Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .agents/skills/agents-shipgate/SKILL.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
---
name: agents-shipgate
description: Use when the user wants to run the prominent Agents Shipgate flows — `shipgate check`, `agents-shipgate verify`, or `shipgate audit --host` — for AI agent capability changes, PR release readiness, or coding-agent host grants.
Expand All @@ -21,7 +21,7 @@
6. For local agent control, run `shipgate check --agent codex --workspace . --format codex-boundary-json` and read the stdout `shipgate.codex_boundary_result/v1` object. Switch on `decision`; follow `first_next_action`, `repair`, and `human_review`.
7. Before editing `shipgate.yaml`, Shipgate CI, AGENTS/CLAUDE/Cursor rules, policy packs, baselines, waivers, suppressions, Codex hooks/config, Codex plugin manifests, `.mcp.json`, `.app.json`, or `SKILL.md`, plan to run `agents-shipgate verify` before completion and route trust-root review to a human when the verifier requires it.
8. For full PR verification, read `agents-shipgate-reports/agent-handoff.json` first, then `verifier.json` for detailed controller state, then `verify-run.json` for reproducibility metadata, then `report.json` for reviewer detail; `report.json.release_decision.decision` remains the release gate.
9. Auto-apply only high-confidence safe patches. Do not auto-assert action effect, action authority, approval, confirmation, idempotency, broad-scope, prohibited-action, or runtime-trace evidence.
9. Auto-apply only high-confidence safe patches. Do not auto-assert action effect, action authority, agent bindings, approval, confirmation, idempotency, broad-scope, prohibited-action, or runtime-trace evidence.
10. Ensure `.gitignore` covers `agents-shipgate-reports/` before committing.

## Fast Paths
Expand Down
2 changes: 1 addition & 1 deletion .claude-plugin/marketplace.json
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"name": "agents-shipgate",
"source": "./plugins/claude-code",
"description": "Run Agents Shipgate Tool-Use Readiness workflows from Claude Code: detect whether Shipgate applies, bootstrap the advisory gate, verify agent-capability PRs, and triage findings without fabricating human approval. Requires the agents-shipgate CLI (pipx install agents-shipgate, contract v10 or newer).",
"version": "0.16.0b1",
"version": "0.16.0b2",
"author": {
"name": "Three Moons Lab",
"url": "https://threemoonslab.com/"
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,11 @@ jobs:
# verdict regression should fail with a named canary before coverage,
# integration, or performance noise can obscure the safety signal.

- name: Agent binding safety canaries
run: python -m pytest tests/test_p0_binding_canaries.py -q
# Binding is a separate trust dimension from effect and authority.
# Keep these exact outcomes visible before the aggregate coverage run.

- name: Test
# v0.21 (E7): bumped from 75 → 85. Actual aggregate coverage on
# current main is ~88%, so the gate is +10pp tighter with ~3pp
Expand Down
23 changes: 12 additions & 11 deletions .well-known/agents-shipgate.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"name": "agents-shipgate",
"display_name": "Agents Shipgate",
"tagline": "The deterministic merge gate for AI-generated agent capability changes",
"version": "0.16.0b1",
"version": "0.16.0b2",
"license": "Apache-2.0",
"publisher": {
"name": "Three Moons Lab",
Expand Down Expand Up @@ -158,14 +158,14 @@
],
"codex_boundary_result_schema_version": "shipgate.codex_boundary_result/v1",
"codex_boundary_result_schema_path": "docs/codex-boundary-result-schema.v1.json",
"report_schema_version": "0.30",
"packet_schema_version": "0.9",
"report_schema_version": "0.31",
"packet_schema_version": "0.10",
"verifier_schema_version": "0.2",
"verify_run_schema_version": "shipgate.verify_run/v1",
"agent_handoff_schema_version": "shipgate.agent_handoff/v2",
"agent_handoff_schema_path": "docs/agent-handoff-schema.v2.json",
"agent_handoff_artifact": "agents-shipgate-reports/agent-handoff.json",
"contract_version": "12",
"contract_version": "13",
"inputs": [
"mcp",
"openapi",
Expand Down Expand Up @@ -225,14 +225,14 @@
"scenario": "scenario.json",
"governance_benchmark_result": "benchmark/agent-pr-governance/results/result.json"
},
"capability_lock_schema_version": "0.4",
"capability_lock_diff_schema_version": "0.5",
"capability_lock_schema_version": "0.5",
"capability_lock_diff_schema_version": "0.6",
"preflight_schema_version": "0.2",
"attestation_schema_version": "0.4",
"registry_schema_version": "0.3",
"org_evidence_bundle_schema_version": "shipgate.org_evidence_bundle/v1",
"host_grants_inventory_schema_version": "0.1",
"capability_standard_version": "0.3",
"capability_standard_version": "0.4",
"governance_benchmark_catalog_schema_version": "0.2",
"governance_benchmark_result_schema_version": "0.2",
"supporting_provisional_surfaces": [
Expand Down Expand Up @@ -345,6 +345,7 @@
"do_not_auto_assert": [
"action_effect",
"action_authority",
"agent_binding",
"approval",
"confirmation",
"idempotency",
Expand All @@ -363,16 +364,16 @@
"static_verdict_disclaimer": "This verdict covers deterministic static evidence only. Agents Shipgate did not execute the agent or prove runtime behavior, tool routing, credential enforcement, or safety.",
"schemas": {
"manifest": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/manifest-v0.1.json",
"report": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/report-schema.v0.30.json",
"report": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/report-schema.v0.31.json",
"agent_result": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/agent-result-schema.v1.json",
"codex_boundary_result": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/codex-boundary-result-schema.v1.json",
"verifier": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/verifier-schema.v0.2.json",
"verify_run": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/verify-run-schema.v1.json",
"agent_handoff": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/agent-handoff-schema.v2.json",
"packet": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/packet-schema.v0.9.json",
"packet": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/packet-schema.v0.10.json",
"preflight": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/preflight-schema.v0.2.json",
"capability_lock": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/capability-lock-schema.v0.4.json",
"capability_lock_diff": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/capability-lock-diff-schema.v0.5.json",
"capability_lock": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/capability-lock-schema.v0.5.json",
"capability_lock_diff": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/capability-lock-diff-schema.v0.6.json",
"governance_benchmark_catalog": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/governance-benchmark-catalog-schema.v0.2.json",
"governance_benchmark_result": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/governance-benchmark-result-schema.v0.2.json",
"feedback": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/feedback-schema.v0.1.json",
Expand Down
28 changes: 16 additions & 12 deletions AGENTS.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
# Agents Shipgate · Agent Instructions

Authoritative instructions for AI coding agents (Claude Code, Codex, Cursor, Aider, Cline, Windsurf, Devin, or any other harness — see [`docs/agents/any-coding-agent.md`](docs/agents/any-coding-agent.md)) working **with** this repository or a project that uses Agents Shipgate.
Expand Down Expand Up @@ -139,9 +139,11 @@
instructions. Verify-mode `SHIP-VERIFY-*` checks make those trust-root edits
release-visible and route them to human review.
Never invent or auto-fill an action effect or action authority declaration.
Contract v11 publishes these boundaries as `action_effect` and
`action_authority` in `do_not_auto_assert[]`; route semantic next actions to a
human and rerun verification after the reviewed declaration is supplied.
Never invent or auto-fill `agent_bindings` root, tool, or handoff declarations;
they are reviewed closed-world claims about deployed wiring.
Contract v13 publishes these boundaries as `action_effect`, `action_authority`,
and `agent_binding` in `do_not_auto_assert[]`; route binding and semantic next
actions to a human and rerun verification after the reviewed declaration is supplied.

To reproduce the verify-native blocked refund PR demo without writing YAML:

Expand Down Expand Up @@ -343,13 +345,13 @@
- `findings[].{autofix_safe, requires_human_review, suggested_patch_kind, docs_url, provenance_kind, blocks_release}`
- `findings[].policy_routing` (policy-pack owner/reviewer/approval routing metadata only; non-enforcing and not part of `evidence`)
- `findings[].patches[]` (only when scan ran with `--suggest-patches`)
- `baseline.{matched_count, new_count, resolved_count}` · `tool_inventory[]` · `codex_plugin_surface`
- `baseline.{matched_count, new_count, resolved_count}` · root-reachable `tool_inventory[]` · full `tool_catalog[]` · `codex_plugin_surface`
- `action_surface_facts` / `action_surface_diff`
- `release_decision.evidence_coverage.{semantic_coverage,evidence_gaps}`
- `release_decision.evidence_coverage.{binding_coverage,semantic_coverage,evidence_gaps}`
- Audit envelopes: `release_decision.contribution_rules[]`, `policy_audit`,
`privacy_audit`, `heuristics_filter` — explanatory, never a second gate

The current schema is [`docs/report-schema.v0.30.json`](docs/report-schema.v0.30.json). Emitted reports carry `report_schema_version: "0.30"`; v0.29 adds normalized effect/authority assessments and zero-tolerance semantic coverage. A `passed` result now requires complete, conflict-free static evidence for every in-scope action, evaluation of all applicable controls, and no policy condition requiring review. Every release decision explicitly carries `static_analysis_only: true`, `runtime_behavior_verified: false`, and `static_verdict_disclaimer`; packet §1 mirrors them. Semantic gaps are not Findings and cannot be suppressed or baselined. See [`docs/passed-verdict-contract.md`](docs/passed-verdict-contract.md) for the exact claim and [`docs/agent-contract-current.md`](docs/agent-contract-current.md) for version history. v0.29 remains frozen at [`docs/report-schema.v0.29.json`](docs/report-schema.v0.29.json).
The current schema is [`docs/report-schema.v0.31.json`](docs/report-schema.v0.31.json). Emitted reports carry `report_schema_version: "0.31"`; v0.31 separates the full tool catalog from the root-reachable capability surface and adds binding facts, diffs, and coverage. A `passed` result requires a complete root-reachable static binding graph plus complete, conflict-free identity, effect, and authority evidence for every reachable action, evaluation of all applicable controls, and no policy condition requiring review. Every release decision explicitly carries `static_analysis_only: true`, `runtime_behavior_verified: false`, and `static_verdict_disclaimer`; packet §1 mirrors them. Binding and semantic gaps are not Findings and cannot be suppressed or baselined. See [`docs/passed-verdict-contract.md`](docs/passed-verdict-contract.md) for the exact claim and [`docs/agent-contract-current.md`](docs/agent-contract-current.md) for version history. v0.30 remains frozen at [`docs/report-schema.v0.30.json`](docs/report-schema.v0.30.json).

**Release gating signal**: prefer `release_decision.decision` (`"blocked" | "review_required" | "insufficient_evidence" | "passed"`) over `summary.status`. The new field is **baseline-aware** — a baseline-matched critical surfaces in `release_decision.review_items` (accepted debt), not `release_decision.blockers`. `summary.status` stays baseline-blind for v0.7 compatibility, so a baseline-matched-only critical produces both `summary.status = "release_blockers_detected"` AND `release_decision.decision = "review_required"` (intentional divergence — see [STABILITY.md](STABILITY.md#release_decisiondecision-vs-summarystatus)). `insufficient_evidence` (added v0.14) signals that the scan saw too many low-confidence tools or source-loader warnings to be trustworthy; consumers that switch on the enum must fall back to `review_required` for unknown future values.

Expand Down Expand Up @@ -429,7 +431,7 @@
### Where is the report schema?

Parse `agents-shipgate-reports/report.json` and validate against
[`docs/report-schema.v0.30.json`](docs/report-schema.v0.30.json) (current).
[`docs/report-schema.v0.31.json`](docs/report-schema.v0.31.json) (current).
Older reports (`report_schema_version: "0.10"`) validate against the
frozen [`docs/report-schema.v0.10.json`](docs/report-schema.v0.10.json).
Do not scrape Markdown when JSON is available.
Expand Down Expand Up @@ -467,7 +469,8 @@
| What | Path | Stable |
|---|---|---|
| Manifest schema | [`docs/manifest-v0.1.json`](docs/manifest-v0.1.json) | `0.1` |
| Report schema (current) | [`docs/report-schema.v0.30.json`](docs/report-schema.v0.30.json) | `0.30` |
| Report schema (current) | [`docs/report-schema.v0.31.json`](docs/report-schema.v0.31.json) | `0.31` |
| Report schema (v0.30 frozen reference) | [`docs/report-schema.v0.30.json`](docs/report-schema.v0.30.json) | `0.30` |
| Report schema (v0.29 frozen reference) | [`docs/report-schema.v0.29.json`](docs/report-schema.v0.29.json) | `0.29` |
| Report schema (v0.28 frozen reference) | [`docs/report-schema.v0.28.json`](docs/report-schema.v0.28.json) | `0.28` |
| Report schema (v0.27 frozen reference) | [`docs/report-schema.v0.27.json`](docs/report-schema.v0.27.json) | `0.27` |
Expand Down Expand Up @@ -495,12 +498,13 @@
| Report schema (v0.8 frozen reference) | [`docs/report-schema.v0.8.json`](docs/report-schema.v0.8.json) | `0.8` |
| Report schema (v0.7 frozen reference) | [`docs/report-schema.v0.7.json`](docs/report-schema.v0.7.json) | `0.7` |
| Report schema (v0.6 frozen reference) | [`docs/report-schema.v0.6.json`](docs/report-schema.v0.6.json) | `0.6` |
| Packet schema (Release Evidence Packet, latest) | [`docs/packet-schema.v0.9.json`](docs/packet-schema.v0.9.json) | `0.9` |
| Packet schema (Release Evidence Packet, latest) | [`docs/packet-schema.v0.10.json`](docs/packet-schema.v0.10.json) | `0.10` |
| Packet schema (v0.9 frozen reference) | [`docs/packet-schema.v0.9.json`](docs/packet-schema.v0.9.json) | `0.9` |
| Packet schema (v0.8 frozen reference) | [`docs/packet-schema.v0.8.json`](docs/packet-schema.v0.8.json) | `0.8` |
| Packet schema (v0.7 frozen reference) | [`docs/packet-schema.v0.7.json`](docs/packet-schema.v0.7.json) | `0.7` |
| Capability standard | [`docs/capability-standard.md`](docs/capability-standard.md) | `0.3` |
| Capability lock schema | [`docs/capability-lock-schema.v0.4.json`](docs/capability-lock-schema.v0.4.json) | `0.4` |
| Capability lock diff schema | [`docs/capability-lock-diff-schema.v0.5.json`](docs/capability-lock-diff-schema.v0.5.json) | `0.5` |
| Capability lock schema | [`docs/capability-lock-schema.v0.5.json`](docs/capability-lock-schema.v0.5.json) | `0.5` |
| Capability lock diff schema | [`docs/capability-lock-diff-schema.v0.6.json`](docs/capability-lock-diff-schema.v0.6.json) | `0.6` |
| Governance benchmark catalog schema | [`docs/governance-benchmark-catalog-schema.v0.2.json`](docs/governance-benchmark-catalog-schema.v0.2.json) | `0.2` |
| Governance benchmark result schema | [`docs/governance-benchmark-result-schema.v0.2.json`](docs/governance-benchmark-result-schema.v0.2.json) | `0.2` |
| Check catalog | [`docs/checks.json`](docs/checks.json) | regenerated each release |
Expand Down Expand Up @@ -560,7 +564,7 @@
`agents-shipgate evidence-packet --from <packet.json|report.json>` to
re-render. The full packet contract (fixed sections, disclaimers,
`evidence_matrix` rules) lives in
[STABILITY.md §Release Evidence Packet](STABILITY.md#release-evidence-packet-v09)
[STABILITY.md §Release Evidence Packet](STABILITY.md#release-evidence-packet-v010)
and [`docs/agent-contract-current.md`](docs/agent-contract-current.md#read-these-for-release-review).

Exit codes (stable):
Expand Down
11 changes: 11 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,17 @@

## Unreleased

- **Root-reachable agent binding graph (P0, `0.16.0b2`).** Tool catalogs no
longer become an agent's capability surface by extraction alone. Framework
adapters emit static tool and handoff edges, `agent_bindings` supports exact
reviewed closed-world declarations, and partial, dynamic, ambiguous, or
conflicting graphs prevent `passed`. Reports separate `tool_catalog[]` from
root-reachable `tool_inventory[]` and publish binding facts, diffs, coverage,
evidence gaps, and human-routed remediation.
- **Binding contract versions.** Runtime contract advances to v13; report to
v0.31; packet to v0.10; capability standard to v0.4; capability lock/diff to
v0.5/v0.6; action snapshot to v0.3; and safety qualification formats to v2.

- **Provider-scoped canonical tool identity (P0).** Tool observations now get
deterministic source-scoped IDs and same-name tools from different
providers remain distinct. Cross-source evidence joins only through exact,
Expand Down
Loading