feat: update OpenClaw skill to current API, add OpenShell integration doc

- Fix 5 stale skill scripts to use current AgentMesh API:
  - trust-score.sh: RewardEngine -> RewardService
  - record-interaction.sh: record_success/failure -> record_task_success/failure
  - verify-identity.sh: from_did -> AgentDID.from_string + verify_signature
  - audit-log.sh: agentmesh.audit -> agentmesh.governance.audit (AuditLog)
  - generate-identity.sh: did:agentmesh: -> did:mesh: prefix
- Update SKILL.md: v1.1.0, fix architecture diagram, update URLs
- Add docs/integrations/openshell.md: complementary architecture guide
  showing OpenShell (sandbox isolation) + toolkit (governance intelligence)
- Update openclaw-sidecar.md with OpenShell cross-reference
- Add OpenShell integration link to README
- Fix agent_identity snapshot for max_initial_trust_score field

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

README.md

@@ -55,6 +55,7 @@ pip install agent-lightning        # RL training governance
 - **[.NET SDK](packages/agent-governance-dotnet/README.md)** — NuGet package with full OWASP coverage
 - **[Tutorials](docs/tutorials/)** — Step-by-step guides for policy, identity, integrations, compliance, SRE, and sandboxing
 - **[Azure Deployment](docs/deployment/README.md)** — AKS, Azure AI Foundry, Container Apps, OpenClaw sidecar
+- **[NVIDIA OpenShell Integration](docs/integrations/openshell.md)** — Combine sandbox isolation with governance intelligence
 - **[OWASP Compliance](docs/OWASP-COMPLIANCE.md)** — Full ASI-01 through ASI-10 mapping
 - **[Architecture](docs/ARCHITECTURE.md)** — System design, security model, trust scoring
 - **[NIST RFI Mapping](docs/nist-rfi-mapping.md)** — Mapping to NIST AI Agent Security RFI (2026-00206)

docs/deployment/openclaw-sidecar.md

@@ -2,6 +2,8 @@
 
 Deploy OpenClaw as an autonomous agent with the Agent Governance Toolkit as a sidecar on Azure Kubernetes Service (AKS) for runtime policy enforcement, identity verification, and SLO monitoring.
 
+> **New:** The toolkit now integrates with [NVIDIA OpenShell](../integrations/openshell.md) for combined sandbox isolation + governance intelligence. See the [OpenShell integration guide](../integrations/openshell.md) for the complementary architecture.
+
 > **See also:** [Deployment Overview](README.md) | [AKS Deployment](../../packages/agent-mesh/docs/deployment/azure.md) | [OpenClaw on ClawHub](https://clawhub.ai/microsoft/agentmesh-governance)
 
 ---

docs/integrations/openshell.md

@@ -0,0 +1,215 @@
+# Integrating with NVIDIA OpenShell
+
+Deploy the Agent Governance Toolkit as the governance layer inside (or alongside) [NVIDIA OpenShell](https://github.com/NVIDIA/OpenShell) sandboxes to combine **runtime isolation** with **governance intelligence**.
+
+> **TL;DR** — OpenShell provides the *walls* (sandbox, network, filesystem policies). The toolkit provides the *brain* (identity, trust, policy decisions, audit). Together they form a complete agent security stack.
+
+---
+
+## Why Combine Them?
+
+OpenShell and the Agent Governance Toolkit solve **different halves** of the agent security problem:
+
+| Capability | OpenShell | Governance Toolkit |
+|---|:---:|:---:|
+| Container isolation | ✅ | — |
+| Filesystem policies | ✅ | — |
+| Network egress control | ✅ | — |
+| Process / syscall restrictions | ✅ | — |
+| Inference routing | ✅ | — |
+| Agent identity (Ed25519 DIDs) | — | ✅ |
+| Behavioral trust scoring | — | ✅ |
+| Policy engine (YAML + OPA + Cedar) | — | ✅ |
+| Authority resolution (reputation-gated delegation) | — | ✅ |
+| Tamper-evident Merkle audit chains | — | ✅ |
+| SLOs, circuit breakers, execution rings | — | ✅ |
+| Multi-agent governance | — | ✅ |
+
+OpenShell asks: *"Is this network call allowed by sandbox policy?"*
+The toolkit asks: *"Should this agent be trusted to make this call at all?"*
+
+Neither replaces the other — they're complementary layers in a defense-in-depth stack.
+
+---
+
+## Architecture
+
+```
+┌──────────────────────────────────────────────────────────────────┐
+│  OpenShell Sandbox                                                │
+│                                                                   │
+│  ┌────────────────────────┐   ┌────────────────────────────────┐ │
+│  │  AI Agent (Claude,     │   │  Governance Toolkit (sidecar)  │ │
+│  │  Codex, OpenCode, etc) │   │                                │ │
+│  │                        │   │  AgentIdentity  — Ed25519 DIDs │ │
+│  │  Tool call ────────────────► PolicyEngine   — YAML/OPA/Cedar│ │
+│  │             ◄──────────────  RewardService  — trust scoring │ │
+│  │  (allow / deny)        │   │  AuditLog      — Merkle chain  │ │
+│  │                        │   │  AuthorityResolver — delegation │ │
+│  └────────────────────────┘   └────────────────────────────────┘ │
+│                                                                   │
+│  ┌──────────────────────────────────────────────────────────────┐ │
+│  │  OpenShell Policy Engine                                      │ │
+│  │  Filesystem ▸ Network ▸ Process ▸ Inference                   │ │
+│  └──────────────────────────────────────────────────────────────┘ │
+└──────────────────────────────────────────────────────────────────┘
+```
+
+**Request flow:**
+
+1. Agent issues a tool call (e.g., `shell:curl`, `file:write`)
+2. **Governance Toolkit** evaluates: identity verified? trust score above threshold? policy allows action? authority delegated?
+3. If governance approves → OpenShell's **sandbox policy engine** enforces runtime constraints (network egress, filesystem boundaries, process restrictions)
+4. Both layers log independently — governance writes to the Merkle audit chain, OpenShell writes to its own policy log
+5. If either layer denies → action is blocked
+
+---
+
+## Setup
+
+### Option A: Governance Skill Inside the Sandbox
+
+Install the toolkit as an [OpenClaw skill](../packages/agentmesh-integrations/openclaw-skill/) that the agent invokes before each action:
+
+```bash
+# Inside the sandbox
+pip install agentmesh
+
+# Use the skill scripts
+scripts/check-policy.sh --action "web_search" --tokens 1500 --policy policy.yaml
+scripts/trust-score.sh --agent "did:mesh:abc123"
+scripts/verify-identity.sh --did "did:mesh:abc123" --message "hello" --signature "base64sig"
+```
+
+This approach is lightweight and works with any agent that supports OpenClaw skills.
+
+### Option B: Governance Sidecar (Production)
+
+Run the toolkit as a sidecar proxy that intercepts all tool calls transparently:
+
+```yaml
+# openshell-governance-policy.yaml
+network:
+  outbound:
+    - match:
+        host: "localhost"
+        port: 8081
+      action: allow          # Allow agent → governance sidecar
+    - match:
+        host: "*.openai.com"
+      action: allow          # Allow approved LLM calls
+    - action: deny           # Block everything else
+
+filesystem:
+  read:
+    - /workspace/**
+    - /policies/**
+  write:
+    - /workspace/**
+    - /var/log/governance/**
+```
+
+```bash
+# Start the governance sidecar inside the sandbox
+python -m agentmesh.server --port 8081 --policy /policies/ &
+
+# Create the sandbox with the policy
+openshell sandbox create \
+  --policy openshell-governance-policy.yaml \
+  -- claude
+```
+
+See the full [OpenClaw sidecar deployment guide](../deployment/openclaw-sidecar.md) for AKS and Docker Compose configurations.
+
+---
+
+## Policy Layering Example
+
+A single agent action passes through **two policy layers**:
+
+```
+Agent: "I want to POST to https://api.github.com/repos/org/repo/issues"
+
+Layer 1 — Governance Toolkit:
+  ✅ Agent identity verified (did:mesh:a1b2c3)
+  ✅ Trust score 0.82 > threshold 0.5
+  ✅ Policy allows "http:POST:api.github.com/*"
+  ✅ Authority: delegated by parent agent with scope "github:issues:create"
+  → ALLOW (logged to Merkle audit chain)
+
+Layer 2 — OpenShell:
+  ✅ Network policy permits POST to api.github.com
+  ✅ Process policy permits curl binary
+  → ALLOW (logged to OpenShell policy log)
+
+Result: Action executes
+```
+
+If either layer denies:
+
+```
+Agent: "I want to POST to https://169.254.169.254/metadata"
+
+Layer 1 — Governance Toolkit:
+  ❌ Policy blocks "http:*:169.254.169.254/*" (cloud metadata endpoint)
+  → DENY (logged with violation reason)
+
+Result: Action blocked before reaching OpenShell
+```
+
+---
+
+## OpenShell Policy + Governance Policy Mapping
+
+| OpenShell Layer | Governance Toolkit Equivalent | How They Interact |
+|---|---|---|
+| `filesystem.read/write` | Capability policies (`file:read:*`, `file:write:*`) | Governance decides *who can*, OpenShell enforces *where* |
+| `network.outbound` | Capability policies (`http:GET:*`, `http:POST:*`) | Governance decides *what action*, OpenShell enforces *which endpoints* |
+| `process` | Blocked-tool policies, execution rings | Governance gates by trust level, OpenShell gates by syscall |
+| `inference` routing | N/A (complementary) | OpenShell routes LLM traffic; governance audits responses |
+| N/A | Identity, trust scoring, audit | Governance-only capabilities |
+
+---
+
+## Monitoring
+
+When running both layers, you get two complementary telemetry streams:
+
+**Governance Toolkit metrics** (Prometheus / OpenTelemetry):
+- `policy_decisions_total{result="allow|deny"}`
+- `trust_score_current{agent="did:mesh:..."}`
+- `audit_chain_entries_total`
+- `authority_resolutions_total{decision="allow|deny|narrowed"}`
+
+**OpenShell metrics**:
+- Sandbox network egress logs
+- Filesystem access logs
+- Process execution logs
+- Inference routing logs
+
+Both can feed into the same Grafana dashboard for a unified view. See the [Agent SRE monitoring guide](../../packages/agent-sre/README.md) for SLO configuration.
+
+---
+
+## FAQ
+
+**Q: Do I need both?**
+No. Each works independently. But together they provide defense-in-depth: governance intelligence (who, what, why) plus runtime isolation (where, how).
+
+**Q: Does the toolkit work with agents other than OpenClaw?**
+Yes. The toolkit is agent-agnostic — it works with any AI agent framework (LangChain, CrewAI, AutoGen, Semantic Kernel, etc.) on any cloud (AWS, GCP, Azure) or locally.
+
+**Q: Does OpenShell replace the sidecar deployment?**
+OpenShell can *host* the sidecar. The governance sidecar runs inside or alongside the OpenShell sandbox. OpenShell provides the isolation boundary; the sidecar provides the governance logic.
+
+**Q: What about NemoClaw?**
+[NemoClaw](https://nvidianews.nvidia.com/news/ai-agents) bundles OpenShell with NVIDIA Nemotron models. The governance toolkit works with NemoClaw the same way — it adds identity, trust, and audit capabilities on top of the NemoClaw runtime.
+
+---
+
+## Related
+
+- [OpenClaw Skill](../../packages/agentmesh-integrations/openclaw-skill/) — Lightweight skill for OpenClaw agents
+- [OpenClaw Sidecar Deployment](../deployment/openclaw-sidecar.md) — AKS and Docker Compose guide
+- [NVIDIA OpenShell](https://github.com/NVIDIA/OpenShell) — Runtime sandbox for AI agents
+- [Architecture](../ARCHITECTURE.md) — Full toolkit architecture

packages/agent-mesh/tests/snapshots/agent_identity.json

@@ -21,5 +21,6 @@
   "status": "active",
   "revocation_reason": null,
   "parent_did": null,
-  "delegation_depth": 0
+  "delegation_depth": 0,
+  "max_initial_trust_score": null
 }

packages/agentmesh-integrations/openclaw-skill/SKILL.md

@@ -9,15 +9,15 @@ description: >
   (5) user asks about agent safety, governance, compliance, or trust.
   Enterprise-grade: 1,600+ tests, merged into Dify (65K★), LlamaIndex (47K★),
   Microsoft Agent-Lightning (15K★).
-version: 1.0.0
+version: 1.1.0
 metadata:
   openclaw:
     requires:
       bins:
         - python3
         - pip
     emoji: "🛡️"
-    homepage: https://github.com/imran-siddique/agentmesh-integrations/tree/master/openclaw-skill
+    homepage: https://github.com/microsoft/agent-governance-toolkit/tree/main/packages/agentmesh-integrations/openclaw-skill
 ---
 
 # AgentMesh Governance — Trust & Policy for OpenClaw Agents
@@ -70,7 +70,7 @@ collaboration health.
 Verify an agent's Ed25519 cryptographic identity before trusting its output:
 
 ```bash
-scripts/verify-identity.sh --did "did:agentmesh:abc123" --message "hello" --signature "base64sig"
+scripts/verify-identity.sh --did "did:mesh:abc123" --message "hello" --signature "base64sig"
 ```
 
 Returns `verified: true/false`. Use when receiving data from another agent.
@@ -159,12 +159,12 @@ governance engine:
 ```
 OpenClaw Agent → SKILL.md scripts → AgentMesh Engine
                                      ├── GovernancePolicy (enforcement)
-                                     ├── TrustEngine (5-dimension scoring)
+                                     ├── RewardService (5-dimension scoring)
                                      ├── AgentIdentity (Ed25519 DIDs)
-                                     └── hash-chainAuditChain (tamper-evident logs)
+                                     └── AuditLog (tamper-evident Merkle chains)
 ```
 
-Part of the [Agent Ecosystem](https://imran-siddique.github.io):
-[AgentMesh](https://github.com/imran-siddique/agent-mesh) ·
-[Agent OS](https://github.com/imran-siddique/agent-os) ·
-[Agent SRE](https://github.com/imran-siddique/agent-sre)
+Part of the [Agent Governance Toolkit](https://github.com/microsoft/agent-governance-toolkit):
+[AgentMesh](https://github.com/microsoft/agent-governance-toolkit/tree/main/packages/agent-mesh) ·
+[Agent OS](https://github.com/microsoft/agent-governance-toolkit/tree/main/packages/agent-os) ·
+[Agent SRE](https://github.com/microsoft/agent-governance-toolkit/tree/main/packages/agent-sre)

packages/agentmesh-integrations/openclaw-skill/scripts/audit-log.sh

@@ -15,12 +15,16 @@ done
 python3 -c "
 import json
 try:
-    from agentmesh.audit import MerkleAuditChain
-    chain = MerkleAuditChain()
-    entries = chain.get_entries(agent='$AGENT' or None, last=int('$LAST'))
+    from agentmesh.governance.audit import AuditLog
+    audit_log = AuditLog()
+    agent_filter = '$AGENT' or None
+    if agent_filter:
+        entries = audit_log.get_entries_for_agent(agent_did=agent_filter, limit=int('$LAST'))
+    else:
+        entries = audit_log.query(limit=int('$LAST'))
     if '$VERIFY' == 'true':
-        valid = chain.verify_integrity()
-        print(json.dumps({'integrity': 'valid' if valid else 'TAMPERED', 'entries': len(entries)}, indent=2))
+        valid, error = audit_log.verify_integrity()
+        print(json.dumps({'integrity': 'valid' if valid else 'TAMPERED', 'error': error, 'entries': len(entries)}, indent=2))
     else:
         print(json.dumps([e.to_dict() for e in entries], indent=2))
 except ImportError:

packages/agentmesh-integrations/openclaw-skill/scripts/generate-identity.sh

@@ -19,7 +19,7 @@ from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat,
 key = Ed25519PrivateKey.generate()
 pub = key.public_key()
 pub_bytes = pub.public_bytes(Encoding.Raw, PublicFormat.Raw)
-did = 'did:agentmesh:' + hashlib.sha256(pub_bytes).hexdigest()[:16]
+did = 'did:mesh:' + hashlib.sha256(pub_bytes).hexdigest()[:16]
 
 caps = [c.strip() for c in '${CAPABILITIES}'.split(',') if c.strip()]
 

packages/agentmesh-integrations/openclaw-skill/scripts/record-interaction.sh

@@ -15,14 +15,14 @@ done
 python3 -c "
 import json, datetime
 try:
-    from agentmesh.trust import RewardEngine
-    engine = RewardEngine()
+    from agentmesh.services import RewardService
+    service = RewardService()
     if '$OUTCOME' == 'success':
-        engine.record_success('$AGENT')
+        service.record_task_success('$AGENT', task_id='openclaw-interaction')
     else:
-        engine.record_failure('$AGENT', severity=float('$SEVERITY'))
-    score = engine.get_score('$AGENT')
-    print(json.dumps(score, indent=2))
+        service.record_task_failure('$AGENT', reason='severity=$SEVERITY')
+    score = service.get_score('$AGENT')
+    print(json.dumps(score.to_dict() if hasattr(score, 'to_dict') else score, indent=2))
 except ImportError:
     delta = 0.01 if '$OUTCOME' == 'success' else -float('$SEVERITY')
     result = {

packages/agentmesh-integrations/openclaw-skill/scripts/trust-score.sh

@@ -13,10 +13,10 @@ done
 python3 -c "
 import json
 try:
-    from agentmesh.trust import RewardEngine
-    engine = RewardEngine()
-    score = engine.get_score('$AGENT')
-    print(json.dumps(score, indent=2))
+    from agentmesh.services import RewardService
+    service = RewardService()
+    score = service.get_score('$AGENT')
+    print(json.dumps(score.to_dict() if hasattr(score, 'to_dict') else score, indent=2))
 except ImportError:
     # Standalone mode — return baseline trust info
     result = {

packages/agentmesh-integrations/openclaw-skill/scripts/verify-identity.sh

@@ -15,10 +15,15 @@ done
 python3 -c "
 import json
 try:
-    from agentmesh.identity import AgentIdentity
-    identity = AgentIdentity.from_did('$DID')
-    verified = identity.verify(b'$MESSAGE', '$SIGNATURE')
-    print(json.dumps({'did': '$DID', 'verified': verified}, indent=2))
+    from agentmesh.identity import AgentIdentity, AgentDID, IdentityRegistry
+    parsed = AgentDID.from_string('$DID')
+    registry = IdentityRegistry()
+    identity = registry.get(parsed)
+    if identity is None:
+        print(json.dumps({'did': '$DID', 'verified': False, 'error': 'DID not found in registry'}, indent=2))
+    else:
+        verified = identity.verify_signature(b'$MESSAGE', '$SIGNATURE')
+        print(json.dumps({'did': '$DID', 'verified': verified}, indent=2))
 except ImportError:
     from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
     import base64