Runtime Governance Middleware for Microsoft Agent Framework (MAF)

[imran-siddique]

🛡️ Runtime Governance for Microsoft Agent Framework (MAF)

We've built a governance middleware layer that integrates directly into MAF's middleware pipeline, bringing policy enforcement, capability sandboxing, audit trails, and rogue agent detection to any MAF-powered application.

Architecture

MAF Agent Pipeline
    │
    ├── GovernancePolicyMiddleware (AgentMiddleware)
    │     └── Evaluates YAML policies before agent execution
    │
    ├── AuditTrailMiddleware (AgentMiddleware)  
    │     └── Merkle-chained tamper-evident audit log
    │
    ├── CapabilityGuardMiddleware (FunctionMiddleware)
    │     └── Enforces tool-level restrictions per agent Ring
    │
    └── RogueDetectionMiddleware (FunctionMiddleware)
          └── Behavioral anomaly detection → auto-quarantine

Demo Output (3 Scenarios)

Scenario 1: Policy Enforcement

🤖 Research Agent → "Search for AI governance papers"
  ├── ✅ Policy Check: ALLOWED (web_search permitted)
  └── 📦 Result: "Found 15 papers on AI governance..."

🤖 Research Agent → "Read /internal/secrets/api_keys.txt"
  ├── ⛔ Policy Check: DENIED (blocked pattern: **/internal/**)
  └── 📦 Agent received: "Policy violation: Access to internal resources is restricted"

Scenario 2: Capability Sandboxing (Ring 2)

🤖 Analysis Agent → run_code("import pandas; df = pd.read_csv('data.csv')")
  ├── ✅ Capability Guard: ALLOWED (run_code in permitted tools)

🤖 Analysis Agent → write_file("/output/results.csv", data)
  ├── ⛔ Capability Guard: DENIED (write_file not in permitted tools)

Scenario 3: Rogue Agent Detection

🤖 Report Agent → send_email × 50 — rapid burst
  ├── 🚨 Rogue Check: CRITICAL (score: 129.24)
  ├── 🛑 Action: QUARANTINED — Agent execution halted

Audit Summary:

📋 Total entries: 7
   ✅ Allowed: 4  │  ⛔ Denied: 3  │  🚨 Quarantined: 1
🔒 Merkle chain integrity: VERIFIED ✓

Try It

pip install agent-framework --pre
git clone https://github.com/microsoft/agent-governance-toolkit
cd agent-governance-toolkit
pip install -e packages/agent-os packages/agent-mesh packages/agent-sre
python demo/maf_governance_demo.py

Components

Component	Description
maf_adapter.py	4 middleware classes + factory function
demo/	Interactive demo with 3 scenarios
research_policy.yaml	Example governance policy
30 unit tests	Full test coverage

Key Design Decisions

• Chain-of-responsibility — Each middleware calls await call_next() or blocks, fitting MAF's native middleware pattern. Two OSS projects from Microsoft working together: Agent Framework for orchestration and Agent Governance Toolkit for runtime security.
• Real governance, simulated contexts — Demo uses mock MAF contexts but real PolicyEvaluator, AuditLog, and RogueAgentDetector from the governance toolkit
• Production-ready — All 212 tests pass across 5 packages
• Framework-portable middleware protocol — The adapter implements the MAF middleware protocol without a direct package dependency on agent-framework, which allows the same governance middleware to be used with other frameworks such as Dify, LlamaIndex, CrewAI, and Google ADK. When agent-framework is installed, the adapter uses MAF's native types directly; otherwise it provides compatible base classes.

What's Next

• --live mode with real LLM provider (Azure OpenAI / Ollama)
• Dashboard UI for audit trail visualization
• Integration with MAF's upcoming Capabilities API
• Deeper tool approval hooks per agent-framework#3054

We'd love feedback on the middleware design and policy schema. If you're building MAF agents and need governance guardrails, give this a spin! 🚀