‹ Agent Governance Index

Is microsoft/autogen production-ready?

Mechanical governance score from agent-contracts scan against a clean clone. No vibes, no testimonials — reproducible from the exact commit below.

100/100 A no change since the previous scan
Full governance surface. autogen scores the maximum on every measured dimension. Note: a perfect surface score does not mean agents built on it tell the truth at runtime — that failure has no surface to grep.

Dimension breakdown (100 points)

tests_and_ci — a test suite plus CI that runs it20/20
tool_governance — permission / allowlist / approval / human-in-loop gating on tool calls20/20
secret_safety — secrets git-ignored, no obvious hardcoded keys15/15
eval_harness — an eval / benchmark / labeled-corpus surface15/15
dependency_pinning — a lockfile or pinned dependency manifest10/10
observability — logging / audit / tracing10/10
resilience — retry / backoff / fallback / escalation10/10

Reproduce this score

pip install "agent-contracts @ git+https://github.com/impartshadow/agent-contracts.git"
git clone --depth 1 https://github.com/microsoft/autogen.git
git -C autogen checkout 027ecf0a37
agent-contracts scan --root autogen --json

Scored commit: 027ecf0a379bcc1d09956d46d12d44a3ad9cee14. The score is the output of a deterministic scanner, not a judgment call — a clean clone reproduces it.

What this score can and can't tell you

This index measures observable governance surface — the guardrails a reliable agent needs. It does not certify that agents built on autogen behave correctly at runtime. The most expensive agent failure — confidently claiming a task is "done" with nothing to back it — has no surface to grep, so no static score (including this one) can see it. Here's the proof, on the #1-ranked framework.

Every framework is re-scanned on a schedule. The weekly delta — what moved, on which commit, and what it means for teams building on it — goes out at echofromshadow.substack.com.