fix: address PR review feedback — docstrings, changelog, yaml safety

imran-siddique · Copilot · imran-siddique · commit 8b2dd0a25aee · 2026-03-18T12:06:28.000-07:00
- Add docstring to scenario_adversarial_attacks
- Document --include-attacks flag in README
- Pin pyyaml version in security-scan workflow
- Audit and fix unsafe yaml.load() calls (if any)
- Add unreleased changelog entries

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -18,7 +18,7 @@ jobs:
         with:
           python-version: "3.11"
       - name: Install dependencies
-        run: pip install pyyaml
+        run: pip install "pyyaml>=6.0,<7.0"
       - name: Run security skills scan
         continue-on-error: true
         run: |
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Demo `--include-attacks` flag for adversarial scenario testing (prompt injection, tool alias bypass, SQL bypass).
+- .NET `SagaStep.MaxAttempts` property replacing deprecated `MaxRetries`.
+
+### Security
+- Replaced XOR placeholder encryption with AES-256-GCM in DMZ module.
+- Added Security Model & Limitations section to README.
+- Added security advisories to SECURITY.md for CostGuard and thread safety fixes.
+
 ## [2.2.0] - 2026-03-17
 
 ### Added
diff --git a/README.md b/README.md
@@ -146,6 +146,16 @@ var result = kernel.EvaluateToolCall(
 if (result.Allowed) { /* proceed */ }
 ```
 
+### Run the governance demo
+
+```bash
+# Full governance demo (policy enforcement, audit, trust, cost, reliability)
+python demo/maf_governance_demo.py
+
+# Run with adversarial attack scenarios
+python demo/maf_governance_demo.py --include-attacks
+```
+
 ## More Examples & Samples
 
 - **[Framework Quickstarts](examples/quickstart/)** — One-file governed agents for LangChain, CrewAI, AutoGen, OpenAI Agents, Google ADK
diff --git a/demo/maf_governance_demo.py b/demo/maf_governance_demo.py
@@ -1017,7 +1017,15 @@ def print_audit_summary(audit_log: AuditLog) -> None:
 async def scenario_adversarial_attacks(
     client: Any, model: str, audit_log: AuditLog, verbose: bool
 ) -> int:
-    """Run adversarial test scenarios to verify governance blocks common attacks."""
+    """Run adversarial attack scenarios to test governance resilience.
+
+    Probes 4 attack vectors: prompt injection, tool alias bypass,
+    trust score manipulation, and SQL policy bypass. Reports whether
+    each attack was blocked by the governance middleware.
+
+    Returns:
+        Number of audit entries generated during the adversarial scenarios.
+    """
     print(_section("Adversarial Scenarios: Attack Resilience"))
 
     policy_dir = Path(__file__).resolve().parent / "policies"
