Notes on agent PR merge verdicts.
Engineering decisions, AI-generated PR review lessons, trust-root protection, and what we learned building agents-shipgate.
How to security-review MCP tools before production
Reviewing MCP tool surfaces before agents can call them. Wildcard exposure, scope creep, missing approval policies, schema strictness — what good and bad look like.
AI agent deployment checklist: 18 checks before production
An 18-item pre-flight for shipping AI agents to staging or production. Covers inventory, schemas, scopes, approvals, side effects, idempotency, and blast radius.
AI agent CI/CD: add a release gate to your GitHub Actions pipeline
Adding agents-shipgate to your GitHub Actions workflow in four stages: advisory mode, baseline, strict mode, governance. Real YAML for each step.
Healthcare for agents
Why tool-using AI agents need care across their lifecycle, not just an eval at release — and the discipline we are early in building to provide it.
From CI/CD to agent release readiness
CI/CD made code releases safe. Agent releases need an analogous shift — tool surface, scopes, and policies become release artifacts the same way code did.
agents-shipgate vs runtime guardrails: where each one fits
Runtime guardrails enforce policy at call time. agents-shipgate enforces it at PR time. Both are necessary; neither replaces the other.
MCP tool surfaces need release review
MCP makes it trivial to expose dozens of tools to an agent. The exported tool surface is a release artifact — review wildcards, scopes, and undocumented actions before promotion.
How to add Agents Shipgate to GitHub Actions in 5 minutes
Drop a workflow into .github/workflows/, set advisory mode, and every PR gets a structured tool-surface review with severity counts and finding evidence.
Adding a release gate to an Anthropic Claude tool-use agent
Anthropic's Messages API tool surface lives in a JSON tools array plus a system prompt. agents-shipgate scans both and produces release-readiness findings on every PR.
Adding a release gate to an OpenAI Agents SDK project
If your agent is built with @function_tool decorators, agents-shipgate reads the source statically (no import) and produces release-readiness findings on every PR.
Your AI agent has a tool surface. It needs a release gate.
Tools are release artifacts. Evals are not release gates. Once an agent can refund, email, or deploy, the tool surface itself needs a deterministic check before promotion.
What's in a release-readiness report? Walking a real finding list
A real agents-shipgate report on a real Anthropic-published agent. Thirteen findings — what each one means and the manifest change that resolves it.
What is tool-use readiness?
Tool-use readiness is the static check that an agent's tool surface can ship: inventory, schema, auth, approval, side effects, idempotency, blast radius.
Why evals are not release gates
Evals validate behavior on inputs you wrote. They don't answer the release question for a tool-using agent. Here's what each is for, and why conflating them ships bugs.