feat(agent-os): add native FIDES-compatible IFC layer #3245

Open
jackbatzner wants to merge 5 commits into microsoft:main from jackbatzner:jackbatzner-ifc-adoption-plan

@jackbatzner

Collaborator

Description

Adds a native FIDES-compatible information-flow-control layer for AGT with concrete runtime proof: Agent OS label parsing/propagation/enforcement, AgentMesh signed IFC receipts for native agent-to-agent message handoff, ACS annotation interoperability, deterministic examples, focused tests, and documentation that cites FIDES while preserving distributed claim boundaries.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality) - Adds native IFC primitives, runtime enforcement, receipts, and examples.
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update - Adds the native IFC ADR/proof page and updates limitations/threat-model navigation.
  • Maintenance (dependency updates, CI/CD, refactoring)
  • Security fix - Closes the scoped knowledge-flow gap by enforcing labels before configured sinks execute.

Package(s) Affected

  • agent-os-kernel - Adds IFC labels, sink checks, context propagation, denial category, and tests.
  • agent-mesh - Adds signed IFC receipts and replay/downgrade verification tests.
  • agent-runtime
  • agent-sre
  • agent-governance
  • docs / root - Adds security docs, examples, mkdocs nav, and ACS fixture.

Checklist

  • My code follows the project style guidelines (ruff check) - Focused ruff passed on changed Python files.
  • I have added tests that prove my fix/feature works - Added Agent OS IFC tests and AgentMesh receipt tests.
  • All new and existing tests pass (pytest) - Focused Agent OS IFC tests and AgentMesh receipt tests pass.
  • I have updated documentation as needed - Added native IFC doc and limitations/threat-model updates.
  • I have signed the Microsoft CLA - Contributor is already covered.

Attribution & Prior Art

  • This contribution does not contain code copied or derived from other projects without attribution
  • Any external projects that inspired this design are credited in code comments or documentation - Documentation cites Microsoft Agent Framework security guidance and the FIDES paper.
  • If this PR implements functionality similar to an existing open-source project, I have listed it below

Prior art / related projects (if any):

AI Assistance

  • I can explain every meaningful change in this PR: what it does, why, and what tradeoffs were considered
  • I have run tests and verification appropriate for this change
  • No part of this PR was autonomously submitted by an AI agent without my review
  • I have not used AI to generate review comments on others' PRs

If AI tools materially shaped this change, briefly note what was used:
GitHub Copilot assisted with implementation, tests, documentation, and review hardening. All output was reviewed and validated by the contributor.

IP, Patents, and Licensing

  • This contribution does not implement patent-pending or patent-encumbered techniques
  • This contribution does not require an NDA or licensing agreement to understand or use
  • Any AI tools used have terms compatible with the MIT License

Related Issues

None.

Validation

  • python -m pytest agent-governance-python\agent-os\tests\policies\test_information_flow.py agent-governance-python\agent-os\tests\test_integrations.py -k "information_flow or ifc or malicious" -q - 28 passed.
  • PYTHONPATH=agent-governance-python\agent-mesh\src python -m pytest agent-governance-python\agent-mesh\tests\test_information_flow_receipts.py -q - 13 passed.
  • ruff check --select E,F,W --ignore E501 <changed Python files> - passed.
  • python examples\information-flow-control\demo.py - blocked public email sink, allowed bounded reveal, allowed quarantine sink.
  • python examples\distributed-information-flow-control\demo.py - allowed valid receipt, denied tamper/downgrade/replay.
  • python scripts\docs\check_links.py - 0 new broken links.
  • git diff --check and staged secret/stub/license-header scans - passed.

Add Agent OS information-flow labels, strict sink enforcement, bounded reveal/declassification/endorsement primitives, and AgentMesh signed IFC receipts.

Include ACS annotation fixture, deterministic examples, focused tests, and documentation that links to FIDES while scoping distributed limitations.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
github-actions Bot added the documentation, tests, agent-mesh, security and size/XL labels and removed the documentation, tests, agent-mesh and security labels on Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

🤖 AI Agent: breaking-change-detector — API Compatibility

AI-generated review output. Treat it as untrusted analysis and verify before acting.

API Compatibility

| Severity | Change | Impact |
|---|---|---|
| High | Added new public API in agentmesh.transport module, including functions and classes such as create_information_flow_receipt, verify_information_flow_receipt, and InformationFlowReceipt. | Existing users of the agentmesh.transport module may encounter issues if they rely on reflection or dynamic imports and do not expect these new additions. |
| High | Added information_flow.py module to agentmesh.transport with new public APIs. | Potential for conflicts if users have implemented custom modules or extensions with the same name. |
| High | Added new constants such as DEFAULT_RECEIPT_TTL, RECEIPT_FRAME_KEY, and RECEIPT_SCHEMA_VERSION to the public API. | Potential naming conflicts with existing user-defined constants or variables. |
| Medium | Modified agentmesh.transport.__init__.py to include new imports and __all__ entries. | May affect users relying on the previous __all__ definition or importing specific symbols. |

@github-actions

github-actions Bot commented Jul 2, 2026

🤖 AI Agent: security-scanner — View details

AI-generated review output. Treat it as untrusted analysis and verify before acting.

No security issues found.

@github-actions

github-actions Bot commented Jul 2, 2026

🤖 AI Agent: docs-sync-checker — Docs Sync

AI-generated review output. Treat it as untrusted analysis and verify before acting.

Docs Sync

  • InformationFlowReceipt in agentmesh/transport/information_flow.py -- missing docstring for several methods and classes, such as InformationFlowNonceCache, create_information_flow_receipt, attach_information_flow_receipt, extract_information_flow_receipt, and verify_information_flow_receipt.
  • README.md -- no updates found for the newly added "native FIDES-compatible IFC layer" or its components.
  • CHANGELOG.md -- missing entry for the addition of the native IFC layer and related features.

@github-actions

github-actions Bot commented Jul 2, 2026

🤖 AI Agent: test-generator — `agent-mesh/src/agentmesh/transport/information_flow.py`

AI-generated review output. Treat it as untrusted analysis and verify before acting.

agent-mesh/src/agentmesh/transport/information_flow.py

  • test_create_information_flow_receipt_invalid_inputs -- Validate behavior when invalid inputs (e.g., empty strings, invalid types) are passed to create_information_flow_receipt.
  • test_verify_information_flow_receipt_replay_attack -- Test verify_information_flow_receipt with a replayed nonce to ensure it is rejected.
  • test_verify_information_flow_receipt_tampered_signature -- Validate that verify_information_flow_receipt rejects receipts with tampered signatures.
  • test_verify_information_flow_receipt_expired -- Ensure verify_information_flow_receipt rejects receipts that have expired.
  • test_extract_information_flow_receipt_invalid_format -- Test extract_information_flow_receipt with improperly formatted or missing receipt data.

@github-actions

github-actions Bot commented Jul 2, 2026

PR Review Summary

| Check | Status | Details |
|---|---|---|
| 🔍 Code Review | ⚠️ Missing | No current-run comment |
| 🛡️ Security Scan | ⚠️ Missing | No current-run comment |
| 🔄 Breaking Changes | ⚠️ Missing | No current-run comment |
| 📝 Docs Sync | ⚠️ Missing | No current-run comment |
| 🧪 Test Coverage | ⚠️ Missing | No current-run comment |

Verdict: ⚠️ AI review incomplete; ready for human review

AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims.

Allow the IFC variable URI scheme and avoid compact precheck/postcheck wording in docs.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
github-actions Bot added the documentation, tests, agent-mesh and security labels on Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

🤖 AI Agent: code-reviewer — View details

AI-generated review output. Treat it as untrusted analysis and verify before acting.

TL;DR: 0 blockers, 1 warning. The PR introduces a robust IFC layer with signed receipts but has a potential replay risk due to the nonce cache's bounded size.

| # | Sev | Issue | Where |
|---|---|---|---|
| 1 | Warn | Nonce cache size may allow replay attacks if exhausted. | InformationFlowNonceCache in information_flow.py |

Action items:

  1. None.

Warnings:

| # | Issue | Where | Action |
|---|---|---|---|
| 1 | Nonce cache size may allow replay attacks if exhausted. | InformationFlowNonceCache in information_flow.py | Fine as follow-up PR. |

No other issues found. The implementation appears secure and well-documented.
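
The replay risk raised in the warning above, as an added example that is not code from this PR or from AgentMesh: a bounded nonce cache that evicts its oldest live entry forgets a still-valid nonce, while one that rejects new nonces when full does not. The class names, the `check_and_store` signature and the sample nonces are hypothetical, and the receipt's expiry check is assumed to run before the cache lookup.

```python
from collections import OrderedDict


class BoundedNonceCache:
    """Replay cache holding at most max_entries nonces (hypothetical, not AgentMesh code)."""

    evict_when_full = True  # weak setting: forget the oldest live nonce

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._seen = OrderedDict()  # nonce -> receipt expiry time

    def check_and_store(self, nonce, expires_at, now):
        """Return True if the nonce is fresh and was recorded, False to reject."""
        # Expired nonces are safe to forget: the receipt's own expiry check
        # (assumed to run before this call) already rejects those receipts.
        for old in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[old]
        if nonce in self._seen:
            return False  # replay of a nonce we still remember
        if len(self._seen) >= self.max_entries:
            if not self.evict_when_full:
                return False  # fail closed: no room to remember this nonce
            self._seen.popitem(last=False)  # drops a nonce that is still valid
        self._seen[nonce] = expires_at
        return True


class FailClosedNonceCache(BoundedNonceCache):
    """Same cache, but a full cache rejects new nonces instead of evicting."""

    evict_when_full = False


def replay_accepted_after_flood(cache_cls, max_entries=2):
    """Record one nonce, fill the cache with others, then present the first again."""
    cache = cache_cls(max_entries)
    assert cache.check_and_store("nonce-A", expires_at=300, now=0)
    for i in range(max_entries):  # constructed filler traffic inside the TTL
        cache.check_and_store(f"filler-{i}", expires_at=300, now=1)
    return cache.check_and_store("nonce-A", expires_at=300, now=2)
```

Failing closed trades availability for replay safety, so the cache needs capacity for the peak receipt rate multiplied by the receipt TTL.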

Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
Signed-off-by: Jack Batzner <jackbatzner@microsoft.com>
Labels

agent-mesh, documentation, security, size/XL, tests
