feat: add AgentGovernancePlugin for tool-call governance #141

Open
imran-siddique wants to merge 1 commit into google:main from imran-siddique:feat/agt-governance-plugin

@imran-siddique

Adds an ADK plugin that integrates microsoft/agent-governance-toolkit for centralized tool-call policy enforcement.

This replaces #117, fully addressing review feedback from @DeanChensj and the Gemini code review.

What changed vs #117

| Feedback | Resolution |
| --- | --- |
| Wrong copyright (Microsoft/MIT) | Apache 2.0 / Google LLC throughout |
| Wrong plugin API (sync, custom interface) | Extends BasePlugin, async before_tool_callback |
| Wrong return semantics | Returns None (allow) or dict (short-circuit deny) per ADK contract |
| Fail-open default | Fail-closed by default; opt-in fail_open=True |
| Unreliable policy_dir path | Required param, resolved to absolute |
| Wrong file location | Plugin in src/google/adk_community/plugins/, sample in contributing/samples/ |
| No tests | 11 tests covering allow/deny/fail-open/missing-dep/audit/custom-agent-did |

Files

  • src/google/adk_community/plugins/agent_governance_plugin.py - the plugin
  • src/google/adk_community/plugins/__init__.py - public exports
  • tests/plugins/test_agent_governance_plugin.py - 11 tests
  • contributing/samples/agent_governance/ - usage example + sample policies

Usage

```python
from google.adk_community.plugins import AgentGovernancePlugin
from google.adk.runners import Runner

plugin = AgentGovernancePlugin(policy_dir="./policies")
runner = Runner(agent=agent, plugins=[plugin], app_name="my_app", session_service=sessions)
```

Requires agentmesh-platform (pip install agentmesh-platform).
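
Added example, not code from this PR or from ADK: a stand-alone illustration of the return contract (None allows, a dict short-circuits the call) and of fail-closed versus opt-in fail_open handling when policy evaluation itself raises. The names FailClosedGate, sample_policy and decide, the simplified callback signature and the error dict keys are assumptions made for illustration.

```python
import asyncio
import logging
from typing import Callable, Optional

log = logging.getLogger("governance.audit")


class FailClosedGate:
    """Hypothetical stand-in for the plugin's decision logic (not the PR's code)."""

    def __init__(self, evaluate: Callable[[str, dict], bool], fail_open: bool = False):
        self._evaluate = evaluate  # assumed policy function: True means allow
        self._fail_open = fail_open

    async def before_tool_callback(self, tool_name: str, tool_args: dict) -> Optional[dict]:
        """Return None to allow the call, or a dict to short-circuit it."""
        try:
            allowed = self._evaluate(tool_name, tool_args)
        except Exception as exc:  # engine unavailable, policy malformed, etc.
            log.error("policy error tool=%s err=%r fail_open=%s",
                      tool_name, exc, self._fail_open)
            if self._fail_open:
                return None  # degraded mode: the call proceeds unchecked
            return {"error": "governance_unavailable", "tool": tool_name}
        if allowed:
            log.info("allow tool=%s", tool_name)
            return None
        log.warning("deny tool=%s", tool_name)
        return {"error": "denied_by_policy", "tool": tool_name}


def sample_policy(tool_name: str, tool_args: dict) -> bool:
    """Constructed policy: allow two read-only tools, raise on a missing name."""
    if not tool_name:
        raise ValueError("tool name missing")
    return tool_name in {"search_docs", "read_file"}


def decide(gate: FailClosedGate, tool_name: str, tool_args: dict) -> Optional[dict]:
    """Synchronous helper so the callback can be exercised without a runner."""
    return asyncio.run(gate.before_tool_callback(tool_name, tool_args))


if __name__ == "__main__":
    closed = FailClosedGate(sample_policy)
    opened = FailClosedGate(sample_policy, fail_open=True)
    for name in ("search_docs", "delete_db", ""):  # constructed tool names
        print(repr(name), decide(closed, name, {}), decide(opened, name, {}))
```

With fail_open=True an evaluation error lets the call through, while an explicit policy deny is still enforced; only the error path changes.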

@imran-siddique
Author

@DeanChensj this replaces #117 with a full rewrite addressing all your review feedback. Key changes: correct BasePlugin extension, async before_tool_callback, Apache 2.0 copyright, fail-closed default, proper file placement, and 11 tests. Would appreciate another look when you get a chance.

@google-cla

google-cla Bot commented May 19, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@imran-siddique imran-siddique force-pushed the feat/agt-governance-plugin branch from 24a3004 to 9a2492c Compare May 19, 2026 19:57
@giskard09

The fail-closed default is the right call — fail-open governance plugins are security theater.

One gap worth noting: before_tool_callback covers the pre-execution decision (allow/deny), but the audit record stays in the Python process. If the agent restarts, the log rotates, or an external auditor needs to verify what actually executed — there's no independently verifiable anchor.

Mycelium Trails closes that loop: after before_tool_callback allows the call, a single POST /nexus/trail anchors the outcome on Base (Arbitrum L2). The anchor is independently verifiable without trusting the operator. Published on the Official MCP Registry (io.github.giskard09/argentum).

Would it make sense to add an optional audit_backend param so operators can plug in an external anchor? Happy to sketch the interface if useful.

@imran-siddique
Author

I have signed the CLA.

Integrates microsoft/agent-governance-toolkit (AGT) as an ADK
BasePlugin for centralized tool-call policy enforcement.

- Extends BasePlugin with async before_tool_callback
- Evaluates tool calls against YAML policy rules via agentmesh PolicyEngine
- Returns None (allow) or dict (deny/short-circuit) per ADK contract
- Fail-closed by default; opt-in fail_open=True for graceful degradation
- Structured audit logging for all policy decisions
- 11 tests covering allow/deny/fail-open/missing-dep/custom-agent-did

Signed-off-by: Imran Siddique <imran.siddique@microsoft.com>
@imran-siddique imran-siddique force-pushed the feat/agt-governance-plugin branch from 9a2492c to cb54108 Compare May 20, 2026 16:59