
Introducing Azure ACA sandbox provider in AGT #2236

Open

amolr wants to merge 7 commits into main from dev/amolr/azuresandbox

Conversation

@amolr (Contributor) commented May 13, 2026

This pull request introduces and tests new sandbox-related policy fields in the PolicyDocument schema, enhances documentation and initialization for the Azure Container Apps (ACA) sandbox provider, and adds a comprehensive test for the StepReceipt-to-MerkleAuditChain adapter. The most important changes are grouped below:

Policy Schema Extensions and Tests:

  • Added new sandbox resource constraint fields to PolicyDefaults (max_cpu, max_memory_mb, timeout_seconds, and network_default) and new allowlist fields (network_allowlist, tool_allowlist) to PolicyDocument. These fields are consumed by sandbox providers for resource and network/tool access control, but ignored by the rule engine. ([[1]](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-78b670c488d20b239360fefc85ce139209ff60b5e57fad532f8ac5620467579fL66-R100), [[2]](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-78b670c488d20b239360fefc85ce139209ff60b5e57fad532f8ac5620467579fR119-R138))
  • Added test_policy_sandbox_fields.py to pin the contract for these new fields, ensuring correct defaults, allowed values, and YAML round-trip compatibility. ([agent-governance-python/agent-os/tests/test_policy_sandbox_fields.pyR1-R118](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-00666e6fe40dbdce8395620bd859731a2d7f64e93621ba279f2a1ec9836ca8e6R1-R118))

ACA Sandbox Provider Integration:

  • Documented the ACA sandbox provider as a built-in backend in agent_sandbox/__init__.py, and added a lazy import for ACASandboxProvider to handle optional dependencies. ([[1]](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-2a35f8bda57f0e7f2924f1fc2cd5536bccaedb2c8c55957c421d3efcbb963bffL6-R6), [[2]](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-2a35f8bda57f0e7f2924f1fc2cd5536bccaedb2c8c55957c421d3efcbb963bffR15-R17), [[3]](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-2a35f8bda57f0e7f2924f1fc2cd5536bccaedb2c8c55957c421d3efcbb963bffR61-R75))
  • Added an __init__.py to the aca_sandbox_provider package to re-export the provider and helper functions for convenient imports. ([agent-governance-python/agent-sandbox/src/agent_sandbox/aca_sandbox_provider/__init__.pyR1-R25](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-5f2f4f34a9972d7a14400f2a6940e62b91c8b41ac2e50f69df0fb24834eed6b6R1-R25))

StepReceipt to MerkleAuditChain Testing:

  • Added test_step_receipt_to_audit_chain.py to verify the adapter logic and ensure documentation snippets remain in sync with the actual AuditEntry and MerkleAuditChain schema. This includes tests for hash chaining, field preservation, tampering detection, and round-tripping of egress decisions. ([agent-governance-python/agent-mesh/tests/test_step_receipt_to_audit_chain.pyR1-R164](https://github.com/microsoft/agent-governance-toolkit/pull/2236/files#diff-91f5a4f47b1c117f350968e278d01295f9977657d2294dba016a4b33c42fc880R1-R164))

This pull request introduces and tests new schema fields in the policy system to support sandbox resource constraints and egress/network controls, and adds Azure ACA sandbox support to the agent sandbox package. The key changes are grouped below by theme:

Policy Schema: Sandbox Resource and Network Controls

  • Added new optional sandbox resource constraint fields (max_cpu, max_memory_mb, timeout_seconds, and network_default) to the PolicyDefaults class in policy/schema.py. These fields are intended for sandbox providers (such as Azure, Docker, Hyperlight) and not for the rule engine itself. The network_default field is a required Literal with allowed values "allow" or "deny", defaulting to "deny" for fail-closed behavior.
  • Added new list fields network_allowlist and tool_allowlist to PolicyDocument for specifying allowed network hosts and tools, respectively. These are consumed by sandbox providers and default to empty lists.

Testing: Policy Schema Contract

  • Added a new test module test_policy_sandbox_fields.py to verify the new schema fields, including their defaults, allowed values, YAML round-trip, and backward compatibility with older YAML files.

Agent Sandbox: Azure Provider Integration

  • Updated agent_sandbox/__init__.py to document and lazily import the new AzureSandboxProvider, making it available as a built-in sandbox backend alongside Docker and Hyperlight. [1] [2] [3]
  • Added a new package agent_sandbox/azureadc_sandbox_provider with an __init__.py that re-exports the main provider class and helpers, supporting from agent_sandbox.azureadc_sandbox_provider import AzureSandboxProvider.

Documentation and Testing: Audit Chain Adapter

  • Added a test (test_step_receipt_to_audit_chain.py) to ensure the documentation's StepReceipt to MerkleAuditChain adapter remains in sync with the actual schema, and to pin the contract for audit entries generated from sandbox steps.

Description

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Maintenance (dependency updates, CI/CD, refactoring)
  • Security fix

Package(s) Affected

  • agent-os-kernel
  • agent-mesh
  • agent-runtime
  • agent-sre
  • agent-governance
  • docs / root

Checklist

  • My code follows the project style guidelines (ruff check)
  • I have added tests that prove my fix/feature works
  • All new and existing tests pass (pytest)
  • I have updated documentation as needed
  • I have signed the Microsoft CLA

Attribution & Prior Art

  • This contribution does not contain code copied or derived from other projects without attribution
  • Any external projects that inspired this design are credited in code comments or documentation
  • If this PR implements functionality similar to an existing open-source project, I have listed it below

Prior art / related projects (if any):

AI Assistance

  • I can explain every meaningful change in this PR: what it does, why, and what tradeoffs were considered
  • I have run tests and verification appropriate for this change
  • No part of this PR was autonomously submitted by an AI agent without my review
  • I have not used AI to generate review comments on others' PRs

If AI tools materially shaped this change, briefly note what was used:

IP, Patents, and Licensing

  • This contribution does not implement patent-pending or patent-encumbered techniques
  • This contribution does not require an NDA or licensing agreement to understand or use
  • Any AI tools used have terms compatible with the MIT License

Related Issues
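The PR body describes a StepReceipt-to-MerkleAuditChain adapter and tests for hash chaining, field preservation and tampering detection, without showing the code. The following is an added illustrative example, not code from this PR or from the agent-governance-toolkit project: the receipt and entry field names, the GENESIS_HASH convention, the canonical JSON encoding and the chain_receipts helper are all assumptions, and the chain is a linear sha256 hash chain rather than a full Merkle tree.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first entry (constructed convention)


@dataclass(frozen=True)
class StepReceipt:
    """Hypothetical receipt emitted by a sandbox provider for one executed step."""
    step_id: str
    tool: str
    egress_decision: str  # "allow" or "deny", as decided by the provider
    output_digest: str    # hex sha256 of the step's captured output


@dataclass
class AuditEntry:
    """One link in the chain; entry_hash seals every other field, including prev_hash."""
    index: int
    step_id: str
    tool: str
    egress_decision: str
    output_digest: str
    prev_hash: str
    entry_hash: str = ""


def canonical_bytes(entry: AuditEntry) -> bytes:
    """Deterministic encoding of everything except the seal itself."""
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_digest(entry: AuditEntry) -> str:
    return hashlib.sha256(canonical_bytes(entry)).hexdigest()


class MerkleAuditChain:
    """Append-only hash chain (linear, not a Merkle tree) over audit entries."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, receipt: StepReceipt) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = AuditEntry(
            index=len(self.entries),
            step_id=receipt.step_id,
            tool=receipt.tool,
            egress_decision=receipt.egress_decision,
            output_digest=receipt.output_digest,
            prev_hash=prev,
        )
        entry.entry_hash = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails verification, or None if intact."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry.index != i or entry.prev_hash != prev or entry.entry_hash != entry_digest(entry):
                return i
            prev = entry.entry_hash
        return None


def chain_receipts(receipts: List[StepReceipt]) -> MerkleAuditChain:
    """Adapter: fold a sequence of step receipts into an audit chain."""
    chain = MerkleAuditChain()
    for receipt in receipts:
        chain.append(receipt)
    return chain


if __name__ == "__main__":
    # Constructed sample receipts
    sample = [
        StepReceipt("step-1", "pip", "allow", hashlib.sha256(b"installed").hexdigest()),
        StepReceipt("step-2", "python", "deny", hashlib.sha256(b"blocked").hexdigest()),
    ]
    chain = chain_receipts(sample)
    print("intact:", chain.verify() is None)
    chain.entries[1].egress_decision = "allow"  # simulate after-the-fact tampering
    print("first bad entry:", chain.verify())
```

Because each entry_hash covers prev_hash, editing a sealed entry is caught at that entry, and re-sealing the edited entry only moves the failure to its successor, whose recorded prev_hash no longer matches; only an attacker who can re-seal every later entry can hide the change, which is why the chain head should be anchored somewhere the sandbox cannot write.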

@github-actions github-actions Bot added documentation Improvements or additions to documentation tests agent-mesh agent-mesh package labels May 13, 2026
github-actions Bot commented May 13, 2026

🤖 AI Agent: security-scanner

No security issues found.

github-actions Bot commented May 13, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

github-actions Bot commented May 13, 2026

🤖 AI Agent: docs-sync-checker — Docs Sync

  • chain_receipt() in test_step_receipt_to_audit_chain.py -- missing docstring
  • README.md -- Azure ACA sandbox provider integration section needs update
  • CHANGELOG.md -- missing entry for new sandbox-related policy fields and ACA sandbox provider integration

github-actions Bot commented May 13, 2026

🤖 AI Agent: code-reviewer — Action Items:

TL;DR: 0 blockers, 1 warning. Solid implementation with minor follow-up needed.

# | Sev | Issue | Where
1 | Warn | Missing validation for network_allowlist and tool_allowlist fields in PolicyDocument. | agent-os/src/agent_os/policies/schema.py

Action Items:

  1. None.

Warnings:

# | Issue | Where | Follow-up
1 | Add validation for network_allowlist and tool_allowlist fields to ensure proper input values. | agent-os/src/agent_os/policies/schema.py | Fine as follow-up PR.

@github-actions github-actions Bot added the size/XL Extra large PR (500+ lines) label May 13, 2026
github-actions Bot commented May 13, 2026

🤖 AI Agent: test-generator — `agent-governance-python/agent-os/src/agent_os/policies/schema.py`

  • test_policy_defaults_sandbox_constraints -- Validate default values and constraints for new sandbox resource fields (max_cpu, max_memory_mb, timeout_seconds, network_default).
  • test_policy_document_allowlist_fields -- Test network_allowlist and tool_allowlist fields for correct defaults, validation, and integration with PolicyDocument.

agent-governance-python/agent-sandbox/src/agent_sandbox/aca_sandbox_provider/__init__.py

  • test_aca_sandbox_provider_lazy_import -- Verify that ACASandboxProvider is correctly imported and initialized when accessed.
  • test_aca_sandbox_provider_optional_dependencies -- Ensure proper error handling when optional dependencies for ACA are missing.

agent-governance-python/agent-mesh/tests/test_step_receipt_to_audit_chain.py

Test coverage looks good. No gaps identified.

github-actions Bot commented May 13, 2026

🤖 AI Agent: breaking-change-detector — API Compatibility

Severity | Change | Impact
High | Added new required field network_default to PolicyDefaults in PolicyDocument schema. | Existing code that instantiates PolicyDefaults without specifying network_default may break due to the new required field.
Medium | Added new optional fields (max_cpu, max_memory_mb, timeout_seconds, network_allowlist, tool_allowlist) to PolicyDefaults and PolicyDocument. | While optional, these fields may cause issues if downstream consumers are not prepared to handle them in serialized/deserialized data.
Medium | Introduced lazy import for ACASandboxProvider in agent_sandbox/__init__.py. | Code relying on immediate availability of ACASandboxProvider may break if it does not handle the lazy import properly.

github-actions Bot commented May 13, 2026

PR Review Summary

Check | Status | Details
🔍 Code Review | ⚠️ Warning | See details
🛡️ Security Scan | ✅ Passed | No issues found
🔄 Breaking Changes | ✅ Completed | Analysis complete
📝 Docs Sync | ✅ Completed | Analysis complete
🧪 Test Coverage | ✅ Completed | Analysis complete

Verdict: ⚠️ Ready for human review

Comment thread examples/quickstart/azure_sandbox_step5_test.py Fixed
@amolr amolr changed the title Introducing Azure ADC sandbox provider in AGT Introducing Azure ACA sandbox provider in AGT May 13, 2026
@amolr amolr force-pushed the dev/amolr/azuresandbox branch from bc5d497 to bcfd103 Compare May 13, 2026 05:00
@Ricky-G (Contributor) commented May 13, 2026

Hey @amolr awesome work, the design doc and the quickstart are genuinely great 🙌

The two main areas I'd love the proposal to firm up before we implement:

  • Identity & auth bootstrapping -> assume we use the same as the host.

  • Resource group / ACA environment provisioning. -> assuming we only support existing infra

@amolr (Contributor, Author) commented May 13, 2026

> Hey @amolr awesome work, the design doc and the quickstart are genuinely great 🙌
>
> The two main areas I'd love the proposal to firm up before we implement:
>
>   • Identity & auth bootstrapping -> assume we use the same as the host.
>   • Resource group / ACA environment provisioning. -> assuming we only support existing infra

Yes, we assume the clients use az login and provide their subscription ID to create the required resources.
For the resource groups, we expect that the resource group already exists. This is in line with other management SDKs of Azure.

@imran-siddique imran-siddique enabled auto-merge (squash) May 14, 2026 06:01
@imran-siddique (Member) left a comment

TL;DR: 3 blockers, request changes.

# | Sev | Issue | Where
1 | Blocker | Local filesystem path Q:\ADC\python\python\azure-sandbox leaked into public docs. Must use PyPI package name only. | docs/proposals/azure-aca-sandbox.md
2 | Blocker | Internal names still present: management.azuredevcompute.io, host=adc-sandbox. These are internal Azure infra names that should not appear in a public repo. Replace with ACA-branded equivalents or redact. | docs/proposals/azure-aca-sandbox.md
3 | Blocker | PR checklist is completely unchecked (type of change, packages affected, CLA, AI assistance, IP). Fill these out before merge. | PR body
4 | Warn | 10 CI checks failing (DCO, spell check, secret scanning, etc.). Verify these are not blocking. | CI
5 | Warn | Docs-sync bot flagged: README sandbox providers section needs ACA mention, CHANGELOG entry missing. | Follow-up OK

Action items:

  1. Remove the Q:\ADC\... local paths from the proposal doc, replace with azure-sandbox / azure-mgmt-sandbox (just the package names).
  2. Scrub azuredevcompute.io and adc-sandbox references from all docs. Use containerapps.azure.com per the team's agreed branding.
  3. Fill out the PR checklist checkboxes.

Code quality is solid: fail-closed defaults, input validation, thread-safe state, good test coverage (786-line unit test file + integration tests). Schema changes are backward-compatible with sensible defaults. No secrets or credential leaks detected.

@miyannishar miyannishar disabled auto-merge May 14, 2026 14:29
@miyannishar (Collaborator) left a comment

Hey @amolr — took a proper look through the full diff, design doc, and the quickstart. Really nice work here.

@miyannishar (Collaborator) left a comment

One minor nit on the __init__.py exports — see inline. Otherwise this looks great.

)

__all__ = [
"ACASandboxProvider",
@miyannishar (Collaborator) commented inline on the __init__.py exports

nit: exporting underscore-prefixed helpers (_network_allowlist, _network_default, _validate_resource_name) in __all__ sends mixed signals — underscore says "internal", __all__ says "public API".

If they're genuinely useful for downstream consumers (e.g. someone building a custom sandbox provider), consider dropping the underscore. Otherwise, keep them out of __all__ so you can refactor freely later.

@miyannishar (Collaborator) commented

Went through the full diff — implementation, tests, design doc, quickstart. This is solid work @amolr.

Fail-closed egress default, base64-pipe execution, and the test coverage (especially test_empty_allowlist_plus_deny_is_total_lockdown) are all exactly right. CI is green. No blockers from my side.

One nit: aca_sandbox_provider/__init__.py exports underscore-prefixed helpers (_network_allowlist, _network_default) in __all__ — either drop the underscore or keep them out of __all__ so you can refactor freely later. See inline comment.
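The review above praises the fail-closed egress default and the test named test_empty_allowlist_plus_deny_is_total_lockdown, the PR body lists the new PolicyDefaults and PolicyDocument fields, and the code-reviewer bot asked for validation of network_allowlist and tool_allowlist. The following added example ties those three together; it is not the project's schema.py or sandbox provider code. Assumptions: plain dataclasses stand in for the project's model, the precedence rule is "an allowlist match wins, otherwise network_default decides", the hostname and tool-name patterns are constructed, and egress_allowed and json_round_trip are hypothetical helper names (the project's tests round-trip through YAML; JSON is used here to keep the example stdlib-only).

```python
import json
import re
from dataclasses import asdict, dataclass, field
from typing import Any, Dict, List, Literal, Optional

# Hostname or leading-wildcard pattern such as "*.pythonhosted.org" (constructed rule).
_HOST_RE = re.compile(r"^(\*\.)?(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")
_TOOL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


@dataclass
class PolicyDefaults:
    max_cpu: Optional[float] = None
    max_memory_mb: Optional[int] = None
    timeout_seconds: Optional[int] = None
    network_default: Literal["allow", "deny"] = "deny"  # fail closed when unset

    def __post_init__(self) -> None:
        if self.network_default not in ("allow", "deny"):
            raise ValueError(f"network_default must be 'allow' or 'deny', got {self.network_default!r}")
        for name in ("max_cpu", "max_memory_mb", "timeout_seconds"):
            value = getattr(self, name)
            if value is not None and value <= 0:
                raise ValueError(f"{name} must be positive, got {value!r}")


@dataclass
class PolicyDocument:
    defaults: PolicyDefaults = field(default_factory=PolicyDefaults)
    network_allowlist: List[str] = field(default_factory=list)
    tool_allowlist: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The validation the code-reviewer bot asked for: reject malformed entries up front.
        for host in self.network_allowlist:
            if not _HOST_RE.match(host.lower()):
                raise ValueError(f"invalid network_allowlist entry {host!r}")
        for tool in self.tool_allowlist:
            if not _TOOL_RE.match(tool):
                raise ValueError(f"invalid tool_allowlist entry {tool!r}")

    def to_dict(self) -> Dict[str, Any]:
        return {
            "defaults": asdict(self.defaults),
            "network_allowlist": list(self.network_allowlist),
            "tool_allowlist": list(self.tool_allowlist),
        }

    @classmethod
    def from_dict(cls, data: Dict[str, Any]) -> "PolicyDocument":
        # Older documents omit these keys entirely and land on the fail-closed defaults.
        return cls(
            defaults=PolicyDefaults(**data.get("defaults", {})),
            network_allowlist=list(data.get("network_allowlist", [])),
            tool_allowlist=list(data.get("tool_allowlist", [])),
        )


def json_round_trip(doc: PolicyDocument) -> PolicyDocument:
    """Serialise and reload; the returned document must equal the input."""
    return PolicyDocument.from_dict(json.loads(json.dumps(doc.to_dict())))


def egress_allowed(doc: PolicyDocument, host: str) -> bool:
    """Outbound decision for one host: an allowlist match wins, otherwise network_default applies."""
    host = host.lower().rstrip(".")
    for pattern in doc.network_allowlist:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # "*.example.com" matches sub.example.com but not example.com itself
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return doc.defaults.network_default == "allow"


if __name__ == "__main__":
    # Constructed policy: an empty allowlist plus the "deny" default is a total lockdown.
    lockdown = PolicyDocument.from_dict({})
    print("pypi.org under lockdown:", egress_allowed(lockdown, "pypi.org"))
    scoped = PolicyDocument.from_dict({"network_allowlist": ["pypi.org", "*.pythonhosted.org"]})
    print("files.pythonhosted.org under scoped policy:", egress_allowed(scoped, "files.pythonhosted.org"))
```

The wildcard comparison is deliberately suffix-based on ".domain" rather than "domain", so a look-alike such as evilpypi.org never matches an entry for pypi.org; the same lookalike appears in the spell-check commit message as a test fixture name.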

Amol Ravande added 4 commits May 14, 2026 17:51
Signed-off-by: Amol Ravande <[email protected]>
Signed-off-by: Amol Ravande <[email protected]>
…nal helpers

- Replace management.azuredevcompute.io with management.containerapps.azure.com in proposal docs.

- Remove Q:\ADC\python\python\... local filesystem paths from azure-aca-sandbox.md; reference PyPI package names directly.

- Rename adc-sandbox host marker to aca-sandbox in azure_sandbox_step5_test.py docstring.

- Drop _network_allowlist, _network_default, and _validate_resource_name from agent_sandbox.aca_sandbox_provider package __all__; tests now import them directly from the implementation module to keep them as internal helpers.

Signed-off-by: Amol Ravande <[email protected]>
@amolr amolr force-pushed the dev/amolr/azuresandbox branch from 4605bda to 69fadcd Compare May 15, 2026 00:54
…lation design

- Remove the now-unused entry from the cloud-providers comparison diagram.
- Fold the ephemeral-container bullet into the existing ACA bullet, preserving
  the sub-second cold-start point without naming the internal service.

Signed-off-by: Amol Ravande <[email protected]>
@amolr amolr force-pushed the dev/amolr/azuresandbox branch from 3fc9319 to 04e6835 Compare May 15, 2026 01:05
Amol Ravande added 2 commits May 14, 2026 22:01
Required by scripts/ci/security-audit-required.sh because this PR touches
agent-governance-python/agent-os/src/agent_os/policies/schema.py.

Covers:
- What changed (new sandbox-provider extension fields on PolicyDocument /
  PolicyDefaults: max_cpu, max_memory_mb, timeout_seconds, network_default,
  network_allowlist, tool_allowlist).
- Threat model impact (additive, fail-closed: network_default defaults to
  "deny"; no existing check weakened; rule-engine evaluation byte-identical).
- Test coverage (test_policy_sandbox_fields.py, test_azure_sandbox*.py,
  updated test_docker_sandbox.py).

Signed-off-by: Amol Ravande <[email protected]>
Spell-check workflow flagged terms from sandbox tests, schema, and the new
security audit doc. All are legitimate technical terms:

- Python stdlib idioms: aenter, aexit, alnum, argparse, asctime, caplog,
  dataclasses, ensurepip, getattr, gethostname, getuid, gmtime, hasattr,
  kwargs, levelname, monkeypatch, noqa, popen, pytestmark, pythonhosted,
  setattr, setitem, skipif, splitlines, startswith, staticmethod, strftime,
  subpro, textwrap, urllib
- Azure / sandbox terminology: containerapps, egresspolicy, mgmt,
  millicores, sandboxprovider, stepreceipt, westus
- Security / governance: SIEM, SLSA, repudiable, lockdown, unconfigured,
  toolkits
- Test fixtures: evilpypi, héllo (unicode print-test snippet)
- Project shorthand: AGTS

Signed-off-by: Amol Ravande <[email protected]>