Microsoft AGT Integration
MeshGuard treats Microsoft Agent Governance Toolkit (AGT) as a first-class policy enforcement point. AGT runs inside the agent process. MeshGuard runs the neutral control plane for policy decisions, audit ingestion, identity, trust scoring, and fleet operations.
Install
```bash
pip install meshguard-agt
```

Configure

```python
import os
from meshguard_agt import configure_agt_with_meshguard

kernel = configure_agt_with_meshguard(
    gateway_url="https://gateway.meshguard.app",
    tenant_id="acme-corp",
    agent_token=os.environ["MESHGUARD_AGENT_TOKEN"],
    features=["policy", "audit", "identity", "trust", "mcp"],
)
```

What The Adapter Provides
| AGT extension point | MeshGuard implementation | Control-plane behavior |
|---|---|---|
| Policy evaluator | MeshGuardPolicyBackend | Calls MeshGuard PDP and caches decisions by policy version and context hash. |
| Audit sink | MeshGuardAuditSink | Batches decision events to audit ingestion with WAL-backed recovery. |
| Identity provider | MeshGuardIdentityProvider | Issues and verifies JWT agent identity now, SPIFFE SVID mode when enabled. |
| Trust oracle | MeshGuardTrustOracle | Reads live trust tier and trust score from MeshGuard. |
| MCP gateway | MeshGuardMCPGateway | Delegates MCP tool risk, drift, and typosquatting checks to MeshGuard. |
PDP Contract
AGT calls the same contract as every other MeshGuard client:
```protobuf
service MeshGuardPDP {
  rpc Evaluate(PolicyRequest) returns (PolicyResponse);
  rpc EvaluateStream(stream PolicyRequest) returns (stream PolicyResponse);
  rpc Subscribe(PolicySubscription) returns (stream PolicyChangeEvent);
}
```

HTTP fallback is available at POST /api/v1/pdp/evaluate for environments where gRPC is blocked.
Failure Modes
fail-closed is the default and should be used in production. fail-open is available only for low-risk migration windows and writes a failure-mode audit event.
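The two failure modes above, combined with the decision cache keyed by policy version and context hash from the adapter table, as an added example. This is not code from meshguard-agt: `GuardedEvaluator`, `context_hash`, the sample PDP functions, and the choice never to cache a fallback result are assumptions of this example.

```python
import hashlib
import json
import time
from concurrent.futures import ThreadPoolExecutor

def context_hash(context: dict) -> str:
    # Canonical JSON so key order cannot produce two cache entries for one context.
    canonical = json.dumps(context, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class GuardedEvaluator:
    """Hypothetical wrapper around a PDP call; not MeshGuardPolicyBackend itself."""

    def __init__(self, pdp_call, failure_mode="fail-closed", timeout_ms=50):
        if failure_mode not in ("fail-closed", "fail-open"):
            raise ValueError(f"unknown failure_mode: {failure_mode!r}")
        self.pdp_call = pdp_call
        self.failure_mode = failure_mode
        self.timeout_s = timeout_ms / 1000
        self.cache = {}  # (policy_version, context_hash) -> bool
        self.audit = []  # stand-in for an audit sink
        self.pool = ThreadPoolExecutor(max_workers=4)

    def evaluate(self, policy_version: str, context: dict) -> bool:
        key = (policy_version, context_hash(context))
        if key in self.cache:
            return self.cache[key]
        try:
            future = self.pool.submit(self.pdp_call, context)
            allowed = bool(future.result(timeout=self.timeout_s))
        except Exception as exc:  # timeout, transport error, or PDP fault
            allowed = self.failure_mode == "fail-open"
            # The page requires this event for fail-open; recording it for
            # fail-closed as well is a choice made in this example.
            self.audit.append({"event": "failure-mode", "mode": self.failure_mode,
                               "allowed": allowed, "error": type(exc).__name__})
            return allowed  # a fallback result is never cached
        self.cache[key] = allowed
        return allowed

# Constructed stand-ins for the PDP: one healthy, one slower than the timeout.
def healthy_pdp(context):
    return context.get("tool") == "search"

def slow_pdp(context):
    time.sleep(0.3)
    return True
```

Keeping fallback results out of the cache means a brief outage under fail-open cannot leave behind an allow decision that outlives the outage.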
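```python
import os

from meshguard_agt.backends.policy import MeshGuardPolicyBackend

backend = MeshGuardPolicyBackend(
    gateway_url="https://gateway.meshguard.app",
    tenant_id="acme-corp",
    # Read the agent token from the environment rather than hard-coding it.
    agent_token=os.environ["MESHGUARD_AGENT_TOKEN"],
    # Production default; see the failure-mode description above.
    failure_mode="fail-closed",
    timeout_ms=50,
)
```

Migration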
Local AGT YAML remains valid. Move the file into a Git-backed policy repo, run meshguard policy lint, then use meshguard policy lift to stage it in MeshGuard. See Migrating from AGT local policies.
