Skip to content
Pengfei Hu edited this page Jul 12, 2026 · 6 revisions

Agents Shipgate

The deterministic merge gate for AI-generated agent capability changes.

When a coding agent (Claude Code, Codex, Cursor) or a human changes what an AI agent can do, Agents Shipgate turns that diff into a deterministic merge verdict — before the agent gets production-like permissions. This open-source CLI and GitHub Action statically reviews the tools an agent can call: it reads a shipgate.yaml manifest, normalizes tools from MCP, OpenAPI, and SDK sources, and produces a deterministic Tool-Use Readiness Report (Markdown, JSON, SARIF).

Static by default. No agent execution. No tool calls. No LLM calls. No MCP connections. No network. No telemetry.

Sandbox controls can. Evals measure does. Agents Shipgate reviews should vs. can before merge.

Sandboxes constrain runtime capability. Evals observe behavior in tested scenarios. Agents Shipgate compares the static tool authority introduced by a change with the purpose, scopes, and controls reviewers intended to approve.

Static only: Agents Shipgate does not execute the agent, replace runtime sandboxing, or prove runtime behavior.

See the preregistered 2026 Open-Source Agent Tool-Surface Study for the public catalog, study boundaries, and reproducibility artifacts.

pipx install agents-shipgate
agents-shipgate init --workspace . --write
agents-shipgate scan -c shipgate.yaml

Start here

If you want to… Read
Get a finding in 60 seconds Quickstart
Understand the model Concepts
See it on real public APIs Real-World Examples
Write a shipgate.yaml Manifest Reference
Browse the 80+ check catalog Check Catalog
Wire it into your CI CI Recipes
Track findings over time Baseline Workflow
Understand the trust posture Trust Model
Write a custom check Plugin Authoring
Debug an error Troubleshooting
Compare against eval/observability FAQ
Explore the 2026 open-source Agent study Tool-Surface Study 2026
Read the internals Architecture

What it catches

A scan against DigitalOcean's public OpenAPI (~600 endpoints) surfaces hundreds of findings — most flagging missing approval policies on destructive operations. Against the Twilio Messaging API configured with a read-only declared purpose, it flags every Delete* operation as a scope contradiction. Against the canonical OpenAI Agents SDK customer_service example, it picks up update_seat as a write tool from name alone — without importing the file. Against the Anthropic cookbook customer service agent, it flags cancel_order as a critical missing-approval finding before the pattern reaches production.

What it is not

Not evals Evals test behavior. Shipgate reviews release artifacts.
Not a sandbox Sandboxes constrain runtime capability. Shipgate cannot stop a tool call in flight.
Not observability Observability records runtime. Shipgate runs before promotion.
Not a gateway Gateways enforce access. Shipgate produces review evidence.

See FAQ for the longer comparison.


Project links

Clone this wiki locally