Agent Governance Foundation

Changelog

Release history

Every release of the AGF Authorization Service — new features, API changes, and fixes.

NewImprovedFixAPISDKSecurity

v0.5.0

Outbound webhooks, JIT credentials, analytics dashboard, access review automation, and Python SDK with LangChain + CrewAI adapters.

  • Outbound webhooks — subscribe to decision, approval, and quota events via HMAC-signed HTTP POST. Up to 60 events/min per org.NewAPI
  • JIT (just-in-time) credentials — issue ephemeral API keys for agents that expire after a configurable TTL. Keys auto-cleaned by scheduler.NewAPI
  • Analytics dashboard — 30-day decision volume chart, outcome breakdown, top agents table, policy effectiveness, and behavior alerts.New
  • Behavior detection — scheduler scans audit artifacts every 5 minutes for 4 threat patterns: data exfiltration, privilege escalation, resource hijacking, lateral movement.New
  • Access review automation — daily reminders for agents with recertification due in 7 days. Dashboard shows current / due soon / overdue status with one-click recertify.New
  • Python SDK (agf-sdk) — AgentGovernance facade, async AGFClient, LangChain gate tool + AGFGuardedTool adapter, CrewAI adapter, webhook signature verification.NewSDK
  • TypeScript SDK expanded — webhooks, JIT credentials, analytics, access reviews, and behavior alerts resources added to AGFClient.ImprovedSDK
  • Scheduler thread bug fix — all APScheduler jobs now use run_coroutine_threadsafe instead of ensure_future, fixing RuntimeError on first fire.Fix

v0.4.0

Human-in-the-loop approvals, tier rename, background scheduler, feature gating, config hardening, and audit isolation.

  • HITL approval workflow — REVIEW_REQUIRED decisions create pending approval requests. Dashboard shows pending / approved / denied tabs with inline approve/deny + comments.New
  • Approval timeout scheduler — pending requests expire after configurable timeout_seconds. Runs every 5 minutes.New
  • Tier rename — basic → starter, growth → growth (unchanged), enterprise unchanged. Quota defaults updated: starter 2,000/mo, growth 15,000/mo.ImprovedAPI
  • Feature gating — require_tier() dependency factory gates features by plan. Growth required for suspend/retire, policy CRUD, webhooks, JIT. Enterprise required for compliance and federation.NewAPI
  • Background scheduler — APScheduler AsyncIOScheduler wired into app lifespan. Jobs: overage_report and audit_cleanup. Configurable via admin Configuration → Scheduler tab.New
  • Audit store per-org isolation — FileAuditStore writes to decisions/{org_id}/YYYY/MM/DD/. Backward-compatible with flat-path artifacts.Improved
  • AGF_VERIFIER_ID, ALLOWED_ORIGINS, GIT_AUTHOR_NAME/EMAIL env vars added for deployment hardening.Improved
  • Policy VCS — activate policy now requires pr_status='merged' when VCS is enabled.ImprovedAPI

v0.3.0

Policy VCS with PR workflow, runbooks, metering and quota system, billing integration, and email notifications.

  • Policy version control — policies tracked in a git repo. PR workflow: open, merge, reject. Diff endpoint compares any two SHAs.NewAPI
  • Runbooks — define multi-step automated responses to events. CRUD + manual trigger + execution history.NewAPI
  • Quota metering — per-org decision quotas with tier defaults. Enforcement at /v1/decide with 429 + Retry-After when over limit.New
  • Quota headers — X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset on every 200 response.NewAPI
  • Stripe billing integration — subscription lifecycle webhooks, metered overage reporting, provider-switchable (stripe / manual / disabled).New
  • Welcome and quota warning emails — fire-and-forget after registration and at 80% / 100% quota threshold crossings.New
  • Usage dashboard — QuotaBar, overage banner, history table with Limit and Overage columns.New
  • Onboarding checklist on dashboard home — 4-step progress tracker that disappears when complete.New

v0.2.0

Admin panel, platform metrics, org impersonation, key rotation UI, federation layer, and security hardening.

  • Admin panel — separate app at admin.agentgovernancefoundation.com. Pages: Overview, Organizations, Users, Admin Users, Metrics, Security, Configuration, Contact inbox.New
  • Org impersonation — admin can open a 15-min impersonation session in the dashboard. Amber banner shown during session.New
  • Platform key rotation UI — admin can view Ed25519 key fingerprint, rotate the platform key, and record JWT rotation from the Security page.New
  • Federation layer — org registry (DID resolution), peering invitations, accept/reject flow, cross-org policy evaluation.NewAPI
  • HybridKeyResolver — resolves keys from local PEM store or remote org registry. Pluggable via KEY_RESOLVER_BACKEND env var.New
  • Security hardening — HttpOnly cookie auth flow, AuthProvider + useAuthToken() hook across all 21 client components, CSP headers, HSTS.Security
  • Rate limiting tightened — per-endpoint limits: decide 120/min (per-org), auth 5/min, register 30/min, billing 5–10/min.Security
  • Per-endpoint slowapi limits added to all sensitive routes.Security

v0.1.0

Initial release — PDP, agent identity, delegation chains, trust scoring, audit artifacts, compliance reports, and multi-tenant dashboard.

  • POST /v1/decide — real-time policy decisions with trust scoring, risk evaluation, and signed audit artifacts.NewAPI
  • Agent identity — DID-based agent registration with Ed25519 key upload. Agents have persistent root identity across invocations.NewAPI
  • Delegation chains — JWT chain evaluation. Each hop is verified; chain depth is tracked in audit artifacts.NewAPI
  • OPA policy engine — Rego policy evaluation. Policies versioned, activatable. Python fallback engine available.New
  • Compliance reports — NIST AI RMF, EU AI Act, and ISO 42001 coverage. Exportable via dashboard and API.NewAPI
  • Multi-tenant — organizations, users, team invites, role-based access (admin / member). Per-org API keys.New
  • Dashboard — 25-page Next.js app. Agents, policies, audit log, compliance, delegations, team, usage, settings.New
  • TypeScript SDK (@agf/sdk) — AGFClient with decide, agents, and audit resources.NewSDK
  • Deployment files — nginx virtual host, systemd service units, .env.example for all settings.New