Track cross-language skill-aware audit trail hardening parity (TypeScript, .NET, Go, Rust)

[Ricky-G]

Summary

PR #2572 added skill-aware audit trail hardening to the Python agent-os framework integration adapters. This issue tracks porting the equivalent primitives to the other language SDKs where applicable, so governance behavior stays consistent across the ecosystem.

What was added in Python (PR #2572)

• Trusted skill metadata source (TrustedSkillMetadataSource) so skill name and origin come from framework-owned values, not spoofable request payloads
• provenance_source_trust provenance marker on audit events
• UTC-normalized audit timestamps
• Deterministic, order-stable context hashing with a fail-safe path
• Spoof-resistance tests across the ADK, CrewAI, Semantic Kernel, OpenAI Agents SDK, AutoGen, and LangChain adapters

Gap in other SDKs

A scan of the other SDKs shows they have framework discovery and detection (recognizing langchain, crewai, autogen, etc.) but none implement the skill-audit primitives above (no trusted_skill / TrustedSkillMetadata, no provenance_source_trust, no emit_skill_audit):

SDK	Path	Status
TypeScript	agent-governance-typescript/	Framework discovery only, no skill-audit primitives
.NET	agent-governance-dotnet/	Has Audit and Integration namespaces, no skill-audit primitives
Go	agent-governance-golang/	Discovery and audit-chain example only
Rust	agent-governance-rust/	Framework integration support only

Proposed work

For each SDK, evaluate whether equivalent framework adapters exist and, where they do, port:

• trusted skill metadata source extraction (framework-owned, not request-derived)
• provenance trust marker on audit events
• UTC-normalized audit timestamps
• deterministic context hashing
• spoof-resistance tests

Where a given framework adapter does not exist in a language SDK, no work is required for that adapter and it should be noted as not applicable.

References

• PR: fix(agent-os): harden foundational skill-aware audit trail for issue #1609 #2572 (Python implementation)
• RFC: RFC: Govern agent Skills (context injection) across ADK, CrewAI, Semantic Kernel, and OpenAI Agents SDK #1609

[github-actions]

❔ Contributor Check: UNKNOWN

Check	Result
Profile	MEDIUM
Credential	NONE
Overall	UNKNOWN

Automated check by AGT Contributor Check.

[yuvrajsingh2428]

Thanks for opening this. I'd like to investigate the TypeScript implementation and compare it with the behavior introduced in #2907 to understand the changes needed for parity. If the scope is manageable, I'd be happy to work on it.

[Ricky-G]

@yuvrajsingh2428 merged this issue to track all other language implementaitons other than Python, happy for you to take this one and submit a pr

[yuvrajsingh2428]

Thanks @Ricky-G! I'll take this one.

I'll start by comparing the Python implementation from #2907 with the TypeScript SDK and then work through the remaining language implementations to bring them into parity. I'll open a PR once I have the changes ready.