fix: address critical security and bug issues from codebase audit

Security fixes:
- sandbox: fix path traversal via pathlib.Path.resolve() (#180)
- sandbox: detect importlib.import_module() bypass in AST visitor (#181)
- PromptInjectionDetector: add regex timeout + pattern length guard (#143)
- hypervisor: tighten DID validation regex, remove @ (#163)
- hypervisor: validate provider is a class after ep.load() (#164)
- hypervisor: validate IATP trust score is finite and in [0,100] (#169)

Bug fixes:
- hypervisor: fix dead code - RingEngine -> RingEnforcer fallback (#165)
- hypervisor: bound VFS edit log with deque(maxlen=10000) (#167)
- agent-mesh: fix deprecated datetime.utcnow() -> now(timezone.utc) (#177)
- agent-sre: bound ErrorBudget._events with deque, use monotonic time (#173,#174)
- agent-sre: fix CascadeDetector.get_breaker() KeyError (#175)
- PolicyRule: quote-aware SplitCompound() (#146)
- CircuitBreaker: guard against arithmetic overflow (#142)
- agent-compliance: handle corrupted manifest JSON (#153)
- agent-compliance: replace bare except anti-pattern (#154)
- agent-compliance: add UTF-8 encoding to file operations (#155)
- agent-compliance: add CLI error handling (#156)
- agent-compliance: use spec.get() for key validation (#157)

CI fixes:
- Remove continue-on-error on lint step (#182)
- Remove silent test failure fallback (#183)
- Add agent-compliance to test matrix (#184)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

.github/workflows/ci.yml

@@ -24,14 +24,13 @@ jobs:
         run: pip install --require-hashes --no-cache-dir -r requirements/ci-lint.txt
       - name: Lint ${{ matrix.package }}
         run: ruff check packages/${{ matrix.package }}/src/ --select E,F,W --ignore E501
-        continue-on-error: true
 
   test:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        package: [agent-os, agent-mesh, agent-hypervisor, agent-sre]
+        package: [agent-os, agent-mesh, agent-hypervisor, agent-sre, agent-compliance]
         python-version: ["3.11", "3.12"]
         include:
           - package: agent-os
@@ -53,7 +52,7 @@ jobs:
             2>/dev/null || pip install --no-cache-dir pytest==8.4.1 pytest-asyncio==1.1.0 2>/dev/null || true
       - name: Test ${{ matrix.package }}
         working-directory: packages/${{ matrix.package }}
-        run: pytest tests/ -x -q --tb=short 2>/dev/null || echo "No tests found"
+        run: pytest tests/ -x -q --tb=short
 
   security:
     runs-on: ubuntu-latest

packages/agent-compliance/src/agent_compliance/cli/main.py

@@ -36,25 +36,29 @@ def cmd_integrity(args: argparse.Namespace) -> int:
     """Run integrity verification or generate manifest."""
     from agent_compliance.integrity import IntegrityVerifier
 
-    if args.generate:
-        verifier = IntegrityVerifier()
-        manifest = verifier.generate_manifest(args.generate)
-        print(f"Manifest written to {args.generate}")
-        print(f"  Files hashed: {len(manifest['files'])}")
-        print(f"  Functions hashed: {len(manifest['functions'])}")
-        return 0
-
-    verifier = IntegrityVerifier(manifest_path=args.manifest)
-    report = verifier.verify()
-
-    if args.json:
-        import json
-
-        print(json.dumps(report.to_dict(), indent=2))
-    else:
-        print(report.summary())
-
-    return 0 if report.passed else 1
+    try:
+        if args.generate:
+            verifier = IntegrityVerifier()
+            manifest = verifier.generate_manifest(args.generate)
+            print(f"Manifest written to {args.generate}")
+            print(f"  Files hashed: {len(manifest['files'])}")
+            print(f"  Functions hashed: {len(manifest['functions'])}")
+            return 0
+
+        verifier = IntegrityVerifier(manifest_path=args.manifest)
+        report = verifier.verify()
+
+        if args.json:
+            import json
+
+            print(json.dumps(report.to_dict(), indent=2))
+        else:
+            print(report.summary())
+
+        return 0 if report.passed else 1
+    except Exception as e:
+        print(f"Error: {e}", file=sys.stderr)
+        return 1
 
 
 def main() -> int:

packages/agent-compliance/src/agent_compliance/integrity.py

@@ -223,8 +223,14 @@ def __init__(
         self._manifest: Optional[dict] = None
 
         if manifest_path and os.path.exists(manifest_path):
-            with open(manifest_path) as f:
-                self._manifest = json.load(f)
+            try:
+                with open(manifest_path, encoding="utf-8") as f:
+                    self._manifest = json.load(f)
+            except json.JSONDecodeError as e:
+                import logging
+                logging.getLogger(__name__).warning(
+                    "Corrupted manifest at %s: %s", manifest_path, e
+                )
 
     def verify(self) -> IntegrityReport:
         """Run full integrity verification.
@@ -358,7 +364,7 @@ def generate_manifest(self, output_path: str) -> dict:
                     "sha256": _hash_file(source_file),
                     "path": source_file,
                 }
-            except (ImportError, Exception) as e:
+            except (ImportError, OSError, TypeError) as e:
                 logger.warning("Could not hash module %s: %s", mod_name, e)
 
         for mod_name, func_path in self.critical_functions:
@@ -368,12 +374,12 @@ def generate_manifest(self, output_path: str) -> dict:
                 if func:
                     key = f"{mod_name}:{func_path}"
                     manifest["functions"][key] = _hash_function_bytecode(func)
-            except (ImportError, Exception) as e:
+            except (ImportError, OSError, TypeError, AttributeError) as e:
                 logger.warning(
                     "Could not hash function %s.%s: %s", mod_name, func_path, e
                 )
 
-        with open(output_path, "w") as f:
+        with open(output_path, "w", encoding="utf-8") as f:
             json.dump(manifest, f, indent=2)
 
         return manifest

packages/agent-compliance/src/agent_compliance/verify.py

@@ -263,32 +263,43 @@ def verify(self) -> GovernanceAttestation:
 
     def _check_control(self, control_id: str, spec: dict) -> ControlResult:
         """Check if a single control's component is importable."""
-        mod_name = spec["module"]
-        component_name = spec["check"]
+        mod_name = spec.get("module")
+        component_name = spec.get("check")
+        control_name = spec.get("name", control_id)
+
+        if not mod_name or not component_name:
+            return ControlResult(
+                control_id=control_id,
+                name=control_name,
+                present=False,
+                module=mod_name or "",
+                component=component_name or "",
+                error="Malformed control spec: missing 'module' or 'check'",
+            )
 
         try:
             mod = importlib.import_module(mod_name)
             component = getattr(mod, component_name, None)
             if component is None:
                 return ControlResult(
                     control_id=control_id,
-                    name=spec["name"],
+                    name=control_name,
                     present=False,
                     module=mod_name,
                     component=component_name,
                     error=f"{component_name} not found in {mod_name}",
                 )
             return ControlResult(
                 control_id=control_id,
-                name=spec["name"],
+                name=control_name,
                 present=True,
                 module=mod_name,
                 component=component_name,
             )
         except ImportError as e:
             return ControlResult(
                 control_id=control_id,
-                name=spec["name"],
+                name=control_name,
                 present=False,
                 module=mod_name,
                 component=component_name,

packages/agent-governance-dotnet/src/AgentGovernance/Policy/PolicyRule.cs

@@ -164,16 +164,43 @@ private static bool EvaluateExpression(string expression, IReadOnlyDictionary<st
     private static List<string> SplitCompound(string expression, string keyword)
     {
         var parts = new List<string>();
-        int idx;
-        var remaining = expression;
+        var current = new System.Text.StringBuilder();
+        bool inSingleQuote = false;
+        bool inDoubleQuote = false;
 
-        while ((idx = remaining.IndexOf(keyword, StringComparison.OrdinalIgnoreCase)) >= 0)
+        for (int i = 0; i < expression.Length; i++)
         {
-            parts.Add(remaining[..idx]);
-            remaining = remaining[(idx + keyword.Length)..];
+            char c = expression[i];
+
+            // Toggle quote state (no escaping needed for policy expressions)
+            if (c == '\'' && !inDoubleQuote)
+            {
+                inSingleQuote = !inSingleQuote;
+                current.Append(c);
+                continue;
+            }
+            if (c == '"' && !inSingleQuote)
+            {
+                inDoubleQuote = !inDoubleQuote;
+                current.Append(c);
+                continue;
+            }
+
+            // Only split on keyword when outside quotes
+            if (!inSingleQuote && !inDoubleQuote
+                && i + keyword.Length <= expression.Length
+                && expression.Substring(i, keyword.Length).Equals(keyword, StringComparison.OrdinalIgnoreCase))
+            {
+                parts.Add(current.ToString());
+                current.Clear();
+                i += keyword.Length - 1; // -1 because loop increments
+                continue;
+            }
+
+            current.Append(c);
         }
 
-        parts.Add(remaining);
+        parts.Add(current.ToString());
         return parts;
     }
 

packages/agent-governance-dotnet/src/AgentGovernance/Security/PromptInjectionDetector.cs

@@ -251,11 +251,14 @@ public IReadOnlyList<DetectionResult> DetectBatch(IEnumerable<string> inputs)
         return inputs.Select(Detect).ToList().AsReadOnly();
     }
 
+    private static readonly int MaxCustomPatternLength = 1000;
+    private static readonly TimeSpan RegexTimeout = TimeSpan.FromMilliseconds(200);
+    private static readonly Regex Base64Pattern = new(@"[A-Za-z0-9+/]{20,}={0,2}", RegexOptions.Compiled, TimeSpan.FromMilliseconds(200));
+
     private (string Name, ThreatLevel Threat)? DetectEncodedPayloads(string input)
     {
         // Look for base64-encoded strings (at least 20 chars).
-        var b64Pattern = new Regex(@"[A-Za-z0-9+/]{20,}={0,2}", RegexOptions.Compiled);
-        var b64Matches = b64Pattern.Matches(input);
+        var b64Matches = Base64Pattern.Matches(input);
 
         foreach (Match match in b64Matches)
         {
@@ -309,9 +312,12 @@ public IReadOnlyList<DetectionResult> DetectBatch(IEnumerable<string> inputs)
             (Compile(@"UNION\s+SELECT", RegexOptions.IgnoreCase), InjectionType.DirectOverride, ThreatLevel.High, "sql_union"),
         };
 
-        // Add custom patterns.
+        // Add custom patterns with length and timeout guards.
         foreach (var custom in _config.CustomPatterns)
         {
+            if (custom.Length > MaxCustomPatternLength)
+                continue;
+
             try
             {
                 patterns.Add((Compile(custom), InjectionType.DirectOverride, ThreatLevel.High, $"custom:{custom[..Math.Min(20, custom.Length)]}"));
@@ -327,7 +333,7 @@ public IReadOnlyList<DetectionResult> DetectBatch(IEnumerable<string> inputs)
 
     private static Regex Compile(string pattern, RegexOptions extra = RegexOptions.None)
     {
-        return new Regex(pattern, RegexOptions.Compiled | RegexOptions.IgnoreCase | extra);
+        return new Regex(pattern, RegexOptions.Compiled | RegexOptions.IgnoreCase | extra, RegexTimeout);
     }
 
     private static string ComputeHash(string input)

packages/agent-governance-dotnet/src/AgentGovernance/Sre/CircuitBreaker.cs

@@ -198,7 +198,8 @@ private void EnsureCallAllowed()
             switch (_state)
             {
                 case CircuitState.Open:
-                    var elapsed = TimeSpan.FromMilliseconds(Environment.TickCount64 - _openedAtTicks);
+                    var elapsedMs = Math.Max(0, Environment.TickCount64 - _openedAtTicks);
+                    var elapsed = TimeSpan.FromMilliseconds(elapsedMs);
                     var retryAfter = _config.ResetTimeout - elapsed;
                     if (retryAfter < TimeSpan.Zero) retryAfter = TimeSpan.Zero;
                     throw new CircuitBreakerOpenException(retryAfter);

packages/agent-hypervisor/src/hypervisor/integrations/iatp_adapter.py

@@ -87,6 +87,10 @@ def analyze_manifest(self, manifest: IATPManifest) -> ManifestAnalysis:
             trust_level = IATPTrustLevel.UNKNOWN
         ring_hint = TRUST_LEVEL_RING_HINTS.get(trust_level, ExecutionRing.RING_3_SANDBOX)
         iatp_score = manifest.calculate_trust_score()
+        import math
+        if not isinstance(iatp_score, (int, float)) or not math.isfinite(iatp_score):
+            iatp_score = 0.0
+        iatp_score = min(max(iatp_score, 0.0), 100.0)
         sigma_hint = min(max(iatp_score / 10.0, 0.0), 1.0)
         analysis = ManifestAnalysis(
             agent_did=agent_did, trust_level=trust_level, ring_hint=ring_hint,
@@ -107,6 +111,10 @@ def analyze_manifest_dict(self, manifest_dict: dict) -> ManifestAnalysis:
             trust_level = IATPTrustLevel.UNKNOWN
         ring_hint = TRUST_LEVEL_RING_HINTS.get(trust_level, ExecutionRing.RING_3_SANDBOX)
         iatp_score = manifest_dict.get("trust_score", 5)
+        import math
+        if not isinstance(iatp_score, (int, float)) or not math.isfinite(iatp_score):
+            iatp_score = 0.0
+        iatp_score = min(max(iatp_score, 0.0), 100.0)
         sigma_hint = min(max(iatp_score / 10.0, 0.0), 1.0)
         actions = []
         for cap in manifest_dict.get("actions", []):

packages/agent-hypervisor/src/hypervisor/models.py

@@ -9,8 +9,9 @@
 from datetime import UTC, datetime
 from enum import Enum
 
-# Agent ID must be alphanumeric, hyphens, underscores, colons, or dots (e.g. "did:mesh:agent-1")
-_AGENT_ID_PATTERN = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9._:@-]*$")
+# Agent ID: DID format (did:method:id) or simple alphanumeric identifiers.
+# Restrict to safe characters — no @, no consecutive special chars.
+_AGENT_ID_PATTERN = re.compile(r"^[a-zA-Z0-9](?:[a-zA-Z0-9._:-]*[a-zA-Z0-9])?$")
 # Max lengths
 _MAX_AGENT_ID_LENGTH = 256
 _MAX_NAME_LENGTH = 256

packages/agent-hypervisor/src/hypervisor/providers.py

@@ -36,9 +36,14 @@ def _discover_provider(group: str) -> type | None:
         if eps:
             ep = next(iter(eps))
             provider_cls = ep.load()
-            _provider_cache[group] = provider_cls
-            logger.info("Advanced provider loaded: %s from %s", ep.name, ep.value)
-            return provider_cls
+            if not isinstance(provider_cls, type):
+                logger.warning(
+                    "Provider %s is not a class, skipping", ep.name
+                )
+            else:
+                _provider_cache[group] = provider_cls
+                logger.info("Advanced provider loaded: %s from %s", ep.name, ep.value)
+                return provider_cls
     except Exception:
         logger.debug("Provider discovery failed for %s", group, exc_info=True)
 
@@ -56,8 +61,8 @@ def get_ring_engine(**kwargs: Any):
     if provider is not None:
         return provider(**kwargs)
 
-    from hypervisor.rings.engine import RingEngine
-    return RingEngine(**kwargs)
+    from hypervisor.rings.enforcer import RingEnforcer
+    return RingEnforcer(**kwargs)
 
 
 def get_liability_engine(**kwargs: Any):