-
Notifications
You must be signed in to change notification settings - Fork 3
Home
The deterministic merge gate for AI-generated agent capability changes.
When a coding agent (Claude Code, Codex, Cursor) or a human changes what an AI agent can do, Agents Shipgate turns that diff into a deterministic merge verdict — before the agent gets production-like permissions. This open-source CLI and GitHub Action statically reviews the tools an agent can call: it reads a shipgate.yaml manifest, normalizes tools from MCP, OpenAPI, and SDK sources, and produces a deterministic Tool-Use Readiness Report (Markdown, JSON, SARIF).
Static by default. No agent execution. No tool calls. No LLM calls. No MCP connections. No network. No telemetry.
Sandbox controls can. Evals measure does. Agents Shipgate reviews should vs. can before merge.
Sandboxes constrain runtime capability. Evals observe behavior in tested scenarios. Agents Shipgate compares the static tool authority introduced by a change with the purpose, scopes, and controls reviewers intended to approve.
Static only: Agents Shipgate does not execute the agent, replace runtime sandboxing, or prove runtime behavior.
See the preregistered 2026 Open-Source Agent Tool-Surface Study for the public catalog, study boundaries, and reproducibility artifacts.
pipx install agents-shipgate
agents-shipgate init --workspace . --write
agents-shipgate scan -c shipgate.yaml| If you want to… | Read |
|---|---|
| Get a finding in 60 seconds | Quickstart |
| Understand the model | Concepts |
| See it on real public APIs | Real-World Examples |
Write a shipgate.yaml
|
Manifest Reference |
| Browse the 80+ check catalog | Check Catalog |
| Wire it into your CI | CI Recipes |
| Track findings over time | Baseline Workflow |
| Understand the trust posture | Trust Model |
| Write a custom check | Plugin Authoring |
| Debug an error | Troubleshooting |
| Compare against eval/observability | FAQ |
| Explore the 2026 open-source Agent study | Tool-Surface Study 2026 |
| Read the internals | Architecture |
A scan against DigitalOcean's public OpenAPI (~600 endpoints) surfaces hundreds of findings — most flagging missing approval policies on destructive operations. Against the Twilio Messaging API configured with a read-only declared purpose, it flags every Delete* operation as a scope contradiction. Against the canonical OpenAI Agents SDK customer_service example, it picks up update_seat as a write tool from name alone — without importing the file. Against the Anthropic cookbook customer service agent, it flags cancel_order as a critical missing-approval finding before the pattern reaches production.
| Not evals | Evals test behavior. Shipgate reviews release artifacts. |
| Not a sandbox | Sandboxes constrain runtime capability. Shipgate cannot stop a tool call in flight. |
| Not observability | Observability records runtime. Shipgate runs before promotion. |
| Not a gateway | Gateways enforce access. Shipgate produces review evidence. |
See FAQ for the longer comparison.
- Source: github.com/ThreeMoonsLab/agents-shipgate
- Marketplace: GitHub Action
-
PyPI:
agents-shipgate - License: Apache-2.0
- Security: see SECURITY.md
Agents Shipgate · Apache-2.0 · maintained by Three Moons Lab · 2026 tool-surface study · Report a false positive
Getting started
Reference
Workflows
Research
Extending
Project