fix(ci): restore read-all at workflow level for Scorecard verification (#327)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes #316

* ci: add markdown link checker workflow (#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (#309) (#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR #325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>

Author: 6 people

.github/workflows/scorecard.yml

@@ -6,12 +6,9 @@ on:
   schedule:
     - cron: "15 7 * * 1"
 
-# Minimum permissions required by OpenSSF Scorecard
-permissions:
-  security-events: write
-  id-token: write
-  contents: read
-  actions: read
+# Workflow-level permissions must be read-only for Scorecard verification.
+# Write permissions are scoped to the job level below.
+permissions: read-all
 
 jobs:
   analysis:

README.md

@@ -271,6 +271,18 @@ Works with **12+ agent frameworks** including:
 | Human-Agent Trust Deficit | ASI-09 | ✅ Full audit trails + flight recorder |
 | Rogue Agents | ASI-10 | ✅ Kill switch + ring isolation + behavioral anomaly detection |
 
+Full mapping with implementation details and test evidence: **[OWASP-COMPLIANCE.md](docs/OWASP-COMPLIANCE.md)**
+
+### Regulatory Alignment
+
+| Regulation | Deadline | AGT Coverage |
+|------------|----------|-------------|
+| EU AI Act — High-Risk AI (Annex III) | August 2, 2026 | Audit trails (Art. 12), risk management (Art. 9), human oversight (Art. 14) |
+| Colorado AI Act (SB 24-205) | June 30, 2026 | Risk assessments, human oversight mechanisms, consumer disclosures |
+| EU AI Act — GPAI Obligations | Active | Transparency, copyright policies, systemic risk assessment |
+
+AGT provides **runtime governance** — what agents are allowed to do. For **data governance** and regulator-facing evidence export, see [Microsoft Purview DSPM for AI](https://learn.microsoft.com/purview/ai-microsoft-purview) as a complementary layer.
+
 ## Performance
 
 Governance adds **< 0.1 ms per action** — roughly 10,000× faster than an LLM API call.

docs/deployment/azure-foundry-agent-service.md

@@ -82,7 +82,7 @@ Each middleware works independently. Use any combination based on your requireme
 pip install agent-governance-toolkit[full]
 
 # Or install individual packages
-pip install agent-os agentmesh agent-sre
+pip install agent-os-kernel agentmesh-platform agent-sre
 ```
 
 ---

docs/tutorials/06-execution-sandboxing.md

@@ -55,7 +55,7 @@ layers of defense:
 
 - Python ≥ 3.11
 - `pip install agent-runtime` (v2.0.2+)
-- For capability guards: `pip install agent-os`
+- For capability guards: `pip install agent-os-kernel`
 
 ---
 

packages/agent-compliance/docs/submissions/adversa-mcp-security-submission.md

@@ -88,7 +88,7 @@ Identifies malicious schema patterns:
 
 ```bash
 # Install
-pip install agent-os
+pip install agent-os-kernel
 
 # Scan an MCP configuration file
 mcp-scan scan mcp-config.json

packages/agent-compliance/docs/submissions/owasp-genai-implementation-guide.md

@@ -11,7 +11,7 @@ The stack consists of four components:
 
 | Component | Role | Install |
 |---|---|---|
-| **Agent OS** | Governance kernel — policy, sandbox, memory, MCP security | `pip install agent-os` |
+| **Agent OS** | Governance kernel — policy, sandbox, memory, MCP security | `pip install agent-os-kernel` |
 | **AgentMesh** | Identity & trust — DIDs, SPIFFE, handshake, reputation | `pip install agentmesh` |
 | **Agent SRE** | Observability — SLOs, anomaly detection, chaos, OpenTelemetry | `pip install agent-sre` |
 | **Agent Runtime** | Runtime control — kill switch, execution rings, saga rollback | `pip install agent-runtime` |
@@ -1044,7 +1044,7 @@ This implementation guide is a community contribution to the OWASP GenAI project
 To reproduce the examples, install the stack:
 
 ```bash
-pip install agent-os agentmesh agent-sre agent-runtime
+pip install agent-os-kernel agentmesh-platform agent-sre agent-runtime
 ```
 
 All source code is available under the MIT license. PRs and issues welcome at

packages/agent-os/assets/demo-terminal.svg

@@ -59,7 +59,7 @@ Learn by doing with our Jupyter notebooks:
 
 ```bash
 # Core package
-pip install agent-os
+pip install agent-os-kernel
 
 # With all features
 pip install agent-os-kernel[full]

packages/agent-os/docs/index.md

@@ -43,7 +43,7 @@ Common issues and solutions for Agent OS.
 
 2. **Install in the correct environment:**
    ```bash
-   python -m pip install agent-os
+   python -m pip install agent-os-kernel
    ```
 
 ### Import errors with optional dependencies

packages/agent-os/docs/troubleshooting.md

@@ -10,7 +10,7 @@
 ## Step 1: Install (30 seconds)
 
 ```bash
-pip install agent-os
+pip install agent-os-kernel
 ```
 
 ## Step 2: Create Your First Agent (2 minutes)