Releases: sjh9714/Agent-Gate
Agent Gate v0.1.3
v0.1.3 is a security maintenance prerelease.
Security:
- Pin the Action build toolchain to esbuild 0.28.1 to address Dependabot alerts in development dependencies.
- Rebuild the committed Action bundle with the fixed toolchain.
Runtime rule behavior is unchanged from v0.1.2.
Agent Gate v0.1.2
Patch prerelease for human-decision-first Markdown reports.
Changed:
- Markdown reports now lead with human-facing labels: PASSED, NEEDS HUMAN DECISION, and BLOCKED.
- Reports now show Why, Recommended Next Step, and Policy Status before detailed findings.
- Finding-derived Markdown values are normalized and truncated for safer job summaries and PR comments.
- JSON decisions remain unchanged as pass, warn, and block.
Runtime rule behavior is unchanged from v0.1.1.
Agent Gate v0.1.1
Metadata-only patch prerelease for GitHub Marketplace publishing.
Changed:
- Rename the Action metadata display name to Agent Gate for AI PRs to satisfy GitHub Marketplace name uniqueness.
Runtime behavior is unchanged from v0.1.0.
Agent Gate v0.1.0
Agent Gate v0.1.0
No AI PR gets merged without proof.
Agent Gate v0.1.0 is a pre-release of a deterministic CI firewall for AI-generated pull requests. It focuses on explainable checks for PR contracts, risky file changes, agent control-plane drift, workflow permission escalation, and missing test-change evidence.
What works today
- Deterministic core analyzer and JSON/Markdown reports
agent-gate.ymlconfig parsing- PR body contract parsing
- Contract scope checks for allowed and blocked paths
- High-risk path detection
- Agent control-plane drift detection
- Missing test evidence detection
- GitHub Actions workflow permission escalation detection
- Dangerous workflow pattern detection
- CLI replay for deterministic fixtures
- Unsafe PR zoo fixtures for local demos
- Root GitHub Action for
uses: sjh9714/Agent-Gate@<ref> - PR report comment upsert
- Self-dogfooding Agent Gate workflow
- Repository CI
Security model
Agent Gate is API-only at runtime. The Action loads policy from the PR base ref, reads PR metadata and changed-file data through GitHub APIs, and does not checkout PR code.
Runtime analysis does not call LLMs, execute repository scripts, install packages from the target PR, or execute MCP servers.
Demo
Run the unsafe workflow fixture locally:
pnpm --filter agent-gate build
node packages/cli/dist/main.js replay fixtures/unsafe-pr-zoo/workflow-permission-escalationExpected headline findings:
Agent Gate: BLOCKED
ERROR workflow/permission-escalation
ERROR workflow/dangerous-pattern
Path: .github/workflows/release.yml
Install
Use the root Action from a pull request workflow:
permissions:
contents: read
pull-requests: read
jobs:
agent-gate:
runs-on: ubuntu-latest
steps:
- uses: sjh9714/Agent-Gate@v0.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
mode: warn
fail-on-block: falseTo enable PR report comments, add issues: write and set comment: true.
Start with mode: warn and fail-on-block: false. After policy findings are tuned, move toward mode: block and fail-on-block: true.
Known limitations
- Agent Gate is pre-release; APIs and rule names may change in later pre-releases.
- CODEOWNERS and reviewer evidence are not implemented yet.
- Package and dependency drift rules are not implemented yet.
- GitHub Actions job-level permission escalation comparison is limited.
- Test evidence checks are file-pattern based; they do not prove semantic coverage.
- PR comment upsert requires
issues: writeand may warn on fork PRs with read-only tokens.
Stability note
For this pre-release, prefer @v0.1.0 or a pinned commit SHA. Expect early rule names, report details, and configuration options to change as the pre-release matures.