github-agent 0.11.0__tar.gz → 0.11.1__tar.gz

{github_agent-0.11.0 → github_agent-0.11.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github-agent
-Version: 0.11.0
+Version: 0.11.1
 Summary: GitHub Agent for MCP
 Author-email: Audel Rouhi <knucklessg1@gmail.com>
 License: MIT
@@ -41,7 +41,7 @@ Dynamic: license-file
 ![PyPI - Wheel](https://img.shields.io/pypi/wheel/github-agent)
 ![PyPI - Implementation](https://img.shields.io/pypi/implementation/github-agent)
 
-*Version: 0.11.0*
+*Version: 0.11.1*
 
 ## Overview
 
@@ -178,6 +178,42 @@ The `github-agent` command starts the server.
 github-agent --provider openai --model-id gpt-4o --api-key sk-...
 ```
 
+## Security & Governance
+
+This project is built on [`agent-utilities`](https://github.com/Knuckles-Team/agent-utilities), inheriting enterprise-grade security and governance features.
+
+### Authentication & Authorization
+| Feature | Description |
+|---------|-------------|
+| **OIDC Token Delegation** | RFC 8693 token exchange for user-context propagation from A2A → MCP |
+| **Eunomia Policies** | Fine-grained, policy-driven tool authorization (`none`, `embedded`, `remote`) |
+| **Scoped Credentials** | Tools execute with the caller's scoped identity where possible |
+| **3LO / OAuth / API Token** | Multiple auth strategies with graceful fallback |
+
+### Eunomia Policy Enforcement
+Eunomia provides a policy enforcement point for all tool calls:
+- **Embedded mode**: Load local `mcp_policies.json` for role-based access, sensitivity gating, and audit logging
+- **Remote mode**: Forward authorization decisions to a central Eunomia policy server for multi-agent governance
+- Enable via CLI: `--eunomia-type embedded --eunomia-policy-file mcp_policies.json`
+
+### Runtime Protections
+| Protection | Description |
+|------------|-------------|
+| **Tool Guard** | Sensitivity detection with human-in-the-loop approval gating |
+| **Prompt Injection Defense** | Input scanning and repetition/loop guards |
+| **Content Filtering** | Output schema enforcement and cost budget controls |
+| **Stuck Loop Detection** | Automatic detection and recovery from agent loops |
+| **Context Limit Warnings** | Proactive alerts before context window exhaustion |
+
+### Graph Agent Architecture
+The A2A agent uses `pydantic-graph` orchestration with:
+- **RouterNode**: Lightweight classifier that routes queries to specialized domains
+- **DomainNode**: Focused executor with only relevant tools loaded, preventing tool hallucination
+- **Approval Gates**: Policy-driven approval workflows before sensitive operations
+- **Usage Guards**: Budget and rate limiting enforcement
+
+> **Production Recommendation**: Enable `--eunomia-type embedded` (or `remote`) + OIDC delegation + containerized deployment. See [`agent-utilities` documentation](https://github.com/Knuckles-Team/agent-utilities) for full policy configuration.
+
 ## Docker
 
 ### Build
@@ -229,63 +265,27 @@ docker-compose up -d
 
 ## MCP Configuration Examples
 
-### 1. Standard IO (stdio) Deployment
-
+### stdio (recommended for local development)
 ```json
 {
   "mcpServers": {
-    "github-agent": {
-      "command": "uv",
-      "args": [
-        "run",
-        "github-mcp"
-      ],
+    "github": {
+      "command": ".venv/bin/github-mcp",
+      "args": [],
       "env": {
-        "AGENT_DESCRIPTION": "<YOUR_AGENT_DESCRIPTION>",
-        "AGENT_SYSTEM_PROMPT": "<YOUR_AGENT_SYSTEM_PROMPT>",
-        "CONTENTSTOOL": "True",
-        "DEFAULT_AGENT_NAME": "<YOUR_DEFAULT_AGENT_NAME>",
-        "GITHUB_TOKEN": "<YOUR_GITHUB_TOKEN>",
-        "GITHUB_URL": "<YOUR_GITHUB_URL>",
-        "GITHUB_VERIFY": "<YOUR_GITHUB_VERIFY>",
-        "ISSUETOOL": "True",
-        "PULLSTOOL": "True",
-        "REPOSTOOL": "True"
-      }
+        "GITHUB_TOKEN": ""
+}
     }
   }
 }
 ```
 
-### 2. Streamable HTTP (SSE) Deployment
-
+### Streamable HTTP (recommended for production)
 ```json
 {
   "mcpServers": {
-    "github-agent": {
-      "command": "uv",
-      "args": [
-        "run",
-        "github-mcp",
-        "--transport",
-        "http",
-        "--host",
-        "0.0.0.0",
-        "--port",
-        "8000"
-      ],
-      "env": {
-        "AGENT_DESCRIPTION": "<YOUR_AGENT_DESCRIPTION>",
-        "AGENT_SYSTEM_PROMPT": "<YOUR_AGENT_SYSTEM_PROMPT>",
-        "CONTENTSTOOL": "True",
-        "DEFAULT_AGENT_NAME": "<YOUR_DEFAULT_AGENT_NAME>",
-        "GITHUB_TOKEN": "<YOUR_GITHUB_TOKEN>",
-        "GITHUB_URL": "<YOUR_GITHUB_URL>",
-        "GITHUB_VERIFY": "<YOUR_GITHUB_VERIFY>",
-        "ISSUETOOL": "True",
-        "PULLSTOOL": "True",
-        "REPOSTOOL": "True"
-      }
+    "github": {
+      "url": "http://localhost:8080/github-mcp/mcp"
     }
   }
 }

{github_agent-0.11.0 → github_agent-0.11.1}/README.md

@@ -21,7 +21,7 @@
 ![PyPI - Wheel](https://img.shields.io/pypi/wheel/github-agent)
 ![PyPI - Implementation](https://img.shields.io/pypi/implementation/github-agent)
 
-*Version: 0.11.0*
+*Version: 0.11.1*
 
 ## Overview
 
@@ -158,6 +158,42 @@ The `github-agent` command starts the server.
 github-agent --provider openai --model-id gpt-4o --api-key sk-...
 ```
 
+## Security & Governance
+
+This project is built on [`agent-utilities`](https://github.com/Knuckles-Team/agent-utilities), inheriting enterprise-grade security and governance features.
+
+### Authentication & Authorization
+| Feature | Description |
+|---------|-------------|
+| **OIDC Token Delegation** | RFC 8693 token exchange for user-context propagation from A2A → MCP |
+| **Eunomia Policies** | Fine-grained, policy-driven tool authorization (`none`, `embedded`, `remote`) |
+| **Scoped Credentials** | Tools execute with the caller's scoped identity where possible |
+| **3LO / OAuth / API Token** | Multiple auth strategies with graceful fallback |
+
+### Eunomia Policy Enforcement
+Eunomia provides a policy enforcement point for all tool calls:
+- **Embedded mode**: Load local `mcp_policies.json` for role-based access, sensitivity gating, and audit logging
+- **Remote mode**: Forward authorization decisions to a central Eunomia policy server for multi-agent governance
+- Enable via CLI: `--eunomia-type embedded --eunomia-policy-file mcp_policies.json`
+
+### Runtime Protections
+| Protection | Description |
+|------------|-------------|
+| **Tool Guard** | Sensitivity detection with human-in-the-loop approval gating |
+| **Prompt Injection Defense** | Input scanning and repetition/loop guards |
+| **Content Filtering** | Output schema enforcement and cost budget controls |
+| **Stuck Loop Detection** | Automatic detection and recovery from agent loops |
+| **Context Limit Warnings** | Proactive alerts before context window exhaustion |
+
+### Graph Agent Architecture
+The A2A agent uses `pydantic-graph` orchestration with:
+- **RouterNode**: Lightweight classifier that routes queries to specialized domains
+- **DomainNode**: Focused executor with only relevant tools loaded, preventing tool hallucination
+- **Approval Gates**: Policy-driven approval workflows before sensitive operations
+- **Usage Guards**: Budget and rate limiting enforcement
+
+> **Production Recommendation**: Enable `--eunomia-type embedded` (or `remote`) + OIDC delegation + containerized deployment. See [`agent-utilities` documentation](https://github.com/Knuckles-Team/agent-utilities) for full policy configuration.
+
 ## Docker
 
 ### Build
@@ -209,63 +245,27 @@ docker-compose up -d
 
 ## MCP Configuration Examples
 
-### 1. Standard IO (stdio) Deployment
-
+### stdio (recommended for local development)
 ```json
 {
   "mcpServers": {
-    "github-agent": {
-      "command": "uv",
-      "args": [
-        "run",
-        "github-mcp"
-      ],
+    "github": {
+      "command": ".venv/bin/github-mcp",
+      "args": [],
       "env": {
-        "AGENT_DESCRIPTION": "<YOUR_AGENT_DESCRIPTION>",
-        "AGENT_SYSTEM_PROMPT": "<YOUR_AGENT_SYSTEM_PROMPT>",
-        "CONTENTSTOOL": "True",
-        "DEFAULT_AGENT_NAME": "<YOUR_DEFAULT_AGENT_NAME>",
-        "GITHUB_TOKEN": "<YOUR_GITHUB_TOKEN>",
-        "GITHUB_URL": "<YOUR_GITHUB_URL>",
-        "GITHUB_VERIFY": "<YOUR_GITHUB_VERIFY>",
-        "ISSUETOOL": "True",
-        "PULLSTOOL": "True",
-        "REPOSTOOL": "True"
-      }
+        "GITHUB_TOKEN": ""
+}
     }
   }
 }
 ```
 
-### 2. Streamable HTTP (SSE) Deployment
-
+### Streamable HTTP (recommended for production)
 ```json
 {
   "mcpServers": {
-    "github-agent": {
-      "command": "uv",
-      "args": [
-        "run",
-        "github-mcp",
-        "--transport",
-        "http",
-        "--host",
-        "0.0.0.0",
-        "--port",
-        "8000"
-      ],
-      "env": {
-        "AGENT_DESCRIPTION": "<YOUR_AGENT_DESCRIPTION>",
-        "AGENT_SYSTEM_PROMPT": "<YOUR_AGENT_SYSTEM_PROMPT>",
-        "CONTENTSTOOL": "True",
-        "DEFAULT_AGENT_NAME": "<YOUR_DEFAULT_AGENT_NAME>",
-        "GITHUB_TOKEN": "<YOUR_GITHUB_TOKEN>",
-        "GITHUB_URL": "<YOUR_GITHUB_URL>",
-        "GITHUB_VERIFY": "<YOUR_GITHUB_VERIFY>",
-        "ISSUETOOL": "True",
-        "PULLSTOOL": "True",
-        "REPOSTOOL": "True"
-      }
+    "github": {
+      "url": "http://localhost:8080/github-mcp/mcp"
     }
   }
 }

{github_agent-0.11.0 → github_agent-0.11.1}/github_agent/agent_server.py

@@ -4,15 +4,7 @@ import os
 import sys
 import warnings
 
-from agent_utilities import (
-    build_system_prompt_from_workspace,
-    create_agent_parser,
-    create_graph_agent_server,
-    initialize_workspace,
-    load_identity,
-)
-
-__version__ = "0.11.0"
+__version__ = "0.11.1"
 
 logging.basicConfig(
     level=logging.INFO,
@@ -22,23 +14,38 @@ logging.basicConfig(
 logger = logging.getLogger(__name__)
 
 
-initialize_workspace()
-meta = load_identity()
-DEFAULT_AGENT_NAME = os.getenv("DEFAULT_AGENT_NAME", meta.get("name", "Github Agent"))
-DEFAULT_AGENT_DESCRIPTION = os.getenv(
-    "AGENT_DESCRIPTION",
-    meta.get(
-        "description",
-        "AI agent for GitHub Agent management.",
-    ),
-)
-DEFAULT_AGENT_SYSTEM_PROMPT = os.getenv(
-    "AGENT_SYSTEM_PROMPT",
-    meta.get("content") or build_system_prompt_from_workspace(),
-)
+DEFAULT_AGENT_NAME = None
+DEFAULT_AGENT_DESCRIPTION = None
+DEFAULT_AGENT_SYSTEM_PROMPT = None
 
 
 def agent_server():
+    from agent_utilities import (
+        build_system_prompt_from_workspace,
+        create_agent_parser,
+        create_agent_server,
+        initialize_workspace,
+        load_identity,
+    )
+
+    global DEFAULT_AGENT_NAME, DEFAULT_AGENT_DESCRIPTION, DEFAULT_AGENT_SYSTEM_PROMPT
+    initialize_workspace()
+    meta = load_identity()
+    DEFAULT_AGENT_NAME = os.getenv(
+        "DEFAULT_AGENT_NAME", meta.get("name", "Github Agent")
+    )
+    DEFAULT_AGENT_DESCRIPTION = os.getenv(
+        "AGENT_DESCRIPTION",
+        meta.get(
+            "description",
+            "AI agent for GitHub Agent management.",
+        ),
+    )
+    DEFAULT_AGENT_SYSTEM_PROMPT = os.getenv(
+        "AGENT_SYSTEM_PROMPT",
+        meta.get("content") or build_system_prompt_from_workspace(),
+    )
+
     warnings.filterwarnings("ignore", message=".*urllib3.*or chardet.*")
     warnings.filterwarnings("ignore", category=DeprecationWarning, module="fastmcp")
 
@@ -51,7 +58,7 @@ def agent_server():
         logger.debug("Debug mode enabled")
 
     # Start server using the auto-discovery pattern (from mcp_config.json)
-    create_graph_agent_server(
+    create_agent_server(
         mcp_url=args.mcp_url,
         mcp_config=args.mcp_config or "mcp_config.json",
         host=args.host,