feat: add Agent Governance Toolkit sample — policy enforcement for ADK agents#117

Open
imran-siddique wants to merge 4 commits into google:main from imran-siddique:main

@imran-siddique

Summary

Adds a community sample demonstrating the Agent Governance Toolkit (AGT) integration with Google ADK, as discussed in google/adk-python#5418 and invited by @DeanChensj.

What's included

| File | Description |
|---|---|
| `governance_plugin.py` | GovernancePlugin — evaluates YAML/OPA/Cedar policies before tool calls, logs to Merkle audit chain |
| `main.py` | Example usage with an ADK agent |
| `policies/default.yaml` | Sample policy (block shell exec, rate limit APIs, require approval for payments) |
| `README.md` | Documentation with install, usage, and policy examples |

How it works

```
Tool call → GovernancePlugin.before_tool_call() → Policy evaluation (<5ms) → Allow/Deny/Warn → Audit log
```

Requirements

```bash
pip install google-adk agentmesh-platform
```

AGT Stats

  • v3.2.0 Public Preview, 9,500+ tests, MIT licensed
  • 5 SDK languages, 12+ framework integrations
  • 10/10 OWASP Agentic Top 10 coverage

@google-cla

google-cla Bot commented Apr 21, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@@ -0,0 +1,125 @@
# Copyright 2026 Microsoft Corporation

Collaborator

We can have a plugins/ folder under src/google/adk_community to host the plugin

@@ -0,0 +1,125 @@
# Copyright 2026 Microsoft Corporation

Collaborator

Why Microsoft?

@imran-siddique
Author

Hi @hangfei @Jacksunwei — friendly ping for a review when you get a chance. Happy to address any feedback. Thanks!

@DeanChensj
Collaborator

Hi @imran-siddique, I already left some comments and those haven't been addressed.

@DeanChensj
Collaborator

@gemini-cli /review

@github-actions

github-actions Bot commented May 5, 2026

🤖 Hi @DeanChensj, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

@github-actions github-actions Bot left a comment

Thank you for the contribution! The integration with the Agent Governance Toolkit is a great addition.

However, I've identified a few issues that should be addressed:

  1. Security (Fail-Open): The plugin currently allows all tool calls if the agentmesh-platform dependency is missing. This could lead to a false sense of security.
  2. Enforcement Mechanism: It's unclear if returning {"allowed": False} actually blocks the tool call in google-adk. Raising an exception might be more robust.
  3. Licensing/Copyright: As noted by @DeanChensj, the licensing and copyright should be aligned with the project's standards.
  4. Reliability: The default policy directory path and the installation instructions in the logs could be improved for better UX.

Please see the line-level comments for more details.

@@ -0,0 +1,125 @@
# Copyright 2026 Microsoft Corporation

I agree with @DeanChensj. This sample is being contributed to a Google-owned repository, so it should ideally follow the project's licensing (Apache 2.0) and copyright standards. Also, the plugins/ folder suggestion would help better integrate this into the ADK community structure.

data={"tool_args": args or {}, "reason": result.reason},
)
audit_id = entry.entry_id
else:
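
Review bot: The `data={"tool_args": args or {}, ...}` argument stores the raw tool arguments in the audit entry. Tool arguments can carry credentials, tokens or personal data, and once written to an audit record they are awkward to remove. Consider redacting or hashing argument values (or recording only argument names) before they reach `data`, and document in the README what the audit entry contains.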

It's important to verify if google-adk's Agent class automatically interprets the allowed key in the returned dictionary. If the agent doesn't check this value, the governance won't actually be enforced. Most plugin systems expect an exception to be raised to block an action. If result.allowed is False, should we raise an exception here?

"agentmesh-platform not installed. "
"Install with: pip install agentmesh-platform"
)


This install command should probably match the one in the README (agentmesh-platform[server]) to ensure all necessary components (like the audit service) are available.


def __init__(
self,
policy_dir: str | Path = "./policies",

Using a relative path like "./policies" as a default can be unreliable depending on where the user executes their script. It might be better to require this path or calculate it relative to the agent's entry point.

from agentmesh.governance.policy import PolicyEngine
from agentmesh.services.audit import AuditService

self._engine = PolicyEngine()

This "fail-open" logic (returning allowed: True when agentmesh-platform is missing) might be a security risk. If a user intends to have governance but the package is missing, the agent will proceed without any restrictions. Consider raising an ImportError or providing a configuration to choose between fail-open and fail-closed behaviors.
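
The fail-open and enforcement concerns raised in this review, as an added illustration that is not code from this pull request, from AGT or from ADK: a gate that denies when its policy engine cannot be loaded and blocks by raising rather than by returning a flag. `GovernanceGate`, `ToolCallDenied`, `guarded_call`, the two loader functions and the `evaluate(tool, args)` contract are all hypothetical.

```python
# Added illustration; every name below is hypothetical, not ADK or AGT API.
class ToolCallDenied(Exception):
    """Raised to block a tool call; unlike a returned flag it cannot be ignored."""


def load_missing_engine():
    # Constructed stand-in for the optional policy package being absent.
    raise ImportError("policy engine package not installed")


def load_sample_engine():
    # Constructed policy: block shell execution, allow everything else.
    def evaluate(tool, args):
        if tool == "shell_exec":
            return False, "shell execution blocked by policy"
        return True, "no rule matched"
    return evaluate


class GovernanceGate:
    def __init__(self, loader, fail_closed=True):
        self.fail_closed = fail_closed
        self.audit = []  # in-memory stand-in for an audit log
        try:
            self._evaluate = loader()
        except ImportError:
            self._evaluate = None  # remember the failure; decide per call

    def check(self, tool, args=None):
        args = args or {}
        if self._evaluate is None:
            # Engine unavailable: deny unless the operator opted into fail-open.
            allowed, reason = not self.fail_closed, "policy engine unavailable"
        else:
            allowed, reason = self._evaluate(tool, args)
        # Log argument names only so secret values stay out of the audit trail.
        self.audit.append({"tool": tool, "allowed": allowed,
                           "reason": reason, "arg_names": sorted(args)})
        if not allowed:
            raise ToolCallDenied(f"{tool}: {reason}")


def guarded_call(gate, tool, args, fn):
    gate.check(tool, args)  # raises before fn can run
    return fn(**args)
```

With `fail_closed=False` the same missing engine lets the call through, but the audit record still shows that no policy was evaluated.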
