->Green: 1 failed -> 41 passed.
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 30, 2026
…ILING Red-team finding microsoft#4: IntentManager.check_action does not verify that the caller's agent_id matches the intent's agent_id, so agent B can reuse agent A's stored intent record to perform privileged actions under A's policy context. Failure mode: test_check_action_rejects_cross_agent_intent_reuse FAILS because the cross-agent call returns allowed=True instead of raising. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 30, 2026
Closes microsoft#4. Asserts intent.agent_id == caller agent_id in check_action. Red->Green: 1 failed -> 41 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 30, 2026
…ILING Red-team finding microsoft#4: IntentManager.check_action does not verify that the caller's agent_id matches the intent's agent_id, so agent B can reuse agent A's stored intent record to perform privileged actions under A's policy context. Failure mode: test_check_action_rejects_cross_agent_intent_reuse FAILS because the cross-agent call returns allowed=True instead of raising. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
jackbatzner
pushed a commit
to jackbatzner/agent-governance-toolkit
that referenced
this pull request
May 30, 2026
Closes microsoft#4. Asserts intent.agent_id == caller agent_id in check_action. Red->Green: 1 failed -> 41 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
imran-siddique
pushed a commit
that referenced
this pull request
May 30, 2026
…xecute API (#2644) * fix(agent-os): close authorization bypasses in stateless kernel and execute API Three same-class authorization fixes identified in security review: 1. stateless._check_policies: caller-supplied params['approved']=True no longer satisfies requires_approval gates. Approval must flow through the trusted IntentManager path; unplanned drift on restricted actions is now denied. The legacy flag is stripped from params before action execution. 2. server/app.py /api/v1/execute: caller-supplied agent_id is no longer trusted when authentication is bypassed. The legacy AGENT_OS_ALLOW_UNAUTHENTICATED_EXECUTE env var now raises ValueError at construction time. The replacement AGENT_OS_UNSAFE_ALLOW_UNAUTHENTICATED_EXECUTE is gated on AGENT_OS_ENV in {dev,development,local}; the server-side identity is fixed by AGENT_OS_UNSAFE_LOCAL_EXECUTE_AGENT_ID (default local-dev-agent); mismatched caller agent_id is rejected with 422 (unsafe) or 403 (authenticated). 3. mcp-kernel-server KernelExecuteTool._check_policies: same params.get('approved') bypass pattern as (1); now ignored with a warning log and the action is denied with guidance pointing to a trusted host approval workflow. Tests added/updated for all three paths. Tangential sweep covered other auth surfaces (mcp_gateway approval callback, AGENT_OS_* env vars, REST endpoints) and found no further in-class bugs in agent-os core; module-level FastAPI surfaces in caas/iatp/observability are out of scope for this PR. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(mcp-scan): regression for env-poisoning RCE + cwd hijack -- currently FAILING Red-team findings #1 + #2: mcp-scan CLI accepts arbitrary environment keys (LD_PRELOAD, PYTHONPATH, NODE_OPTIONS, ...) and untrusted cwd paths when launching subprocesses, enabling pre-exec code injection. These regression tests assert the SECURE behavior (refusal). They FAIL on this commit because the helpers _blocked_command_env_keys and _validate_launch_cwd do not exist, proving the vuln surface is present. Failure mode: 28 errors in TestLaunchEnvAndCwdGuards (AttributeError on missing helpers). Fix applied in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(mcp-scan): restore env-key blocklist and untrusted-cwd guard Closes red-team findings #1 + #2. Restores _blocked_command_env_keys and _validate_launch_cwd helpers. Red->Green: 28 errors -> 129 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(authz): regression for approval-key bypasses + provider edge cases -- currently FAILING Red-team findings #8 (confusable/nested approved keys bypass strip), #10 (non-strict-True provider return treated as allow), #11 (log injection via CR/LF in caller fields), #12 (provider BaseException leaks past approval check). Failure mode: 15 failures across stateless + mcp_kernel_server.tools. Cyrillic 'approvеd', uppercased 'Approved', nested dict values, truthy-non-bool returns ('yes', 1, object), and SystemExit/KeyboardInterrupt all currently bypass the gate. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(authz): harden approval-key strip, strict-bool, BaseException, log sanitization Closes red-team #8, #10, #11, #12. NFKC + casefold approved-key match, recursive strip into nested dicts/lists, strict 'is True', except BaseException, _sanitize_log_field. Red->Green: 15 failed -> 141 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(authz): regression for empty-policies bypass + non-loopback execute -- currently FAILING Red-team findings #3 (no policy match -> action allowed even when requires_approval declared elsewhere) and #5 (unsafe execute mode trusted from arbitrary remote peers). Failure mode: test_execute_global_approval_blocks_empty_policy_list FAILS because StatelessKernel falls through to allow when no policy entry matches. test_execute_unsafe_escape_hatch_rejects_non_loopback_peer FAILS because _authenticate_execute_request does not inspect request.client. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(authz): close empty-policies bypass and enforce loopback for unsafe execute Closes #3 + #5. _globally_protected_actions enforced after per-policy loop; _is_loopback_client rejects non-127.x/::1 peers with 403. Red->Green: 2 failed -> 94 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(intent): regression for cross-agent intent reuse -- currently FAILING Red-team finding #4: IntentManager.check_action does not verify that the caller's agent_id matches the intent's agent_id, so agent B can reuse agent A's stored intent record to perform privileged actions under A's policy context. Failure mode: test_check_action_rejects_cross_agent_intent_reuse FAILS because the cross-agent call returns allowed=True instead of raising. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(intent): bind intent to declaring agent_id Closes #4. Asserts intent.agent_id == caller agent_id in check_action. Red->Green: 1 failed -> 41 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(iatp): regression for weak/short trusted-override tokens -- currently FAILING Red-team finding #9: AGENT_OS_IATP_TRUSTED_OVERRIDE_TOKEN accepts any non-empty string -- 'true', 'admin', 'password', 'x' -- so a misconfigured operator (or attacker who can set one env var) trivially enables the X-User-Override path. Failure mode: 18 failures in test_blacklisted_weak_token_disables_gate (main+sidecar paths) and test_short_token_disables_gate. Each demonstrates a weak/short token still bypassing the override check. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(iatp): reject weak/short trusted-override tokens Closes #9. _load_trusted_override_token enforces 16-char minimum and blacklists {true,yes,admin,password,...}. Sidecar delegates to iatp.main to prevent drift. Red->Green: 18 failed -> 30 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(policies): regression for plaintext OPA over network -- currently FAILING Red-team finding #7: OPABackend remote mode follows http:// URLs to non-loopback hosts without warning. An on-path attacker on the OPA route flips allow=true and the kernel approves any action. Failure mode: test_plaintext_remote_non_loopback_denied and test_plaintext_opt_in_without_local_env_denied FAIL because _evaluate_remote performs the HTTP call without protocol gating. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(policies): require HTTPS for remote OPA unless explicitly opted in Closes #7. _evaluate_remote rejects non-HTTPS unless loopback host OR (AGENT_OS_OPA_ALLOW_PLAINTEXT=1 + AGENT_OS_ENV in {local,dev,development}). Plaintext non-loopback returns error='plaintext_opa_blocked'. Red->Green: 2 failed -> 77 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(caas): regression for unauthenticated FastAPI surface gate -- currently FAILING Red-team finding #6: caas.api.server only LOGS a warning when started outside local env; misconfigured deployment exposes every CaaS route silently. Failure mode: 13 failures because _caas_unauth_gate_satisfied does not exist and startup hook does not raise. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(caas): require explicit env gate to start unauthenticated CaaS surface Closes #6. Startup hook raises RuntimeError unless AGENT_OS_ENV in {local,dev,development} OR CAAS_UNSAFE_ALLOW_UNAUTH=1. Red->Green: 13 failed -> 13 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * ci(agent-os): clear no-stubs/no-crypto/spell-check/safety-critical CI gates - Reword TODO(security) doc comments to 'Future hardening (security)' in caas/api/server.py, iatp/main.py (x2 including proxy_task cross-ref), iatp/sidecar/__init__.py so the no-stubs CI gate accepts the docs without losing the design-followup intent. - Replace inline 'import hmac; hmac.compare_digest' with 'import secrets; secrets.compare_digest' in iatp/main.py so the no-custom-crypto CI gate is happy (secrets.compare_digest is the stdlib re-export of hmac.compare_digest, same constant-time guarantee). - Add 19 project-specific terms to .cspell-repo-terms.txt (ASGI, NFKC, casefold, confusables, multitenant, normalisation, sanitised, unicodedata, testclient, monkeypatched, baseexception, rsplit, hdrs, oncall, madmin, backendunavailable, changeme, shortone, approv) for the spell-check-changed-files job. - Update tests/test_safety_critical.py::TestPolicyEdgeCases::test_empty_policies_list_allows to reflect the new fail-closed behavior from fix #3: an empty policies list must DENY requires_approval actions (file_write). Renamed to test_empty_policies_list_denies_protected_actions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * ci(spell-check): allow cyrillic-e 'approv\u0435d' confusable used in unicode normalization tests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> --------- Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <copilot@github.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
… 37 files) (microsoft#684) * fix(security): eliminate CI injection vectors and pin actions (microsoft#1) - Move all github.event.* expressions from run: to env: blocks (CWE-94) - spell-check.yml: changed_files via env var - markdown-link-check.yml: changed_files via temp file input - ai-spec-drafter.yml: issue.number via env var - ai-test-generator.yml: pull_request.number via env var - ai-release-notes.yml: release.tag_name via env var - sbom.yml: release.tag_name via env var - Redact secret scanner output to prevent secret leaks to CI logs (CWE-200) - SHA-pin dtolnay/rust-toolchain (the only unpinned action) (CWE-829) - Add missing permissions: block to markdown-link-check.yml (CWE-250) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): supply chain hardening — dep confusion, lockfiles, Dockerfile digest (microsoft#2) - Fix dependency confusion: replace agent-primitives==0.1.0 with local file references in scak and iatp requirements.txt (CWE-427) - Pin root Dockerfile base image to SHA digest (CWE-829) - Generate missing package-lock.json for 4 npm packages (CWE-829): mcp-proxy, api, chrome extension, mastra-agentmesh - Remove unsafe npm ci || npm install fallback in ESRP pipeline (CWE-829) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): Docker/infra hardening — CORS, Grafana, .dockerignore, CODEOWNERS (microsoft#3) - Replace hardcoded Grafana admin passwords with env var refs in 7 docker-compose files (CWE-798) - Replace wildcard CORS allow_origins=[*] with env-driven origins in 6 production services (CWE-942) - Add secret exclusion patterns (.env, *.key, *.pem, *.p12) to root and caas .dockerignore files (CWE-532) - Add security contact, supported versions, and 90-day disclosure policy to SECURITY.md (CWE-693) - Add CODEOWNERS rules for scripts/, Dockerfile, docker-compose*, .dockerignore, .clusterfuzzlite/ (CWE-862) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(security): code quality — XSS, Rust panics, example warnings (microsoft#4) - Replace innerHTML with safe DOM APIs (textContent, createElement) in PolicyEditorPanel.ts and MetricsDashboardPanel.ts (CWE-79) - Add HTML entity escaping for violation names in metrics dashboard - Replace .unwrap() with .expect() on production RwLock/Mutex calls in policy.rs for clearer panic messages (CWE-252) - Add INTENTIONALLY INSECURE warnings to test fixture code in github-reviewer example to prevent copy-paste propagation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…#1519) * feat: offline-verifiable decision receipts (Ed25519 + JCS) - Add parent_receipt_hash for per-tool-call hash chaining - Enforce RFC 8785 JCS canonical JSON (ensure_ascii=False) - Add verify_receipt_chain() for offline chain verification - Add to_slsa_provenance() for SLSA v1.0 predicate emission - Add CLI verifier (scripts/verify_receipts.py) - Add tutorial (docs/tutorials/33-offline-verifiable-receipts.md) - 65 tests passing Closes microsoft#1499 * fix: address CodeQL and reviewer critical findings - Fix CodeQL high: use urlparse hostname check instead of substring match for builder URL validation (Incomplete URL substring sanitization) - Fix critical: verify_receipt_chain now flags unsigned receipts instead of silently skipping them, preventing unsigned receipt injection - Update tests to verify the unsigned receipt detection behavior * fix: address code-reviewer critical findings - Add session_id to GovernanceReceipt to prevent replay attacks by binding receipts to a specific execution context (Critical microsoft#1) - Add trusted_keys parameter to verify_receipt_chain for signer public key validation against a trusted set (Critical microsoft#3) - Add Unicode edge case tests: emoji, CJK, empty strings (Critical microsoft#4) - Add --json output flag to verify_receipts.py for CI/CD integration - 74 tests passing (9 new tests added) * fix: address second-round reviewer findings - CLI verify_receipts.py: structured per-receipt JSON output with exit codes (0=ok, 1=chain error, 2=load error) and --json flag detail - Tests: add Unicode edge cases (replacement char U+FFFD, Arabic RTL), SLSA schema field validation, inserted-receipt detection, and all-defaults unsigned receipt coverage (83 tests total) * refactor: simplify and clean up receipt, adapter, tests, and CLI - receipt.py: remove verbose docstrings; flatten to_slsa_provenance dict; tighten sign_receipt, verify_receipt, and verify_receipt_chain - adapter.py: collapse CedarPolicyEvaluator init; remove redundant comments; shorten govern_tool_call and govern_and_execute - verify_receipts.py: collapse _reconstruct and verify_chain; tighten main() - test_receipt.py: shared _make_chain helper; collapse unicode cases into one parametrized test; merge duplicate fixtures; 583 → 280 lines, same coverage * fix: address latest reviewer critical findings - verify_receipt: raise ImportError instead of silently returning False when cryptography library is missing - ReceiptSigningError: custom exception replaces generic RuntimeError in govern_tool_call for clearer failure context - ReceiptStore.add: enforce receipt_id uniqueness to prevent replay injection - verify_receipt_chain: validate signer_public_key is 64-char hex before trusted-key comparison to block malformed key bypass --------- Co-authored-by: Prashan Sapkota <prashansapkota@users.noreply.github.com>
MohammadHaroonAbuomar
added a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
Both reviewers (claude-opus-4.7-1m-internal + gpt-5.5) found overlapping concerns. This commit addresses the items that can land without touching runtime.rs. Blockers fixed: - manifest.schema.json missing cedar branch (GPT microsoft#3). Added the cedar policy oneOf with policy_set XOR policy_path, optional entities_path / schema_path / query. - Evidence over 4 KiB silently accepted (GPT microsoft#2 partial). Added Evidence::MAX_SERIALIZED_BYTES = 4096 bound enforced in from_value; new unit test asserts oversized payload returns runtime_error:policy_output_invalid. Warnings fixed: - Rust RuntimeError lacked the four resolution_* variants Python already exposes (GPT microsoft#4 / D6 cross-language parity). Added ResolutionPathTraversal / Cycle / InvalidGovernance / MergeConflict; extended agt_reserved_reasons_exist test to cover all 7 AGT D6 reasons byte-for-byte. - agt-policies build.py silently dropped rules with unsupported operators (Opus microsoft#6). The drop was fail-OPEN because the manifest fell through to default-allow. Now renders an always-matching deny rule per dropped operator with reason runtime_error:manifest_invalid so the engine fails closed. - Decision::applies_effects() included Escalate (Opus microsoft#7). Spec §13.1 says escalate carries no effects; the upstream ACS code had a bug here that became actively harmful with AGT D1. Removed Escalate; explicit Transform also returns false (uses verdict.transform instead). Parity fixture + test updated to match. - DELTA / AGT-SNAPSHOT documented the IFC library replacement as 'MUST replace' the upstream file (Opus microsoft#5). Reframed as 'AGT ships agt_ifc.rego alongside upstream ifc.rego'; AGT users MUST import data.agt.ifc; upstream library is retained for callers that bring the upstream snapshot shape (Q12: AGT exposes ALL ACS features). Remaining round-1 blockers (deferred to a focused follow-up): - Transform verdict parsed at normalization but NOT applied to the policy target at the engine level (Opus/GPT microsoft#1). Adding the application path requires changes to runtime.rs::evaluate_intervention_point. - Effects[] still accepted/applied by the engine (Opus microsoft#2). D1 says MUST reject. Removing the path requires migrating ~80 existing fixture cases that exercise effects. - Evidence telemetry propagation (Opus microsoft#3 / GPT remaining): the runtime needs to attach evidence_artefact and evidence_verification_pointer_keys to decision events, and emit intervention_point.transformed instead of effect_applied. - Bisected action identity (Opus microsoft#4 warning): runtime needs to compute input_identity AND enforced_identity for transform verdicts. These four cluster around the same Rust file (runtime.rs + telemetry.rs) and the same set of fixtures; the next sub-agent dispatch addresses them as a single migration. Test totals after this commit: pytest 44, cargo 170, opa 98 = 312. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: AGT 5.0 ACS merge <agentgovtoolkit@microsoft.com>
MohammadHaroonAbuomar
added a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
… _bridge Round-4 Opus regression: the previous round-4 fix (2604ea0) incremented ``self._adapter_ctx.call_count`` AND called ``self._bridge.record_post_execute(tool_calls=1)``, but both mutations ultimately advance the SnapshotBuilder's ``tool_call_count``: - ``AdapterRuntimeBridge.builder_for(ctx)`` mirrors ``builder.tool_call_count = max(builder.tool_call_count, ctx.call_count)`` on every call (`_v5_runtime_bridge.py:188`). - ``record_post_execute(tool_calls=1)`` then adds another 1 to the same builder via ``record_tool_call``. Result: after 3 sequential non-sensitive calls through the same ``_bridge``, the rego saw ``tool_call_count`` go 0 → 2 → 3 instead of 0 → 1 → 2. A ``GovernancePolicy(max_tool_calls=5)`` would deny on call microsoft#4, not call microsoft#5 — a silent off-by-one against the documented ``max_tool_calls`` contract. The smolagents adapter already warned about this anti-pattern (`smolagents_adapter.py:734-738` / `:1032-1035` comments) and uses the single-mutation pattern. The fix here adopts that pattern: drop both ``record_post_execute`` calls. The single ``ctx.call_count += 1`` propagates to both the default ``_bridge`` and the sibling ``_approval_bridge`` (when present) via the ``builder_for`` mirror, which is what closed the original GPT round-3 budget-divergence regression. The new regression test ``test_repeated_non_sensitive_calls_do_not_double_count_budget`` asserts three sequential calls produce ``tool_call_count == [0, 1, 2]`` in the order the rego dispatcher observes. Test fails against pre-fix code (observes ``[0, 2, 3]``), passes against post-fix. Tested: 13/13 TestGoogleADKBridgeScenarios + 251 test_integrations.py + 10/10 demo. No regressions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Mohamed AbuOmar <mhabuomar@users.noreply.github.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…icrosoft#1709) Packages existing chaos engineering (adversarial playbooks) and PromptDefenseEvaluator into a unified CLI surface: agt red-team scan <path> - Scan prompts for defense gaps agt red-team attack - Run adversarial playbooks agt red-team list-playbooks - List available attack playbooks agt red-team report - Full red-team assessment Addresses Gartner gap microsoft#4 (agent security testing/red teaming) by making AGT's existing capabilities discoverable via a single command. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…ner execs (microsoft#1954) The timeout watchdog inside ``run`` called ``container.kill()`` to abort an over-budget exec. That kills the entire container, destroying every guest-state artefact prior ``execute_code`` calls in the same session built up — installed packages, /tmp files, running daemons, mounted scratch space, all of it. A single timeout on exec microsoft#5 effectively wiped exec microsoft#1-microsoft#4's accumulated state. Two structural changes, both load-bearing: 1. Scope the timeout to the specific exec, not the whole container. The new ``_run_with_exec_timeout`` drives ``exec_create`` / ``exec_start`` through the low-level Docker API so we hold the exec_id. On timeout, ``exec_inspect`` gives us the PID and we send SIGKILL to that process via ``container.exec_run(['kill', '-9', pid])`` from inside the container. ``container.kill()`` is now a fallback that fires only when the PID is unavailable or the kill itself fails. 2. Serialise concurrent execs per container with a per-(agent, session) ``threading.Lock`` in ``self._exec_locks``. Without this, a timeout on exec A could disrupt an unrelated exec B running in parallel inside the same container. The lock entry is cleaned up alongside the container in ``destroy_session``. For the test path: when only the high-level ``container.exec_run`` is mocked (the existing fixture's pattern), the low-level API returns MagicMocks that aren't usable. The new ``_LowLevelExecUnavailable`` sentinel detects that case and falls back to ``_run_with_legacy_timeout`` — which mirrors the prior behaviour (``container.exec_run`` in a thread, ``container.kill()`` on timeout). Real Docker daemons always return tuple output and never trip the fallback. Adds two regression tests: - ``test_timeout_kills_exec_process_not_container`` — timeout fires; asserts ``container.kill`` was NOT called and the PID-targeted ``container.exec_run(['kill', '-9', '4242'])`` WAS called - ``test_concurrent_runs_serialise_per_container`` — 4 threads concurrently call ``run`` against the same session; asserts max-in-flight is 1 (serialised by the per-container lock) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…outes (microsoft#2645) * fix(cloud-board): add bearer auth, close credit-minting gap, harden routes Adds a fail-closed bearer-token auth layer to the Nexus Cloud Board API and resolves issues surfaced in the recent security review: - New api/auth.py with admin and agent-scoped principals, SHA-256 + hmac.compare_digest token comparison, '<did>=<token>' agent token entries, 401 with WWW-Authenticate, and 503 when tokens are not configured. - Registry: registration binds the request DID to the verification key, PUT enforces auth + proof-of-possession + DID match, DELETE requires scoped auth, GET/discover redact owner_id and contact for anonymous callers. - Reputation: report and slash are admin-only; slash history is admin-only because it exposes evidence and trace_ids. - Escrow: all mutating endpoints require auth, credits start at 0 (no self-minting), add_credits is admin-only and rejects non-positive amounts, raise_dispute now uses a JSON body. - Arbiter: disputes require an existing escrow, bind the disputing party to the authenticated principal, store participant DIDs, restrict resolution to admins, and scope reads to participants. - Compliance: events/stats/export/download/data-handling are admin-only. - Route ordering fix: /discover, /sync, /leaderboard, /slashes were shadowed by /{agent_did} path-param routes. - README documents env vars, deliberately public reads, and the demo-only security boundary. - 14 pytest cases under tests/cloud_board/test_api_auth.py. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(cloud-board): close SCAK fail-open, require admin outcome on resolve Addresses Opus review findings on PR microsoft#2645: - Escrow release with require_scak=true no longer succeeds when scak_drift_score is omitted. Missing drift score now returns 400 SCAK_DRIFT_SCORE_REQUIRED instead of falling through to the success path. Drift above the threshold still resolves as failure. - Arbiter resolve_dispute now requires an admin-supplied outcome (requester_wins | provider_wins | split) plus optional explanation. The arbiter no longer derives the winner from claimed_outcome (which is supplied by the disputing party at submit time and is therefore attacker-influenced). - Arbiter get_resolution now returns the resolution record actually stored by resolve_dispute. It 404s with RESOLUTION_NOT_FOUND before the dispute is resolved, instead of returning a hardcoded 50/50 split with a fabricated explanation. - Three regression tests added (now 17 total): SCAK release without drift score is rejected; resolve_dispute without/with bad outcome is rejected and admin outcome is recorded; get_resolution 404s before resolve and returns the stored outcome after. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(cloud-board): wire arbiter to escrow state machine, tighten release auth Addresses Opus PR microsoft#2645 re-review finding microsoft#4 ("resolve_dispute is security theater") and a tangential sweep finding (submit_dispute did not lock the escrow against further releases). Changes: - release_escrow: outcome="failure" now requires the provider's token (or admin), not the requester's. A requester cannot unilaterally refund themselves by claiming failure; the dispute flow is the only way to contest a delivery. outcome="success" still requires the requester (acknowledging delivery) and outcome="dispute" requires either participant. - submit_dispute (arbiter): now atomically marks the escrow as "disputed" via a new escrow.mark_escrow_disputed helper. Once a dispute is open, neither party can /release the escrow until the arbiter rules. Idempotent for already-disputed escrows; rejects terminal-state escrows with 400 ESCROW_ALREADY_RESOLVED. - resolve_dispute (arbiter): no longer returns a fabricated 100-credit payout that never moves state. It now (a) looks up the escrow's actual locked credit total via escrow.get_escrow_credits, (b) computes the split, (c) calls escrow.disburse_disputed_escrow to actually move the credits and transition the escrow out of "disputed", and (d) emits a "dispute_resolved" compliance event. Reputation deltas remain advisory (documented in README) since real reputation wiring is out of scope. - escrow: new helpers get_escrow_credits, mark_escrow_disputed, disburse_disputed_escrow. The disburse helper rejects splits that do not sum to the locked credit total (400 DISBURSEMENT_MISMATCH) so arbiter math errors fail loudly. README: documents the per-outcome release auth model, the dispute locking guarantee, and the reputation-still-advisory boundary. Tests: 20/20 passing (3 new): - test_release_outcome_failure_requires_provider_or_admin - test_submit_dispute_locks_escrow_against_subsequent_release - test_resolve_dispute_disburses_locked_credits_and_unlocks_escrow GPT-5.5 re-review was clean (no blockers/warnings). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(cloud-board): RED — bearer-auth oracle + env-cache regressions (F#3,4,10,15) Pre-fix failure modes: 5 RED (403 vs 401 oracle on require_admin x4 endpoints; 503 vs 200 on admin plane when one env entry is malformed); 1 invariant-pin (bearer-cap behavior is response-code identical pre/post since both reject, but the test pins the cap regression-side). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): harden bearer auth (F#3 oracle, F#4 cache, F#10 doc, F#15 length cap) GREEN: 6/6 group-1 regression tests now pass. - F#3: require_admin returns uniform 401 (drops 403-on-valid-agent-token oracle) - F#4: cache parsed agent-token env entries; malformed entries log+continue instead of 503ing every request - F#10: document comma-in-token limitation - F#15: refuse bearer tokens > 256 bytes before SHA-256 (DoS hardening) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(cloud-board): RED — escrow double-pay + fail-closed regressions (F#1,2,5,7,8,9,12) Pre-fix failure modes: 9 RED - test_raise_dispute_rejects_terminal_escrow_no_double_payout: 200 != 400 (terminal escrow re-disputable, full create->release->dispute->resolve chain inflates total credits) - test_disburse_disputed_escrow_refuses_second_payout: DID NOT RAISE (second disburse succeeds, doubling provider credits) - test_scak_drift_score_rejects_non_finite_values[nan/inf/-inf]: DID NOT RAISE (validator absent on baseline) - test_create_escrow_rejects_self_escrow: 200 != 400 (self-escrow accepted) - test_create_escrow_rejects_unregistered_provider: 200 != 400 (no registration check) - test_unauthorized_escrow_access_returns_404_not_403: 403 != 404 (oracle distinguishes participant vs non-participant) - test_dispute_reason_capped_on_release_dispute: 200 != 422 (no length cap) - 1 invariant-pin (release_dispute_branch_preserves_audit_reason) for F#7 defense-in-depth Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): close escrow double-pay + fail-closed validators (F#1,2,5,7,8,9,12) GREEN: 10/10 group-2 regression tests now pass; full suite 32/32. - F#1: raise_dispute refuses terminal states; idempotent already-disputed preserves reason; disburse_disputed_escrow rejects if resolved_at set (3 layered defenses) - F#2: ReleaseEscrowRequest rejects NaN/+Inf/-Inf scak_drift_score via field_validator - F#5: _authorize_escrow_participant returns 404 (not 403) - F#7: release(outcome=dispute) preserves prior dispute_reason instead of clobbering with None - F#8: ReleaseEscrowRequest.dispute_reason capped at 1000 chars - F#9: create_escrow rejects requester_did == provider_did (SELF_ESCROW_FORBIDDEN) - F#12: create_escrow rejects unregistered provider (PROVIDER_NOT_REGISTERED) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(cloud-board): RED — arbiter dispute lifecycle regressions (F#5,6,8,14,17) Pre-fix failure modes: 6 RED — 403!=404 oracle on dispute GET, 200!=409 on duplicate submit, KeyError submitted_by, 403!=404 oracle on submit, 200!=422 reason cap, orphan dispute not marked terminal. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): tighten arbiter dispute lifecycle (F#5,6,8,14,17) GREEN: 6/6 group-3 regression tests now pass. - F#5: dispute participant checks return 404 (not 403) - F#6: reject duplicate open disputes for same escrow (409 DISPUTE_ALREADY_OPEN) - F#8: SubmitDisputeRequest.dispute_reason length-capped at 1000 - F#14: submit_dispute records submitted_by (agent DID or 'admin') - F#17: resolve_dispute on missing escrow marks dispute terminal before 409 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test(cloud-board): RED — registry hardening regressions (F#3,11,16) Pre-fix failure modes: 3 RED - test_get_agent_redacts_pii_for_other_authenticated_callers: owner_id leaks to PROVIDER (non-owner authenticated caller) due to denylist redaction - test_registration_rejects_naive_proof_timestamp: 500 TypeError 'can't subtract offset-naive and offset-aware datetimes' instead of 400 - test_did_now_uses_full_256_bit_sha256: full 64-char DID rejected as DID_MISMATCH because baseline truncates to 32 chars Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(cloud-board): registry hardening (F#3 PII allowlist, F#11 tz, F#16 256-bit DID) GREEN: 3/3 group-4 regression tests now pass; full suite 39/39. - F#3: _view_manifest uses an allowlist (did, verification_key, display_name); full identity only for owner or admin - F#11: register/update_agent reject naive timestamps with 400 INVALID_TIMESTAMP - F#16: derived DID uses full 64-hex-char SHA-256 (256-bit) instead of 128-bit truncation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs(cloud-board): document reputation read asymmetry + PII redaction model (F#13) Also fixes ruff W292 missing trailing newline in test_api_auth.py. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
MohammadHaroonAbuomar
added a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
Both reviewers (claude-opus-4.7-1m-internal + gpt-5.5) found overlapping concerns. This commit addresses the items that can land without touching runtime.rs. Blockers fixed: - manifest.schema.json missing cedar branch (GPT microsoft#3). Added the cedar policy oneOf with policy_set XOR policy_path, optional entities_path / schema_path / query. - Evidence over 4 KiB silently accepted (GPT microsoft#2 partial). Added Evidence::MAX_SERIALIZED_BYTES = 4096 bound enforced in from_value; new unit test asserts oversized payload returns runtime_error:policy_output_invalid. Warnings fixed: - Rust RuntimeError lacked the four resolution_* variants Python already exposes (GPT microsoft#4 / D6 cross-language parity). Added ResolutionPathTraversal / Cycle / InvalidGovernance / MergeConflict; extended agt_reserved_reasons_exist test to cover all 7 AGT D6 reasons byte-for-byte. - agt-policies build.py silently dropped rules with unsupported operators (Opus microsoft#6). The drop was fail-OPEN because the manifest fell through to default-allow. Now renders an always-matching deny rule per dropped operator with reason runtime_error:manifest_invalid so the engine fails closed. - Decision::applies_effects() included Escalate (Opus microsoft#7). Spec §13.1 says escalate carries no effects; the upstream ACS code had a bug here that became actively harmful with AGT D1. Removed Escalate; explicit Transform also returns false (uses verdict.transform instead). Parity fixture + test updated to match. - DELTA / AGT-SNAPSHOT documented the IFC library replacement as 'MUST replace' the upstream file (Opus microsoft#5). Reframed as 'AGT ships agt_ifc.rego alongside upstream ifc.rego'; AGT users MUST import data.agt.ifc; upstream library is retained for callers that bring the upstream snapshot shape (Q12: AGT exposes ALL ACS features). Remaining round-1 blockers (deferred to a focused follow-up): - Transform verdict parsed at normalization but NOT applied to the policy target at the engine level (Opus/GPT microsoft#1). Adding the application path requires changes to runtime.rs::evaluate_intervention_point. - Effects[] still accepted/applied by the engine (Opus microsoft#2). D1 says MUST reject. Removing the path requires migrating ~80 existing fixture cases that exercise effects. - Evidence telemetry propagation (Opus microsoft#3 / GPT remaining): the runtime needs to attach evidence_artefact and evidence_verification_pointer_keys to decision events, and emit intervention_point.transformed instead of effect_applied. - Bisected action identity (Opus microsoft#4 warning): runtime needs to compute input_identity AND enforced_identity for transform verdicts. These four cluster around the same Rust file (runtime.rs + telemetry.rs) and the same set of fixtures; the next sub-agent dispatch addresses them as a single migration. Test totals after this commit: pytest 44, cargo 170, opa 98 = 312. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: AGT 5.0 ACS merge <agentgovtoolkit@microsoft.com>
MohammadHaroonAbuomar
added a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
… _bridge Round-4 Opus regression: the previous round-4 fix (a27c118) incremented ``self._adapter_ctx.call_count`` AND called ``self._bridge.record_post_execute(tool_calls=1)``, but both mutations ultimately advance the SnapshotBuilder's ``tool_call_count``: - ``AdapterRuntimeBridge.builder_for(ctx)`` mirrors ``builder.tool_call_count = max(builder.tool_call_count, ctx.call_count)`` on every call (`_v5_runtime_bridge.py:188`). - ``record_post_execute(tool_calls=1)`` then adds another 1 to the same builder via ``record_tool_call``. Result: after 3 sequential non-sensitive calls through the same ``_bridge``, the rego saw ``tool_call_count`` go 0 → 2 → 3 instead of 0 → 1 → 2. A ``GovernancePolicy(max_tool_calls=5)`` would deny on call microsoft#4, not call microsoft#5 — a silent off-by-one against the documented ``max_tool_calls`` contract. The smolagents adapter already warned about this anti-pattern (`smolagents_adapter.py:734-738` / `:1032-1035` comments) and uses the single-mutation pattern. The fix here adopts that pattern: drop both ``record_post_execute`` calls. The single ``ctx.call_count += 1`` propagates to both the default ``_bridge`` and the sibling ``_approval_bridge`` (when present) via the ``builder_for`` mirror, which is what closed the original GPT round-3 budget-divergence regression. The new regression test ``test_repeated_non_sensitive_calls_do_not_double_count_budget`` asserts three sequential calls produce ``tool_call_count == [0, 1, 2]`` in the order the rego dispatcher observes. Test fails against pre-fix code (observes ``[0, 2, 3]``), passes against post-fix. Tested: 13/13 TestGoogleADKBridgeScenarios + 251 test_integrations.py + 10/10 demo. No regressions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Mohamed AbuOmar <mhabuomar@users.noreply.github.com>
MohammadHaroonAbuomar
pushed a commit
to MohammadHaroonAbuomar/agt-acs
that referenced
this pull request
Jun 1, 2026
…xecute API (microsoft#2644) * fix(agent-os): close authorization bypasses in stateless kernel and execute API Three same-class authorization fixes identified in security review: 1. stateless._check_policies: caller-supplied params['approved']=True no longer satisfies requires_approval gates. Approval must flow through the trusted IntentManager path; unplanned drift on restricted actions is now denied. The legacy flag is stripped from params before action execution. 2. server/app.py /api/v1/execute: caller-supplied agent_id is no longer trusted when authentication is bypassed. The legacy AGENT_OS_ALLOW_UNAUTHENTICATED_EXECUTE env var now raises ValueError at construction time. The replacement AGENT_OS_UNSAFE_ALLOW_UNAUTHENTICATED_EXECUTE is gated on AGENT_OS_ENV in {dev,development,local}; the server-side identity is fixed by AGENT_OS_UNSAFE_LOCAL_EXECUTE_AGENT_ID (default local-dev-agent); mismatched caller agent_id is rejected with 422 (unsafe) or 403 (authenticated). 3. mcp-kernel-server KernelExecuteTool._check_policies: same params.get('approved') bypass pattern as (1); now ignored with a warning log and the action is denied with guidance pointing to a trusted host approval workflow. Tests added/updated for all three paths. Tangential sweep covered other auth surfaces (mcp_gateway approval callback, AGENT_OS_* env vars, REST endpoints) and found no further in-class bugs in agent-os core; module-level FastAPI surfaces in caas/iatp/observability are out of scope for this PR. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(mcp-scan): regression for env-poisoning RCE + cwd hijack -- currently FAILING Red-team findings microsoft#1 + microsoft#2: mcp-scan CLI accepts arbitrary environment keys (LD_PRELOAD, PYTHONPATH, NODE_OPTIONS, ...) and untrusted cwd paths when launching subprocesses, enabling pre-exec code injection. These regression tests assert the SECURE behavior (refusal). They FAIL on this commit because the helpers _blocked_command_env_keys and _validate_launch_cwd do not exist, proving the vuln surface is present. Failure mode: 28 errors in TestLaunchEnvAndCwdGuards (AttributeError on missing helpers). Fix applied in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(mcp-scan): restore env-key blocklist and untrusted-cwd guard Closes red-team findings microsoft#1 + microsoft#2. Restores _blocked_command_env_keys and _validate_launch_cwd helpers. Red->Green: 28 errors -> 129 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(authz): regression for approval-key bypasses + provider edge cases -- currently FAILING Red-team findings microsoft#8 (confusable/nested approved keys bypass strip), microsoft#10 (non-strict-True provider return treated as allow), microsoft#11 (log injection via CR/LF in caller fields), microsoft#12 (provider BaseException leaks past approval check). Failure mode: 15 failures across stateless + mcp_kernel_server.tools. Cyrillic 'approvеd', uppercased 'Approved', nested dict values, truthy-non-bool returns ('yes', 1, object), and SystemExit/KeyboardInterrupt all currently bypass the gate. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(authz): harden approval-key strip, strict-bool, BaseException, log sanitization Closes red-team microsoft#8, microsoft#10, microsoft#11, microsoft#12. NFKC + casefold approved-key match, recursive strip into nested dicts/lists, strict 'is True', except BaseException, _sanitize_log_field. Red->Green: 15 failed -> 141 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(authz): regression for empty-policies bypass + non-loopback execute -- currently FAILING Red-team findings microsoft#3 (no policy match -> action allowed even when requires_approval declared elsewhere) and microsoft#5 (unsafe execute mode trusted from arbitrary remote peers). Failure mode: test_execute_global_approval_blocks_empty_policy_list FAILS because StatelessKernel falls through to allow when no policy entry matches. test_execute_unsafe_escape_hatch_rejects_non_loopback_peer FAILS because _authenticate_execute_request does not inspect request.client. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(authz): close empty-policies bypass and enforce loopback for unsafe execute Closes microsoft#3 + microsoft#5. _globally_protected_actions enforced after per-policy loop; _is_loopback_client rejects non-127.x/::1 peers with 403. Red->Green: 2 failed -> 94 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(intent): regression for cross-agent intent reuse -- currently FAILING Red-team finding microsoft#4: IntentManager.check_action does not verify that the caller's agent_id matches the intent's agent_id, so agent B can reuse agent A's stored intent record to perform privileged actions under A's policy context. Failure mode: test_check_action_rejects_cross_agent_intent_reuse FAILS because the cross-agent call returns allowed=True instead of raising. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(intent): bind intent to declaring agent_id Closes microsoft#4. Asserts intent.agent_id == caller agent_id in check_action. Red->Green: 1 failed -> 41 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(iatp): regression for weak/short trusted-override tokens -- currently FAILING Red-team finding microsoft#9: AGENT_OS_IATP_TRUSTED_OVERRIDE_TOKEN accepts any non-empty string -- 'true', 'admin', 'password', 'x' -- so a misconfigured operator (or attacker who can set one env var) trivially enables the X-User-Override path. Failure mode: 18 failures in test_blacklisted_weak_token_disables_gate (main+sidecar paths) and test_short_token_disables_gate. Each demonstrates a weak/short token still bypassing the override check. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(iatp): reject weak/short trusted-override tokens Closes microsoft#9. _load_trusted_override_token enforces 16-char minimum and blacklists {true,yes,admin,password,...}. Sidecar delegates to iatp.main to prevent drift. Red->Green: 18 failed -> 30 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(policies): regression for plaintext OPA over network -- currently FAILING Red-team finding microsoft#7: OPABackend remote mode follows http:// URLs to non-loopback hosts without warning. An on-path attacker on the OPA route flips allow=true and the kernel approves any action. Failure mode: test_plaintext_remote_non_loopback_denied and test_plaintext_opt_in_without_local_env_denied FAIL because _evaluate_remote performs the HTTP call without protocol gating. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(policies): require HTTPS for remote OPA unless explicitly opted in Closes microsoft#7. _evaluate_remote rejects non-HTTPS unless loopback host OR (AGENT_OS_OPA_ALLOW_PLAINTEXT=1 + AGENT_OS_ENV in {local,dev,development}). Plaintext non-loopback returns error='plaintext_opa_blocked'. Red->Green: 2 failed -> 77 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * test(caas): regression for unauthenticated FastAPI surface gate -- currently FAILING Red-team finding microsoft#6: caas.api.server only LOGS a warning when started outside local env; misconfigured deployment exposes every CaaS route silently. Failure mode: 13 failures because _caas_unauth_gate_satisfied does not exist and startup hook does not raise. Fix in next commit. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * fix(caas): require explicit env gate to start unauthenticated CaaS surface Closes microsoft#6. Startup hook raises RuntimeError unless AGENT_OS_ENV in {local,dev,development} OR CAAS_UNSAFE_ALLOW_UNAUTH=1. Red->Green: 13 failed -> 13 passed. Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * ci(agent-os): clear no-stubs/no-crypto/spell-check/safety-critical CI gates - Reword TODO(security) doc comments to 'Future hardening (security)' in caas/api/server.py, iatp/main.py (x2 including proxy_task cross-ref), iatp/sidecar/__init__.py so the no-stubs CI gate accepts the docs without losing the design-followup intent. - Replace inline 'import hmac; hmac.compare_digest' with 'import secrets; secrets.compare_digest' in iatp/main.py so the no-custom-crypto CI gate is happy (secrets.compare_digest is the stdlib re-export of hmac.compare_digest, same constant-time guarantee). - Add 19 project-specific terms to .cspell-repo-terms.txt (ASGI, NFKC, casefold, confusables, multitenant, normalisation, sanitised, unicodedata, testclient, monkeypatched, baseexception, rsplit, hdrs, oncall, madmin, backendunavailable, changeme, shortone, approv) for the spell-check-changed-files job. - Update tests/test_safety_critical.py::TestPolicyEdgeCases::test_empty_policies_list_allows to reflect the new fail-closed behavior from fix microsoft#3: an empty policies list must DENY requires_approval actions (file_write). Renamed to test_empty_policies_list_denies_protected_actions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> * ci(spell-check): allow cyrillic-e 'approv\u0435d' confusable used in unicode normalization tests Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> --------- Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Jack Batzner <jackbatzner@microsoft.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot <copilot@github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps scikit-learn from 1.3.2 to 1.5.0.
Release notes
Sourced from scikit-learn's releases.
... (truncated)
Commits
b51d0c9trigger whell builder [cd build]919ae9bMAINT Reoder what's new for 1.5 (#29039)0ac28adDOC Release highlights 1.5 (#29007)729b54dtest py3.12 against numpy 2 [cd build]1e50434set versionffbe4abDOC remove obsolete SVM example (#27108)4647729DOC Fix time complexity of MLP (#28592)9bd7047FIX convergence criterion of MeanShift (#28951)b79420fFIX add long long for int32/int64 windows compat in NumPy 2.0 (#29029)37f544dDOC replace pandas with Polars in examples/gaussian_process/plot_gpr_co2.py (...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.